My Fun for the Day - Fake BSOD

gadgetfixup · Aug 5, 2015

Some of you have probably seen this critter but it's the first time in our shop. Customer purchased a new computer system for her Son that "didn't do anything" and was getting what he thought was a BSOD. I documented this one a bit in case you guys see it.

The fake BSOD that pins the mouse to top left corner. You can't move the mouse anywhere and the overlay stays on top of all apps.

First tech hit it with everything. You name the scan and he did it. Boots system and within 5 mins this pops up. I even grabbed my trusty FRST and looked at last 30 days. Nothing. Well the bugger alters the folder and file dates so it looks like it's been there longer. The kid downloaded this on 7/29 and you can see the dates here.

Bitraider compressed file was the download. That windows.exe file is the bug. You can see it's dated 6/13/2015. Uploaded it to VT and only 2 of 53 anti-viruses discovered it packed. Even Kaspersky and ESET missed it.

There she is in process explorer. To kill it you have to use your keyboard as the mouse is dead. Arrow down and ALT + E to kill it.

Here the bugger is in autoruns. Obviously I already removed the file from the folder but that shows you where it was launching from.

And here is the jewel if you want to play with it.

https://www.dropbox.com/s/xaf5ez6g8uyl6iy/windows.zip

This one will run you around in circles a bit as no system scans will pick it up and clean it.

Markverhyden · Aug 5, 2015

Interesting little critter.

TechLady · Aug 5, 2015

Wow. Glad you posted this, thanks.

TechLady · Aug 5, 2015

Like Microsoft would ever have the class for serif font BSOD. Ha.

Markverhyden · Aug 5, 2015

I've always had fun with BSD screen savers in OS X.

katz · Aug 5, 2015

Good find...and look at all that Spotify resource hogging stuff...

Moltuae · Aug 5, 2015

TechLady said:
Like Microsoft would ever have the class for serif font BSOD. Ha.

lol That's what I thought. And the text layout is all wrong.
Seems odd to go to all the effort of writing such malware to then make a shoddy attempt at reproducing the visuals when the authenticity of those is key to fooling the most victims.

I wonder what the point of this malware is? Does it install other processes that make its creators money somehow or is it merely a prank? I mean, displaying a BSOD certainly isn't the best way of ensuring your code remains on your victims PC if your plan is to send spam or capture passwords, etc.

gadgetfixup · Aug 5, 2015

I think the intent is to get you to call that toll-free "Windows helpline" phone number they have listed. That was the first thing that caught my eye, what BSOD has a phone number? LOL.

Moltuae · Aug 5, 2015

inbargains said:
I think the intent is to get you to call that toll-free "Windows helpline" phone number they have listed. That was the first thing that caught my eye, what BSOD has a phone number? LOL.

Ah, yes, that'd make sense

I missed that.

ian-oz · Nov 4, 2015

got to love interesting malware like that. Thanks for sharing.

roy simpson · Mar 12, 2019

i ran into this a while back, friend wanted the computer wiped but i got it off of it and showed him it was running like it should. im glad someone put a write-up to remove it easier than what i had to do.

Porthos · Mar 12, 2019

roy simpson said:
i ran into this a while back, friend wanted the computer wiped but i got it off of it and showed him it was running like it should. im glad someone put a write-up to remove it easier than what i had to do.

You are digging up OLD threads and that is frowned upon here and on most forums.

roy simpson · Mar 12, 2019

did not realize that, my mistake...

mraikes · Mar 12, 2019

Porthos said:
You are digging up OLD threads and that is frowned upon here and on most forums.

Except that Roy apparently encountered this little bugger in the wild not so long ago. So it's still out there (and interesting) even after all this time.

I think in this case it's good he resurrected the thread rather than starting a new one.

Thanks for sharing @roy simpson

Diggs · Mar 13, 2019

I just got a call on this.....

nlinecomputers · Mar 14, 2019

Has anyone submitted this to av companies?

Diggs · Mar 14, 2019

nlinecomputers said:
Has anyone submitted this to av companies?

Let me see what I can do after I get the machine in on the bench.

MichaelBits · Mar 14, 2019

Little off topic...

I came into work one day and my main office desktop was sitting on a bluescreen.
I thought that to be odd, went ahead and rebooted it and it worked fine.

Was sitting tinkering (not on the desktop) in my office and suddenly the bluescreen popped back up, yet wasn't a crash...
Realized my boss put the bluescreen screensaver on my desktop! Funny guy...

So put the "12-Ants" program on his! https://www.softwareok.com/?seite=Microsoft/12-Ants
Drove him nuts, ants kept attacking his cursor. For fun, I did it to the receptionist desktop as well.

My Fun for the Day - Fake BSOD

gadgetfixup

Well-Known Member

Markverhyden

Well-Known Member

TechLady

Well-Known Member

TechLady

Well-Known Member

Markverhyden

Well-Known Member

katz

Well-Known Member

Moltuae

Rest In Peace

gadgetfixup

Well-Known Member

Moltuae

Rest In Peace

ian-oz

New Member

roy simpson

New Member

Porthos

Well-Known Member

roy simpson

New Member

mraikes

Well-Known Member

Diggs

Well-Known Member

nlinecomputers

Well-Known Member

Diggs

Well-Known Member

MichaelBits

Well-Known Member

Similar threads