A weather app with a twist

Posted: February 3, 2016 by Pieter Arntz
Last updated: March 30, 2016

Recently, a weather app caught our attention by doing something far worse than predicting rain all the time. It installed all the ingredients for a false Blue Screen Of Death (BSOD) with a number to call for assistance.

WeatherWizard

As the app is bearing the same name as one comic book “super villain” this might have been a warning that there was something up with this one. But offered in a bundle you come across the most useless of apps, as we have told our regular readers many times. So why not a weather app. The app itself does not do much more than give you the weather in a certain US zip code. You type in the ZIP code and it will tell you what you are missing.

The Tech Support Scam

But what it does in the background is more worthy of the super villain reference. A bat file call sc.bat sets two Scheduled Tasks to work.

This seems to indicate they are in it for the long haul as those Scheduled Tasks are set to be executed on every 1st of December after the install date. You don’t see that kind of patience often in this line of business.

So you will understand that I just had to trigger them to find out what they do. SysInfo.exe was unresponsive on my system, but amdave64Win.exe certainly did not disappoint me as it opened a series of command prompts and did a grand finale ending at this:

Calling that number will probably result in someone explaining to you how to use Ctrl-Alt-Del to get to Task-manager and start a new process called explorer.exe to regain control over your machine. After charging you a considerable fee no doubt.

Although we have seen many examples of scare tactics using BSOD screens, [1], [2], [3], [4], using a seemingly harmless weather app and then wait for a considerable period of time is a bold new tactic we haven’t seen before.

Detection and protection

Malwarebytes Anti-Malware detects WeatherWizard as PUP.Optional.WeatherWizard and the components of the Tech Support Scam as Rogue.TechSupportScam. A removal guide with more details can be found at our forums.

Summary

We looked at a simple weather app that turned out to have a twist and install a fake BSOD inviting users to call a Tech Support Scam number.

Pieter Arntz

COMMENTS

Kitlia Steele

They’re using a Windows 7 (and older) BSOD stop/kernel panic screen? This’ll be effective for a fair number of people, but those with Windows 8.1/10 would hopefully question that. I’ve seen similar fake panic screens before, and had clients call me to verify the legitimacy of said screens. This would be a bit more effective if they had different versions of the panic screen based on the OS version.
Pieter Arntz

You are right. After seeing this on my Windows 7 Virtual Machine, I also ran it on a Windows 10 laptop that I have for testing, hoping for a modern BSOD, but the warning is exactly the same. Rule of thumb: the phone number gives it away even if it fits your Operating System.
haha ttpro

That is fantastic. I am unaware that this kind of scam is exist.
Kitlia Steele

A lot of people will fall for it, even with the phone number. Alas I’m not able to teach every end user how to easily spot fake programs/malware, and neither can everyone else. I’ve had a few clients fall for the telephone number scam.
tjpc3 The Redstoner

Weather forcast for today: BSOD with a chance of scam.
Nicholas Staines

Trust near nothing these days when you download them.
Pingback: coolest apps for iphone | Telecharger()
Pingback: Daily Intelligence 2.16.2016 - CSCSS()
Pingback: Free Youtube Downloader PUP is just another Tech Support Scam | Malwarebytes Labs()

RELATED ARTICLES

Cybercrime | Malware

Intentional PE Corruption

April 30, 2012 - Malwarebytes Anti-Malware is under constant attack. 24 hours per day, 7 days per week, 365 days per year. If you read my recent blog post about the development of Malwarebytes Chameleon, you know that we at Malwarebytes have big red ‘X’s on our chests; the bad guys are always out to get us. Malwarebytes Anti-Malware...

CONTINUE READING 14 Comments

Cybercrime | Malware

The Cat-and-Mouse Game: The Story of Malwarebytes Chameleon

April 24, 2012 - The fight against malware is a cat-and-mouse game. It is constant and constantly escalating. They make a move, you counter it, they counter your counter, lather, rinse, repeat. What’s more: malware almost always has the advantage. Our software Malwarebytes Anti-Malware earned a reputation for having a high success rate in combating new in-the-wild malware infections:...

CONTINUE READING 7 Comments

Cybercrime | Hacking

Cybercrime at $12.5 Billion: The Great Underreported Threat

May 7, 2012 - From the outside looking in, it may appear that the press regularly reports stories when a company’s website, database or intellectual property has been hacked, stolen or compromised. The more eye-opening fact of the matter is that the scale and scope of the cybercrime problem is much, much larger and the actual incidences of these...

CONTINUE READING 2 Comments

Cybercrime | Hacking

DDOS, Botnets and Worms…Oh My!

May 14, 2012 - The recent attack on the Serious Organized Crime Agency (SOCA), most likely in response to the 36 data selling sites shut down a few weeks ago, lead to the admission by high ranking SOCA officials that the Ministry of Defense networks need to “beef up their security.” In response to this we would like to...

CONTINUE READING 1 Comment

Cybercrime | Exploits

“The Sky is Falling… Are You at Risk from the Flame Malware?”

June 1, 2012 - The last time I checked with Google News this morning there were over 19,100,000 results for “flame malware”. You may have heard many stories this week about this complex trojan. Here are links to three of my current personal favorite articles on “Flame”. Powerful ‘Flame’ cyberweapon tied to popular Angry Birds game – (Fox News)...

CONTINUE READING 3 Comments

ABOUT THE AUTHOR

Pieter Arntz
Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

CATEGORIES

101 Cybercrime Malwarebytes news PUP Security world

SEARCH LABS

TOP POSTS