New Rogue Software: Windows Emergency System

Windows Emergency System is another rogue security program. It claims to scan the system for errors, but instead it reports fake errors and tells the user that the full version must be purchased to fix problems that do not exist.

(Screenshot: Windows Emergency System GUI)

Screenshot of the installer:

(Screenshot: Windows Emergency System installer)

Payment page:

(Screenshot: payment page on soft-store-inc.com)

Network traffic:

GET /soft-usage/favicon.ico?0=1200&1=XXX&2=i&3=85&4=2600&5=5&6=1&7=62900.2096&8=1040 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: soft-store-inc.com

Whois:

Domain Name:	SOFTSTORE-INC.COM
Registrar:	DOMAINCONTEXT, INC.
Whois Server:	whois.domaincontext.com
Referral URL:	http://www.domaincontext.com
Name Server:	NS1.REGWAY.COM
Name Server:	NS2.REGWAY.COM
Status:	clientTransferProhibited
Updated Date:	05-mar-2011
Creation Date:	05-mar-2011
Expiration Date:	05-mar-2012

Network traffic:

GET /payment_forms/default/css/pay.css HTTP/1.1
Referer: http://softstore-inc.com/85/40/form/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: softstore-inc.com

Whois:

Domain Name:	SOFT-STORE-INC.COM
Registrar:	DOMAINCONTEXT, INC.
Whois Server:	whois.domaincontext.com
Referral URL:	http://www.domaincontext.com
Name Server:	NS1.REGWAY.COM
Name Server:	NS2.REGWAY.COM
Status:	clientTransferProhibited
Updated Date:	05-mar-2011
Creation Date:	05-mar-2011
Expiration Date:	05-mar-2012

Malicious domains:

http://www.urlvoid.com/scan/soft-store-inc.com
http://www.urlvoid.com/scan/softstore-inc.com

Other suspicious domains:

http://www.urlvoid.com/scan/getsomepornhere.net
http://www.urlvoid.com/scan/softstorecorp2012.com
http://www.urlvoid.com/scan/softstorecorp2011.com
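The two request captures above have a recognizable shape: a favicon fetch whose query string is made only of numbered keys (0=..., 1=..., ...) sent to the affiliate host, and payment-form requests where the same hosts appear as Host or Referer. The following classifier is an added example written for this post, not code from the original write-up or from any tool it mentions; the host names and paths are taken from the captures, while the benign sample request and all function names are my own.

```python
# Added example (not from the original post): classify raw HTTP request captures
# into the two traffic patterns shown above. Hosts and paths come from the post;
# the benign sample and the function names are assumptions made here.
from urllib.parse import urlsplit, parse_qs

ROGUE_HOSTS = {"soft-store-inc.com", "softstore-inc.com"}  # domains named in the post
BEACON_PATH = "/soft-usage/favicon.ico"                   # path of the numbered-parameter GET

def parse_request(raw):
    """Split a raw HTTP request into method, target and a lower-cased header dict."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    method, target, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}

def classify(raw):
    """Return ('beacon', params), ('payment-page', host) or (None, None)."""
    req = parse_request(raw)
    host = req["headers"].get("host", "").lower()
    url = urlsplit(req["target"])
    query = parse_qs(url.query)
    referer_host = (urlsplit(req["headers"].get("referer", "")).hostname or "").lower()
    # Beacon: favicon fetched with a query string made only of numbered keys (0=..&1=..).
    if host in ROGUE_HOSTS and url.path == BEACON_PATH and query and all(k.isdigit() for k in query):
        return "beacon", {k: v[0] for k, v in query.items()}
    # Payment-form traffic: a rogue host appears either as Host or as Referer.
    if host in ROGUE_HOSTS or referer_host in ROGUE_HOSTS:
        return "payment-page", host or referer_host
    return None, None

# Sample requests: the first two reproduce the captures in the post; the third is a
# constructed benign request to show the negative case.
BEACON_REQ = (
    "GET /soft-usage/favicon.ico?0=1200&1=XXX&2=i&3=85&4=2600&5=5&6=1&7=62900.2096&8=1040 HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    "Host: soft-store-inc.com\r\n"
)
PAYMENT_REQ = (
    "GET /payment_forms/default/css/pay.css HTTP/1.1\r\n"
    "Referer: http://softstore-inc.com/85/40/form/\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    "Host: softstore-inc.com\r\n"
)
BENIGN_REQ = "GET /favicon.ico HTTP/1.1\r\nHost: example.org\r\n"

if __name__ == "__main__":
    for name, raw in [("beacon", BEACON_REQ), ("payment", PAYMENT_REQ), ("benign", BENIGN_REQ)]:
        print(name, classify(raw))
```

The numbered parameters returned for the beacon can be logged as-is; tracking which values recur across installations is what lets an analyst tie separate infections to the same affiliate campaign.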

The malware that installed this rogue software created a few files in the C:\ folder:

C:\kill.txt
C:\avenger.txt
C:\cleanup.exe
C:\TITI.exe

(Screenshot: contents of C:\)

The malware used a legitimate security tool named "Avenger" to remove installed antivirus software:

(Screenshot: kill.txt)

(Screenshot: avenger.txt)