Windows Emergency System is another rogue security software. It claims to scan the system for errors, but instead it shows fake errors and tells the user that the full version of the software must be bought to fix these non-existent problems.
Screenshot of the installer:
Payment page:
Network traffic:
GET /soft-usage/favicon.ico?0=1200&1=XXX&2=i&3=85&4=2600&5=5&6=1&7=62900.2096&8=1040 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: soft-store-inc.com
Whois:
Domain Name: SOFTSTORE-INC.COM
Registrar: DOMAINCONTEXT, INC.
Whois Server: whois.domaincontext.com
Referral URL: http://www.domaincontext.com
Name Server: NS1.REGWAY.COM
Name Server: NS2.REGWAY.COM
Status: clientTransferProhibited
Updated Date: 05-mar-2011
Creation Date: 05-mar-2011
Expiration Date: 05-mar-2012
Network traffic:
GET /payment_forms/default/css/pay.css HTTP/1.1
Referer: http://softstore-inc.com/85/40/form/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: softstore-inc.com
Whois:
Domain Name: SOFT-STORE-INC.COM
Registrar: DOMAINCONTEXT, INC.
Whois Server: whois.domaincontext.com
Referral URL: http://www.domaincontext.com
Name Server: NS1.REGWAY.COM
Name Server: NS2.REGWAY.COM
Status: clientTransferProhibited
Updated Date: 05-mar-2011
Creation Date: 05-mar-2011
Expiration Date: 05-mar-2012
Malicious domains:
http://www.urlvoid.com/scan/soft-store-inc.com
http://www.urlvoid.com/scan/softstore-inc.com
Other suspicious domains:
http://www.urlvoid.com/scan/getsomepornhere.net
http://www.urlvoid.com/scan/softstorecorp2012.com
http://www.urlvoid.com/scan/softstorecorp2011.com
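The two captured requests above give a defender enough to write a simple proxy-log check: the hosts (and the Referer) belong to the domains listed as malicious, and the first request fetches favicon.ico with a purely numeric-keyed query string, which is a beacon, not a real icon fetch. The following is an added example, not code from the original post: it parses raw HTTP/1.x requests, flags them on those two criteria, and runs over three constructed captures (two modelled on the requests shown above plus one benign control). The function names, the BAD_HOSTS list (the two domains the post calls malicious) and the sample captures are this example's own assumptions.

```python
"""Flag HTTP requests to the rogue-AV beacon/payment infrastructure.

Added example, not from the original post. BAD_HOSTS holds the two domains
the post reports as malicious; the captures at the bottom are constructed."""
import re
from urllib.parse import urlsplit, parse_qs

# Domains the post names as malicious (both spellings appear in the captures).
BAD_HOSTS = {"soft-store-inc.com", "softstore-inc.com"}

# Beacon path from the first capture. A genuine favicon request carries no
# numeric-keyed query string, so the shape itself is a usable signature.
BEACON_PATH = "/soft-usage/favicon.ico"

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")


def parse_request(raw):
    """Parse a raw HTTP/1.x request (request line plus headers) into a dict."""
    lines = raw.strip().splitlines()
    m = REQUEST_LINE.match(lines[0].strip())
    if not m:
        raise ValueError("not an HTTP request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    parts = urlsplit(m.group("target"))
    return {
        "method": m.group("method"),
        "path": parts.path,
        "query": parse_qs(parts.query, keep_blank_values=True),
        "host": headers.get("host", "").lower(),
        "referer": headers.get("referer", ""),
    }


def classify(req):
    """Return the reasons a parsed request looks like rogue-AV traffic (empty list = clean)."""
    reasons = []
    host = req["host"]
    if host.startswith("www."):
        host = host[4:]
    if host in BAD_HOSTS:
        reasons.append("host %s is a known rogue-AV domain" % host)
    ref_host = urlsplit(req["referer"]).hostname or ""
    if ref_host in BAD_HOSTS:
        reasons.append("referer points at rogue-AV domain %s" % ref_host)
    # Beacon check: exact path and every query key is a bare integer (0=..&1=..).
    if req["path"] == BEACON_PATH and req["query"] and all(k.isdigit() for k in req["query"]):
        reasons.append("numeric-keyed favicon.ico beacon (%d parameters)" % len(req["query"]))
    return reasons


def scan(captures):
    """Classify each raw request; return (host, path, reasons) for flagged ones only."""
    hits = []
    for raw in captures:
        req = parse_request(raw)
        reasons = classify(req)
        if reasons:
            hits.append((req["host"], req["path"], reasons))
    return hits


# Constructed sample captures: two modelled on the post's requests, one benign control.
SAMPLE_CAPTURES = [
    "GET /soft-usage/favicon.ico?0=1200&1=XXX&2=i&3=85&4=2600&5=5&6=1&7=62900.2096&8=1040 HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    "Host: soft-store-inc.com\r\n",
    "GET /payment_forms/default/css/pay.css HTTP/1.1\r\n"
    "Referer: http://softstore-inc.com/85/40/form/\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    "Host: softstore-inc.com\r\n",
    "GET /favicon.ico HTTP/1.1\r\n"
    "Host: www.example.com\r\n",
]

if __name__ == "__main__":
    for host, path, reasons in scan(SAMPLE_CAPTURES):
        print(host, path)
        for reason in reasons:
            print("  -", reason)
```

The beacon rule is deliberately independent of the domain list: if the operators move the same software to a fresh domain (the "other suspicious domains" listed above suggest they rotate), the numeric-keyed favicon.ico request still stands out, while the host rule catches the payment-form traffic that carries no such signature.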
The malware that installed this rogue software created a few files in the C:\ folder:
C:\kill.txt
C:\avenger.txt
C:\cleanup.exe
C:\TITI.exe
The malware used a legitimate security tool named “Avenger” to remove antivirus products: