Wednesday, January 27, 2010

Rogue - Security Tool

This rogue tool has been roaming around the Internet recently, annoying users.

Kaspersky detects this one only as Fraudpack. The interesting thing is that KAV fails to detect the unpacked file and detects only the packer.


On execution, the malware installs a copy of itself into %Document & Settings\All Users\Application data%\%rand%\%rand%.exe

On successful installation it displays a dialogue box with the message "security tool successfully installed".

Then it pretends to scan the system for spyware and adware, always reporting a detection count of exactly 21 threats. The threat count never changes for this rogue-ware.
The original file is deleted through a batch file dropped in the same directory.
The batch file kills the process of the initial copy by its image name (taskkill /im) and then deletes the file.
The malware adds a Run entry so that it starts automatically after reboot. The real face of the malware can be seen only after reboot: on restart it kills all the user's processes, alerting on each of them as malware.
After taking a snapshot of all running processes, the malware terminates them.
It does not escalate privileges to kill highly privileged processes. The reason is that it does not want to crash the system; it just wants to annoy the user by preventing him from running any application.
It asks the user to register the product in order to clean the supposed malware from the system.

It also shows pop-up messages about the system infection.
The interesting fact in this scenario is that this rogue does not terminate the Internet Explorer process (iexplore.exe). The reason may be to let the user make the payment to register.


It also allows certain other processes to run:
firefox.exe
wscntfy.exe
shutdown.exe
avcheck.exe
wuauclt.exe
soft-cleaner.exe

So if you are infected by this malware, don't reboot the system.
Just open Task Manager, look for processes whose name is a string of random numbers, and terminate them. Then do the usual cleaning of the registry and file system.
If you reboot the system, it is really hard to kill the process.
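The two indicators the write-up gives, a running process whose image name is nothing but random digits and a Run entry pointing into the All Users\Application Data\%rand%\%rand%.exe drop location, can be checked from the output of `tasklist /fo csv` and `reg query ...\Run` before anyone reboots. The script below is an added example for this post, not code from the original author; the sample outputs are constructed, the digits-only form of %rand% is an assumption taken from the "random numbers" description, and nothing is terminated: it only reports what a cleanup should look at.

```python
import csv
import io
import re
from typing import Dict, List, Tuple

# Constructed sample of `tasklist /fo csv` output (not captured from a real
# infected host). The digits-only image name mimics the %rand%.exe copy the
# post describes; iexplore.exe and wscntfy.exe are on the rogue's allow list.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"explorer.exe","1532","Console","0","28,120 K"
"42835721.exe","2044","Console","0","6,480 K"
"iexplore.exe","2112","Console","0","40,004 K"
"wscntfy.exe","1888","Console","0","2,112 K"
'''

# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output. The second value points into the All Users\Application Data\%rand%
# folder the post names as the install location.
SAMPLE_RUN_KEY = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    42835721    REG_SZ    "C:\Documents and Settings\All Users\Application Data\42835721\42835721.exe"
'''

# Image name made only of digits plus ".exe" (assumed shape of %rand%.exe).
NUMERIC_IMAGE = re.compile(r"^\d+\.exe$", re.IGNORECASE)

# Assumed path shape: ...\All Users\Application Data\<digits>\<digits>.exe
ROGUE_PATH = re.compile(
    r"\\All Users\\Application Data\\(\d+)\\(\d+)\.exe", re.IGNORECASE
)

# One value line of `reg query` output: name, type, data.
RUN_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")


def parse_tasklist(text: str) -> List[Tuple[str, int]]:
    """Parse `tasklist /fo csv` output into (image name, pid) pairs."""
    reader = csv.DictReader(io.StringIO(text))
    return [(row["Image Name"], int(row["PID"])) for row in reader]


def suspicious_processes(text: str) -> List[Tuple[str, int]]:
    """Return processes whose image name is nothing but digits and .exe."""
    return [(name, pid) for name, pid in parse_tasklist(text)
            if NUMERIC_IMAGE.match(name)]


def parse_run_entries(text: str) -> List[Tuple[str, str]]:
    """Parse `reg query ...\\Run` output into (value name, command) pairs."""
    entries = []
    for line in text.splitlines():
        m = RUN_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(3)))
    return entries


def suspicious_run_entries(text: str) -> List[Tuple[str, str]]:
    """Return Run values whose command lives in the rogue's drop folder."""
    return [(name, cmd) for name, cmd in parse_run_entries(text)
            if ROGUE_PATH.search(cmd)]


def triage(tasklist_text: str, run_text: str) -> Dict[str, list]:
    """Combine both checks; any hit deserves a manual look before a reboot."""
    return {
        "processes": suspicious_processes(tasklist_text),
        "run_entries": suspicious_run_entries(run_text),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_TASKLIST, SAMPLE_RUN_KEY)
    for name, pid in report["processes"]:
        print(f"suspicious process {name} (pid {pid})")
    for name, cmd in report["run_entries"]:
        print(f"suspicious Run value {name!r} -> {cmd}")
```

On a live host the two constants would be replaced by the real command output; the PIDs reported are the ones to end in Task Manager, and the Run value names and paths are what the registry and file-system cleanup should remove. The allow-listed processes in the sample (iexplore.exe, wscntfy.exe) are correctly left alone, since a legitimate image name is not evidence of anything.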

As most rogue malwares are packed with polymorphic packers, I didn't find any AV company unpacking them, even though certain AVs detect them as a packed file (packer detection). I have seen certain security applications' (even certain AVs') processes get terminated by this rogue.

This malware application is actually written in Delphi. Even manually unpacking this malware is not an impossible task, but you should be aware of the anti-debugging trick in the packer.

For a reference on reversing Delphi, look for my paper "digging delphi" at vxheavens.