My Fun for the Day - Fake BSOD

gadgetfixup

Some of you have probably seen this critter but it's the first time in our shop. Customer purchased a new computer system for her son that "didn't do anything" and was getting what he thought was a BSOD. I documented this one a bit in case you guys see it.

The fake BSOD that pins the mouse to top left corner. You can't move the mouse anywhere and the overlay stays on top of all apps.

[screenshot]


First tech hit it with everything. You name the scan and he did it. Boots system and within 5 mins this pops up. I even grabbed my trusty FRST and looked at last 30 days. Nothing. Well the bugger alters the folder and file dates so it looks like it's been there longer. The kid downloaded this on 7/29 and you can see the dates here.

[screenshot]


Bitraider compressed file was the download. That windows.exe file is the bug. You can see it's dated 6/13/2015. Uploaded it to VT and only 2 of 53 anti-viruses discovered it packed. Even Kaspersky and ESET missed it. :(

[screenshot]


There she is in process explorer. To kill it you have to use your keyboard as the mouse is dead. Arrow down and ALT + E to kill it.

[screenshot]


Here the bugger is in autoruns. Obviously I already removed the file from the folder but that shows you where it was launching from.

And here is the jewel if you want to play with it.

https://www.dropbox.com/s/xaf5ez6g8uyl6iy/windows.zip

This one will run you around in circles a bit as no system scans will pick it up and clean it.
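Added defender-side example (not from the post or its author) of the point above about backdated file dates: a "last 30 days" filter that trusts the modification time misses a backdated file, while comparing it against st_ctime flags it. The script writes a constructed harmless file, backdates its mtime to 6/13/2015 with os.utime(), and runs both checks; it assumes st_ctime is the inode change time on Linux and the creation time on Windows, neither of which os.utime() rewrites.

```python
import os
import tempfile
import time
from datetime import datetime, timezone

# Constructed value for the demo: the date the post shows on windows.exe.
BACKDATED_MTIME = datetime(2015, 6, 13, tzinfo=timezone.utc).timestamp()


def recently_modified(path, days=30, now=None):
    """The naive 'changed in the last N days' filter: trusts st_mtime alone."""
    now = time.time() if now is None else now
    return now - os.stat(path).st_mtime <= days * 86400


def timestomp_suspect(path, skew_days=1):
    """Flag a file whose mtime is much older than st_ctime.

    os.utime() can set mtime/atime but not st_ctime (Linux: inode change
    time, bumped by the utime call itself; Windows: creation time), so a
    large gap is a triage signal that the modification date was backdated.
    """
    st = os.stat(path)
    return st.st_ctime - st.st_mtime > skew_days * 86400


def make_backdated_sample(directory):
    """Write a harmless placeholder file and backdate its mtime (constructed)."""
    path = os.path.join(directory, "windows.exe")
    with open(path, "wb") as f:
        f.write(b"placeholder bytes for the demo, not an executable")
    os.utime(path, (BACKDATED_MTIME, BACKDATED_MTIME))
    return path


def demo():
    """Returns (naive_filter_hit, timestomp_flag) for the backdated sample."""
    with tempfile.TemporaryDirectory() as d:
        p = make_backdated_sample(d)
        return recently_modified(p), timestomp_suspect(p)


if __name__ == "__main__":
    print(demo())  # (False, True): the 30-day filter misses it, the ctime check flags it
```

A tool that rewrites the creation time as well (possible on Windows with the right API) defeats the st_ctime comparison there, so treat it as one triage heuristic alongside autorun and download-history review rather than proof.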
 
Like Microsoft would ever have the class for serif font BSOD. Ha.
lol That's what I thought. And the text layout is all wrong.
Seems odd to go to all the effort of writing such malware to then make a shoddy attempt at reproducing the visuals when the authenticity of those is key to fooling the most victims.

I wonder what the point of this malware is? Does it install other processes that make its creators money somehow or is it merely a prank? I mean, displaying a BSOD certainly isn't the best way of ensuring your code remains on your victims PC if your plan is to send spam or capture passwords, etc.
 
I think the intent is to get you to call that toll-free "Windows helpline" phone number they have listed. That was the first thing that caught my eye, what BSOD has a phone number? LOL.
 
Ah, yes, that'd make sense :D

I missed that.
 
I ran into this a while back, friend wanted the computer wiped but I got it off of it and showed him it was running like it should. I'm glad someone put a write-up to remove it easier than what I had to do.
 
You are digging up OLD threads and that is frowned upon here and on most forums.
 

Except that Roy apparently encountered this little bugger in the wild not so long ago. So it's still out there (and interesting) even after all this time.

I think in this case it's good he resurrected the thread rather than starting a new one.

Thanks for sharing @roy simpson
 
Little off topic...

I came into work one day and my main office desktop was sitting on a bluescreen.
I thought that to be odd, went ahead and rebooted it and it worked fine.

Was sitting tinkering (not on the desktop) in my office and suddenly the bluescreen popped back up, yet wasn't a crash...
Realized my boss put the bluescreen screensaver on my desktop! Funny guy...

So I put the "12-Ants" program on his! https://www.softwareok.com/?seite=Microsoft/12-Ants
Drove him nuts, ants kept attacking his cursor. For fun, I did it to the receptionist desktop as well. :)
 