First variations of this kind of malware appeared in October 2010 and it has already passed through various names: “System Defragmenter” -> “Scan Disk” -> “Check Disk” -> “Win HDD”.
The means of propagation of Scareware are versatile: One possible way of infection could be a drive-by download from a malicious site. The program could also be spread by the help of a botnet (as a file downloaded by the zombie PC). Another transmission can be via email attachment.
So, the most recent variety is called “Win HDD”. The G Data security experts had a closer look at this fake system tool, captured a video of the faked “System Scan” and uploaded it to YouTube.
As you can see in this video, the rogue system optimizer’s behavior is extremely similar to FakeAV behavior: The user is tricked with fake threats and system alerts and lured to buy the actually useless software. Obviously, all of the alleged errors shown are fake!
The scamsters even faked the Microsoft Internet Explorer payment window which you can see at the end of the video. The upper part, containing the green address bar, a lock icon and the HTTPS address – normally signals for a secure and encrypted connection – are a fake as well. The address shown does not exist! The real address, which actually opens the window you can see below the address bar, is a totally different one and, besides that, also only functions as a forward to the actual payment target address.
This final address was only registered in September 2010 with a SSL certificate from Comodo. We suspect it is a fully functional “Free 90 day certificate”. The certificate was issued on 28 September 2010 and is valid until 28 December 2010. This is another indication for the shadiness of “Win HDD”.
Registered version of “Win HDD”
The G Data security experts revealed that the required registration number to activate the program is hard coded within the program’s code! So let’s have a look at the fake optimization process after registering this fake system tool on YouTube.
The menus “Computer hard drives”, “RAM Memory” and “System health” all lead to a fake “scan” and the menus “Settings & Options”, “Performance Services” and “Proactive Data Protection” bring the user to one and the same options and settings window. None of the information shown here is usable or has actually any connection to the user’s system – it is all generic. But, apart from the fact that 3 or 4 windows are connected to one single function, the GUI of this Registered “Win HDD” is impressive and makes it even harder for inexperienced users to realize the scam.
Another curiosity about “Win HDD” is the so called Extended Download Service (EDS). The option to buy EDS was ticked in the payment window, for an extra 4,90€. The service allows you to download “Win HDD” again after you deleted it from your system – e.g. in case you had to format your HDD or similar. The personalized download link leads to a kind of captcha registration:
It doesn’t matter what digit you type into the second form – The server will accept it anyway. You proved you’re human ;-)
G Data generation 2011 products identify all of the mentioned rogue system optimizers! And we can only advise you not rely blindly on dubious system tools!
Removal instructions for “Win HDD”
- Right click on the shortcut of 'Win HDD' on your desktop and choose Properties
- In the properties window you can find the randomly generated name (98f82f.exe in the example) of the “Win HDD” executable in the field Target
- Open the Windows task manager (Ctrl+Alt+Del) and navigate to the Processes tab
- If you find a process with the name of the executable in the list, click on it to mark it and then click End Process
- Close the task manager
- Go back to the Properties window of the shortcut and click on Find Target. An Explorer window will open automatically
- Delete the executable file (it should show the same icon as the desktop shortcut)
Close the Explorer window - In the Windows task bar, click on Start / the Windows symbol and run. Type 'regedit' in the Open field and hit OK
- Navigate to 'My Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
- Delete the registry value in the right tab pointing to the “Win HDD” executable
- Close the registry editor window
- Delete the “Win HDD” desktop shortcut and the “Win HDD” folder in All Programs