How the Counterfeit "Remove All Spyware" System Tools Works

A few days ago, some users were surprised by an application called System Tools, without realizing that this application is a "Fake Antivirus" (FakeAV). This kind of malware was discussed in my previous post titled FakeAV-Downloader.G. The reports came from users who downloaded one of the local antivirus products from its official website and then ended up running a fake antivirus instead.

A. Malware Info

Name: SystemTools
Origin: Not yet known
File Size: 397 KB (407,040 bytes)
Packer: -
Programming: Visual C++
Icon: Random
Type: Trojan


B. About Malware

Initially, we received reports from users who had received messages on Facebook containing a link that, when opened, downloads a file named surprise.exe. Once the file is run, the user notices strange behaviour on the computer: for example, Firefox will not open, and neither will Task Manager and several other application files.

In addition to some applications no longer opening, the desktop wallpaper on the user's computer is changed, as in the picture below:


This Trojan is reminiscent of an Indonesian virus that caused a stir in 2008, Windx Maxtrox, which also changed the desktop. The reasons System Tools spread so successfully in Indonesia are:
 # It spreads via Facebook and via one of the websites that provide free downloads.
 # At the time users were downloading System Tools from the Internet, none of several foreign antivirus products detected it as malware.
Created in C++ without packing, this malware also has another feature: the ability to change the DateTimeStamp field in the PE header information. As a result its MD5 hash keeps changing even though the file size stays the same.
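Because only the COFF TimeDateStamp changes between copies, a plain MD5 blocklist never matches twice. The following added example (my own code, not part of the original post or the malware) parses that header field and computes an MD5 with the timestamp zeroed, so copies that differ only in the timestamp hash identically; the PE-shaped buffers are constructed here and are not real executables.

```python
import hashlib
import struct


def timestamp_offset(data: bytes) -> int:
    """Return the file offset of the COFF TimeDateStamp field, or raise if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # pointer to "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the 4-byte signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return e_lfanew + 8


def is_pe(data: bytes) -> bool:
    try:
        timestamp_offset(data)
        return True
    except ValueError:
        return False


def read_timestamp(data: bytes) -> int:
    (ts,) = struct.unpack_from("<I", data, timestamp_offset(data))
    return ts


def plain_md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def normalized_md5(data: bytes) -> str:
    """MD5 of the file with the TimeDateStamp zeroed; timestamp-only variants hash the same."""
    off = timestamp_offset(data)
    return hashlib.md5(data[:off] + b"\0\0\0\0" + data[off + 4:]).hexdigest()


def build_sample(timestamp: int) -> bytes:
    """Constructed minimal PE-shaped buffer (demo only, not an executable)."""
    pe_off = 0x40
    mz = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x102)
    return mz + b"PE\0\0" + coff + b"constructed payload body"


if __name__ == "__main__":
    a, b = build_sample(0x4A1B2C3D), build_sample(0x4B000000)
    print("plain MD5 differs:", plain_md5(a) != plain_md5(b))
    print("normalized MD5 matches:", normalized_md5(a) == normalized_md5(b))
```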
The price of this counterfeit antivirus is also not half-hearted:
1 year license: $59.95
2 year license: $69.95
Lifetime license: $79.95
Lifetime Premium Support: $19.95

C. Files created

Once active in memory, System Tools creates several files, such as:

     * A file [random name].tmp, which is actually an image file (BMP / Bitmap) that will be used as the desktop wallpaper, in the folder C:\Documents and Settings\[user name]\Local Settings\Temp
     * A file with a random name that will be run after startup, plus other files without extensions, in the folder C:\Documents and Settings\All Users\Application Data\[folder with a random name]

D. Infection Results

Once active in memory, this malware blocks any application file from running, except files whose names match the system files shown below:

The malware also displays false alert messages, like the one in the following picture:


Besides displaying the changed wallpaper shown earlier, the malware also sometimes displays a Blue Screen Of Death (BSOD) to make it look as though the computer system is completely broken.

This forces users to register in order to obtain an activation code and "clean up" all the malware that System Tools has reported.

To be able to run at startup, System Tools creates a new registry value in:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\[random name], "C:\Documents and Settings\All Users\Application Data\[random folder name]\[random name].exe"
 
