Fake System Optimizer with special messages

When analyzing malware, we often look for strings within the malware samples. Those give some interesting insights about the malware, its creators or the targets, for example. While poking into a fake system optimizer, after some decryption layers we also found some interesting strings:

0.System Tool…
1.2011…
2.somedomain.com…
3./install.php?affid=%s…
4.http://%s/buy.php?affid=%s…
5.iexplore.exe…
6.SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce…
7.SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall…
8.This copy of System Tool is unregistered…
9.Yes…
10.No…
11.Windows has detected spyware infection!..Click this message to install the last update of Windows security software……
12.Warning: Your computer is infected…
13.Application cannot be executed. The file %s is infected…Please activate your antivirus software…
14.ThisIsPayFormClass…
15.Attention! System detected a potential hazard (TrojanSPM/LX) on your computer..that may infect executable files. Your private information and PC safety is at risk…To get rid of unwanted spyware and keep your computer safe you need to update your current security software…Click Yes to download official intrusion detection system (IDS software)…
16.Security Monitor: WARNING!…
17.http://%s…
18.Press OK to clean your PC right now…
19.WARNING!…
20.Enter Serial…
21.?affid=…
22.2??.2??.1??.??…
23.http://?????????????.com/…
24./dbg.php?affid=%s&h=%s…
25.Mozilla/4.0 (compatible; MS IE 7.0; Windows NT 5.1; GTB0.0; .NET CLR 1.1.4322)…
26.Content-Type: application/x-www-form-urlencoded…
27.http://????????????.biz/…
34.??.1??.5?.2??…
35.c:\mscheck.dbg…
37.Don’t stop me! I give work and money for you!…
38.%d infections cleaned. Reboot required….
39.ThIsIsReGiStErEdMuTeX…
40.qdbkprgy159eho…
41.Don’t stop me! I need some money!…
900.G41w1rkF1rm4A5Du…
999.a.

Especially funny is the string “Don’t stop me! I need some money!”, which seems to be used as a mutex name. You can also see affiliate IDs (the affid= parameters), which indicate that the distributors use a pay-per-install system like the one we reported on earlier.
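As an added illustration of the string-hunting described above (this is not code from the post or from Avira), the script below pulls printable strings out of a byte buffer and tags the ones that carry triage hints: affiliate-ID parameters, URL templates, RunOnce/Uninstall registry paths, a User-Agent, and mutex-looking names. The buffer, the minimum length of 4 and the tag patterns are all assumptions constructed for this example; the buffer embeds a few of the strings quoted above, separated by NUL bytes, rather than the real sample.

```python
import re
from typing import Dict, List

# Constructed stand-in for a decrypted string table (NOT the real binary):
# a handful of strings from the post, NUL-separated, plus some non-printable
# noise and a 3-character run that the length filter should drop.
SAMPLE = (
    b"\x00\x01System Tool\x00/install.php?affid=%s\x00"
    b"http://%s/buy.php?affid=%s\x00"
    b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\x00"
    b"ThIsIsReGiStErEdMuTeX\x00Don't stop me! I need some money!\x00"
    b"Mozilla/4.0 (compatible; MS IE 7.0; Windows NT 5.1)\x00\xff\xfe\x7f ab\x00"
)

MIN_LEN = 4  # assumed cutoff, like the default of the classic strings tool

# Each tag is a defender-side hint about what a string suggests (assumed patterns).
TAGS = [
    ("affiliate-id", re.compile(r"affid=", re.I)),
    ("url-template", re.compile(r"^https?://|\.php\?", re.I)),
    ("autorun-key", re.compile(r"CurrentVersion\\Run(Once)?$", re.I)),
    ("uninstall-key", re.compile(r"CurrentVersion\\Uninstall$", re.I)),
    ("user-agent", re.compile(r"^Mozilla/")),
    ("mutex-like", re.compile(r"mutex", re.I)),
]


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return every run of printable ASCII (0x20-0x7e) of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def tag_strings(strings: List[str]) -> Dict[str, List[str]]:
    """Map each string to the list of tags it matches (empty list if none)."""
    return {s: [name for name, rx in TAGS if rx.search(s)] for s in strings}


def summarize(data: bytes) -> Dict[str, List[str]]:
    """Extract strings and keep only those that matched at least one tag."""
    return {s: t for s, t in tag_strings(extract_strings(data)).items() if t}


if __name__ == "__main__":
    for s, tags in summarize(SAMPLE).items():
        print(f"{', '.join(tags):<28} {s}")
```

Untagged strings such as the "I need some money!" message still deserve a human look; the tags only prioritize, they do not replace reading the full output.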

The fake system optimizer claims that it needs to defragment the hard disk, that huge areas of it are unreadable, and that access times are greater than 500ms. This is pure BS, of course. But to less computer-savvy people it may sound compelling.

We detect this malware as TR/Crypt.ZPACK.Gen2 and constantly add new detections for new variants to improve the security of Avira users.

Moritz Kroll
Engine R&D

Dirk Knop
Technical Editor