In the last few days we have received a new kind of scareware in our Virus Labs. This Trojan family, called ThinkPoint, is spreading very quickly on the Internet.
After the malware is executed, it creates a copy of itself named ‘hotfix.exe’ under ‘C:\Documents and Settings\User\Application Data\hotfix.exe’. Once that copy exists, the malware changes the Shell value of the Winlogon registry key: it deletes the entry for explorer.exe and adds a new entry pointing at the newly created copy.
The scareware infection stays silent until the user tries to execute another program. Because the registry key has been changed, ThinkPoint starts for each executed program and shows a dialog.
ThinkPoint imitates the look of legitimate software and uses “Microsoft Security Essentials” as its window title. To see what the scareware does, we click the button “Apply actions”.
The fake “Microsoft Security Essentials” then offers us a trial version of ThinkPoint to solve the problem. Since we would like to solve our problem, we hit the “OK” button – and the computer reboots.
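A defender-side check for the persistence change described above, as an added PowerShell example (not code from the Avira post). It assumes the standard Winlogon key paths, which the post does not spell out, and uses %APPDATA% as the current equivalent of the ‘Application Data’ folder named in the post:

```powershell
# Added example, not part of the original post: flag a hijacked Winlogon "Shell"
# value (a clean machine holds exactly "explorer.exe" under HKLM) and look for
# the dropped copy in the user's Application Data folder.
$WinlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   # normally has no Shell value
)

function Test-WinlogonShell {
    [CmdletBinding()]
    param([switch]$Restore)   # -Restore writes explorer.exe back into a hijacked HKLM value

    foreach ($key in $WinlogonKeys) {
        if (-not (Test-Path $key)) { continue }
        $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
        if ($null -eq $shell) {
            if ($key -like 'HKLM:*') { Write-Warning "${key} has no Shell value at all" }
            continue
        }
        # Shell may be a comma-separated list; anything that is not explorer.exe
        # (e.g. a path into Application Data) is suspect.
        $entries = $shell -split ',' | ForEach-Object { $_.Trim() }
        $bad = @($entries | Where-Object { $_ -ne 'explorer.exe' })
        if ($bad.Count -eq 0) {
            Write-Host "${key}: Shell is clean ('$shell')"
            continue
        }
        Write-Warning "${key}: suspicious Shell value '$shell'"
        foreach ($entry in $bad) {
            # Report the file and its hash so it can be submitted to the AV vendor
            $exe = ($entry -split ' ')[0].Trim('"')
            if (Test-Path $exe) {
                $hash = (Get-FileHash -Path $exe -Algorithm SHA256).Hash
                Write-Warning "  referenced file exists: $exe (SHA256 $hash)"
            }
        }
        if ($Restore -and $key -like 'HKLM:*') {
            Set-ItemProperty -Path $key -Name Shell -Value 'explorer.exe'
            Write-Host "${key}: Shell restored to explorer.exe"
        }
    }
}

function Test-HotfixDropper {
    # Same file name the post reports; $env:APPDATA replaces the XP-era folder path
    $candidate = Join-Path $env:APPDATA 'hotfix.exe'
    if (Test-Path $candidate) { Write-Warning "Dropped copy present: $candidate" }
    else { Write-Host "No hotfix.exe in $env:APPDATA" }
}

Test-WinlogonShell
Test-HotfixDropper
```

Run from an elevated PowerShell prompt so the HKLM value can be read and, with `-Restore`, rewritten; a `hotfix.exe` hit should be quarantined by the installed AV rather than simply deleted, so the sample survives for analysis.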
After the restart we are greeted with a new screen:
The user can no longer interact with the computer. The only action available is to continue with “Safe Startup”. The fake antivirus scanner starts and shows us fake detections on legitimate software:
ThinkPoint now offers the user two options. One is “Continue unprotected”; pressing that button does nothing. The cyber criminals want to sell their software, so only “Install the full version with the required modules” will work.
We are now directed to a page where we are supposed to enter our credit card number and billing address and where we can choose what we would like to purchase. They offer different license types, from a 1-year up to a life-time license, as well as some additional premium support.
Avira detects the ThinkPoint scareware as TR/FakeAV and the malicious downloads as TR/FraudLoad.
Carlos Valero Llabata