Recently, a weather app caught our attention by doing something far worse than predicting rain all the time. It installed all the ingredients for a false Blue Screen Of Death (BSOD) with a number to call for assistance.
WeatherWizard
Since the app bears the same name as a comic book “super villain”, that alone might have been a warning that something was up with this one. But in bundles you come across the most useless of apps, as we have told our regular readers many times, so why not a weather app? The app itself does little more than give you the weather for a given US ZIP code: you type in the ZIP code and it tells you what you are missing.
The Tech Support Scam
But what it does in the background is more worthy of the super villain reference. A batch file called sc.bat sets up two Scheduled Tasks.
This seems to indicate they are in it for the long haul, as those Scheduled Tasks are set to execute on every 1st of December after the install date. You don’t see that kind of patience often in this line of business.
So you will understand that I just had to trigger them to find out what they do. SysInfo.exe was unresponsive on my system, but amdave64Win.exe certainly did not disappoint: it opened a series of command prompts and ended with a grand finale at this:
Calling that number will probably result in someone explaining to you how to use Ctrl-Alt-Del to get to Task Manager and start a new process called explorer.exe to regain control of your machine. After charging you a considerable fee, no doubt.
Although we have seen many examples of scare tactics using BSOD screens [1], [2], [3], [4], using a seemingly harmless weather app and then waiting a considerable period of time before showing the screen is a bold new tactic we haven’t seen before.
Detection and protection
Malwarebytes Anti-Malware detects WeatherWizard as PUP.Optional.WeatherWizard and the components of the Tech Support Scam as Rogue.TechSupportScam. A removal guide with more details can be found at our forums.
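For the detection side, here is an added PowerShell triage script (not Malwarebytes' code or a tool from this article) that walks the local Scheduled Tasks and flags the shape of persistence described above: an action referencing sc.bat, SysInfo.exe or amdave64Win.exe, an executable living outside the Windows or Program Files trees, or a next run date months away, which is how a yearly 1 December trigger shows up. The 60-day threshold and the list of trusted roots are assumptions chosen for illustration, so treat hits as leads to inspect, not verdicts.

```powershell
# Added hunt script (not from the article). Assumptions: a 60-day deferral threshold
# and SystemRoot/Program Files as the only "trusted" roots for task executables.
$suspectNames = @('sc.bat', 'SysInfo.exe', 'amdave64Win.exe')   # file names given in the article
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }
$deferThreshold = (Get-Date).AddDays(60)

$findings = foreach ($task in Get-ScheduledTask) {
    # Runtime state (last/next run) lives in a separate object from the task definition.
    $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath -ErrorAction SilentlyContinue
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions carry no program path
        $exe     = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
        $cmdLine = "$exe $($action.Arguments)".Trim()
        $reasons = @()

        # 1. Command line references one of the component names from the article.
        foreach ($n in $suspectNames) {
            $pattern = '(^|[\\\s"])' + [regex]::Escape($n) + '(?=$|[\s"])'
            if ($cmdLine -match $pattern) { $reasons += "references $n" }
        }
        # 2. Absolute path outside the system/program trees (bundles drop into user-writable dirs).
        if ($exe -like '*\*') {
            $lower     = $exe.ToLowerInvariant()
            $inTrusted = $trustedRoots | Where-Object { $lower.StartsWith($_) }
            if (-not $inTrusted) { $reasons += "runs from non-system path: $exe" }
        }
        # 3. Long-deferred execution: the "patience" pattern of a once-a-year trigger.
        if ($info -and $info.NextRunTime -and $info.NextRunTime -gt $deferThreshold) {
            $reasons += "next run not until $($info.NextRunTime.ToString('yyyy-MM-dd'))"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Task     = "$($task.TaskPath)$($task.TaskName)"
                Author   = $task.Author
                Command  = $cmdLine
                Triggers = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
                Reasons  = $reasons -join '; '
            }
        }
    }
}

$findings | Sort-Object Task | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so tasks registered by other accounts are visible; the Triggers column shows the trigger CIM class so a once-only or monthly schedule can be told apart from a logon or boot trigger.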
Summary
We looked at a simple weather app that turned out to have a twist: it installs a fake BSOD inviting users to call a Tech Support Scam number.
Pieter Arntz
They’re using a Windows 7 (and older) BSOD stop/kernel panic screen? This’ll be effective for a fair number of people, but those with Windows 8.1/10 would hopefully question that. I’ve seen similar fake panic screens before, and had clients call me to verify the legitimacy of said screens. This would be a bit more effective if they had different versions of the panic screen based on the OS version.
You are right. After seeing this on my Windows 7 Virtual Machine, I also ran it on a Windows 10 laptop that I have for testing, hoping for a modern BSOD, but the warning is exactly the same. Rule of thumb: the phone number gives it away even if it fits your Operating System.
That is fantastic. I was unaware that this kind of scam existed.
A lot of people will fall for it, even with the phone number. Alas I’m not able to teach every end user how to easily spot fake programs/malware, and neither can everyone else. I’ve had a few clients fall for the telephone number scam.