If you have read the blog post about Tech Support Scammers using the Winlogon Shell registry value, you know the basics about how this one works. And if you have also read the follow-up, you know that there are a lot of variants to this one. But one infecting you with the other is both weird and awful.
Let us show you what went down. Running an executable file posing as an installer for “VMC Media Player”, we were greeted by these prompts telling us we were going to be logged off—
—and this site opening in our default browser:
Since yolasite.com offers users the option to track visitors to their sub-domain, we suspect this site to be built to keep track of the people that installed the “software”. We have reported this site to Yola and are awaiting a reply.
This sequence of events is programmed in a simple batch file that opens the site and commands the computer to shut down in 5 minutes.
Once the victims log back on, they will be confronted with this fake BSOD screen:
The screen’s text rambles a lot about errors and Trojans and displays the phone-number they would like you to call. It also shows a seemingly unrelated prompt to “get the product key”, which we will discuss later on, and a button labeled “Microsoft Help” that opens the site www[dot]microsoft[dot]aios[dot]us.
Here you can download remote administration tools to get ”support” for a great variety of products. We have seen complaints about the people running this site and its predecessors for at least two years. The site shows a prompt that is a bit unclear about your options.
The listed options are YES to “Start Support Session” or NO to “Browse Support Site”, but the buttons are labeled OK and Cancel. I tested for you, and Cancel gets rid of the pop-up. And if you allow more pop-ups and click OK a few times, you will eventually get the option to download the legitimate remote administration tool TeamViewer.
And the second Tech Support Scam?
Ah yes, let’s circle back to the prompt that promised us a product key.
Click OK on that one, and you will see a download prompt for a file called license_key.exe.
[Update: August 9 Mediafire informed me they had removed the file]
If you run this file, you may get some déjà vu feelings as you will see the “Thank you” prompt to notify that you will be logged off and visit another Yola site, this time it’s thankyou1234[dot]yolasite[dot]com using the URL shortener lnk.direct. Statistics of the URL shortener showed it was created 06/29/2016 and had 1143 visitors over the past month.
The relatively good news about this repetition is that it will get rid of the fake BSOD for you because it alters the Winlogon Shell registry value yet again, only to replace it with another Tech Support Scammers lock screen however.
This time one that looks a lot like some of the earlier ones. A phone number and a form requesting “a product key”:
Only this time it looks like you are completely stuck without any option. The part of the form that you would expect to fill out and the “Cancel” button are both unresponsive, so most people will end up having to use Ctrl-Alt-Del to get out of this. The name of the running processes for both rounds is fatalerror(.exe).
We have dubbed the second one “Product Key” as that is the name of the folder it creates in Program Files (x86). But for the benefit of the Tech Support Scammers there is an “Easter egg” hidden in this screen. If you click anywhere in the 5th line (the one starting with the words “PRODUCT KEY”) you will go to this screen-
-where there is a choice of programs available that the Scammers can use to help you out of this predicament. Against a price of course.
Md5 of the VMC Media Player Setup.exe 47bb0a01ae8820b8664eda660aac312f
Md5 of the license_key.exe dff38f5dfdeff1e73debef355c4ac13e
Both are detected by Malwarebytes Anti-Malware. The VMC Media Player Setup.exe as Rogue.TechSupportScam.
And the license_key.exe as Ransom.LockScreen.
The domain aios[dot]us that hosts several Tech Support Scammer sites is blocked for users of Malwarebytes Anti-Malware Premium that have the Malicious Website Protection enabled.
In what must be an attempt to drive victims crazy enough to call one of their numbers, Tech Support Scammers replace one logon lock-screen with another.
Don’t forget to save yourself the hassle and get protected.