Worm instead of Avira Keygen

malware_warning On a popular Bittorrent site during the last weekend there appeared a package that allegedly contains Avira AntiVir Premium and a so called keygen. A keygen is a tiny piece of software that calculates a license number for a commercial software, for free.

Now upon starting the assumed keygen, instead of providing the user with a serial number, it infects the system. It drops three files on the hard disk:
<%AllUsers Profile%>\Local Settings\Application Data\scvhost.exe
C:\Sys.exe
C:\autorun.inf

The dropped scvhost.exe also gets added to the autorun registry keys so it gets executed after every reboot. The autorun.inf and sys.exe aren’t only created on the system hard disk, but also on all removable drives. This seems to be the spreading mechanism of the worm.

If you take a closer look at the malware, one thing sure catches attention. At the end you find the strings “VaQxiNe-steam=1firefox=1cookies=1sandboxie=1zonealarm=1
wireshark=1anubis=1virtualpc=1keyscrambler=1startup=1usb=1task=1″. This hints that the Vaqxination toolkit got used. The construction kit has some features interesting for cybercriminals:

Fig. 2: The Malware Toolkit used to create the worm.

Fig. 2: The Malware Toolkit used to create the worm.

Further Features of the toolkit according to the advertisement of the Toolkit programmer:
- Vista UAC Bypass
- Run-as-admin Bypass
- Fully stealth
- “Legit” Windows Process
- Stronger output encryption
- Only 15 US-$ for the Toolkit.

That string seems to be the configuration that the malware creator used with the Malware Construction Kit. The features seem to work as described, for example the malware is undetectable by the Anubis sandbox system:

Fig. 1: The autorun-worm uses some anti-sandboxing tricks.

Fig. 1: The autorun-worm uses some anti-sandboxing tricks.

The Vaqxination Malware Construction Toolkit currently steals passwords from Firefox and Steam and also logs all keystrokes. Those log files get sent to the email account the creator has chosen before building the malware.

Avira detects the bogus key generator as Worm/Autorun.sxa with VDF version 7.01.06.18. For malware authors, keygens are a simple way to infect user PCs for a longer time already. If an antivirus solution warns from malware within such a keygen, this is nearly always a correct detection – the probability of a false positive detection is extremely low. Also the websites where such keygens usually are offered often try to infect PCs via drive-by-downloads. So be very careful when searching for software like this!

Dirk Knop
Technical Editor

VAQXINATION v6.0