Sunday, September 07, 2008

PrivateContent and fake Google Toolbar BHO

The gang behind rogue security software has taken a new approach to peddling malware. Instead of fake codecs, they are now offering an "Access Code Generator" called PrivateContent, which supposedly lets one access online videos. Obviously, this access code generator is a fake!

PrivateContent.exe is hosted at and is not well detected as of now. Here's the VirusTotal scan result (complete scan results can be found here):

File PrivateContent.exe
AntiVir - TR/Drop.Agent.vsu
Prevx1 V2 - Malicious Software
Webwasher-Gateway - Trojan.Drop.Agent.vsu

PrivateContent.exe drops a DLL named googletoolbar1.dll into the %ProgramFiles%\Google\ directory. This DLL is registered as an Internet Explorer BHO. The HijackThis entry for this BHO is shown below:

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4D91-8333-CF10577473F7} - C:\Program Files\Google\googletoolbar1.dll

Surprisingly, this fake googletoolbar1.dll is not detected by any of the AVs at VirusTotal (scan results can be found here).

Googletoolbar1.dll generates popups/ads and tries to install rogue security software. The screenshots below show the fake googletoolbar1.dll in action!
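Because the dropped DLL registers under the display name and install directory of a legitimate toolbar, the HijackThis line alone does not tell a defender whether the file is the real one. The script below is an added example, not code from the original post: it inventories the BHOs registered for Internet Explorer, resolves each CLSID to the DLL that will be loaded, and reports the Authenticode signature state, so a BHO whose display name advertises a vendor but whose DLL is unsigned or signed by someone else stands out. The registry roots, the `Wow6432Node` paths for 64-bit hosts and the `$knownVendors` list are assumptions of this example; the script is read-only and is meant to be run in an elevated PowerShell session on the machine under review.

```powershell
# Added example (not from the original post): enumerate IE BHO registrations and
# check the Authenticode signature of each DLL they load. Read-only.

# Assumed registry roots: native and 32-bit-on-64-bit BHO registrations.
$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)

# Assumed heuristic list: if one of these words appears in a BHO's display name,
# the same word is expected in the signer certificate subject of its DLL.
$knownVendors = @('Google', 'Microsoft', 'Adobe')

function Resolve-BhoServer {
    # Map a CLSID to its display name and in-process server DLL.
    param([string]$Clsid)
    foreach ($root in $clsidRoots) {
        $classKey = Join-Path $root $Clsid
        $inproc   = Join-Path $classKey 'InProcServer32'
        if (Test-Path $inproc) {
            $dll = (Get-ItemProperty -Path $inproc).'(default)'
            if ($dll) {
                # Registered paths may be quoted or use %ProgramFiles%-style variables.
                $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
            }
            return [PSCustomObject]@{
                Name = (Get-ItemProperty -Path $classKey).'(default)'
                Dll  = $dll
            }
        }
    }
    return $null
}

function Get-BhoInventory {
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($entry in Get-ChildItem -Path $root) {
            $clsid  = $entry.PSChildName          # e.g. {AA58ED58-01DD-4D91-8333-CF10577473F7}
            $server = Resolve-BhoServer -Clsid $clsid
            $name   = if ($server) { $server.Name } else { '' }
            $dll    = if ($server) { $server.Dll }  else { $null }
            $exists = $dll -and (Test-Path -LiteralPath $dll)

            $status = 'FileMissing'
            $signer = ''
            if ($exists) {
                $sig    = Get-AuthenticodeSignature -FilePath $dll
                $status = $sig.Status.ToString()    # Valid, NotSigned, HashMismatch, ...
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }

            # Flag a BHO whose name claims a vendor that did not validly sign the DLL.
            $suspicious = $false
            foreach ($vendor in ($knownVendors | Where-Object { $name -match $_ })) {
                if ($status -ne 'Valid' -or $signer -notmatch $vendor) { $suspicious = $true }
            }

            [PSCustomObject]@{
                CLSID      = $clsid
                Name       = $name
                Dll        = $dll
                Signature  = $status
                Signer     = $signer
                Suspicious = $suspicious
            }
        }
    }
}

# Suspicious entries first; pipe to Export-Csv to keep a record for the case file.
Get-BhoInventory | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

On a machine infected as described in this post, the entry for `Google Toolbar Helper` would resolve to `C:\Program Files\Google\googletoolbar1.dll`, and the `Signature` and `Signer` columns, not the name or path, are what separate the dropped DLL from a genuine toolbar install. The vendor heuristic is deliberately loose; treat a `Suspicious` row as a reason to hash the file and look it up, not as a verdict on its own.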


Anonymous said...

Cool! Thanks for the info, mate! :)

12:25 AM  
