Malware fakes BSOD and convinces victims to buy Windows Defender Essentials

Published by

teaser

A bit of a warning, there's a new type of malware our on the loose that actually fakes a BSOD and then makes you purchase ‘Windows Defender Essentials’ to solve these blue screens of death..



Antivirus vendor Malwarebytes reports about the malware, which goes by the name Troubleshooter, on its website. The company has posted screenshots of the entire process, that starts with a BSOD, then continues with a fake troubleshooting wizard, which in its turn detects fake issues. In the end, the user is advised to purchase a fake antivirus product that should solve the issues reports myce:

The criminals behind the malware charge $25, to be paid by Paypal, for fraudulent software.

The Troubleshooter malware is distributed in various ways, Malwarebytes found their version of the malware in a cracked software installer. After the installer is executed, it loads several files that are responsible for showing the BSOD and the troubleshooting wizard. The software also makes a screenshot of the desktop and sends it to a fixed IP address, it’s unknown what the reasons for that are.

One of the loaded files registers itself a Windows Service that disables various shortcut keys. This method aims to make it for the user impossible to close the Windows with e.g. ALT + F4.

The troubleshooting wizard appears after the BSOD and also can’t be closed due to the shortcut keys being disabled. Finally the wizard ‘diagnoses’ the issue and ends showing all kinds of corrupted files that can only be fixed with the phony Windows Defender Essential.

Users who pay $25  for the fake antivirus software, do get a fix. If they’ve paid they are redirected to a webpage that contains the text “thankuhitechnovation”. Somehow the malware recognizes the string and terminates itself. This makes the victim believe the issue has been fixed.

Fortunately, there’s also a way to get rid of the malware without paying. A security researcher found that there’s a built-in shortcut key that opens a window that allows the victim to enter a website address. With CTRL+O, this window opens, the victim then has to enter the URL:  “http://hitechnovation.com/thankyou.txt”  which makes the malware to terminate itself, just like when one would have paid the $25.

After that, all files belonging to the malware should be removed from the computer. Malwarebytes has the removal instructions on its website.

Malware fakes BSOD and convinces victims to buy Windows Defender Essentials


Share this content
Twitter Facebook Reddit WhatsApp Email Print