If you have read the blog post about Tech Support Scammers using the Winlogon Shell registry value, you know the basics about how this one works. And if you have also read the follow-up, you know that there are a lot of variants to this one. But one infecting you with the other is both weird and awful.

Let us show you what went down. Running an executable file posing as an installer for “VMC Media Player”, we were greeted by these prompts telling us we were going to be logged off—

warning1

warning3

—and this site opening in our default browser:

warning2

Since yolasite.com offers users the option to track visitors to their sub-domain, we suspect this site to be built to keep track of the people that installed the “software”. We have reported this site to Yola and are awaiting a reply.

This sequence of events is programmed in a simple batch file that opens the site and commands the computer to shut down in 5 minutes.

contentbat

Once the victims log back on, they will be confronted with this fake BSOD screen:

main

The screen’s text rambles a lot about errors and Trojans and displays the phone-number they would like you to call. It also shows a seemingly unrelated prompt to “get the product key”, which we will discuss later on, and a button labeled “Microsoft Help” that opens the site www[dot]microsoft[dot]aios[dot]us.

site

Here you can download remote administration tools to get ”support” for a great variety of products. We have seen complaints about the people running this site and its predecessors for at least two years. The site shows a prompt that is a bit unclear about your options.

choices

The listed options are YES to “Start Support Session” or NO to “Browse Support Site”, but the buttons are labeled OK and Cancel. I tested for you, and Cancel gets rid of the pop-up. And if you allow more pop-ups and click OK a few times, you will eventually get the option to download the legitimate remote administration tool TeamViewer.

And the second Tech Support Scam?

Ah yes, let’s circle back to the prompt that promised us a product key.

getthenext

Click OK on that one, and you will see a download prompt for a file called license_key.exe.

downloadfromrun

This file has been reported to Mediafire

[Update: August 9 Mediafire informed me they had removed the file]

If you run this file, you may get some déjà vu feelings as you will see the “Thank you” prompt to notify that you will be logged off and visit another Yola site, this time it’s thankyou1234[dot]yolasite[dot]com using the URL shortener lnk.direct. Statistics of the URL shortener showed it was created 06/29/2016 and had 1143 visitors over the past month.

visitors

The relatively good news about this repetition is that it will get rid of the fake BSOD for you because it alters the Winlogon Shell registry value yet again, only to replace it with another Tech Support Scammers lock screen however.

This time one that looks a lot like some of the earlier ones. A phone number and a form requesting “a product key”:

main

Only this time it looks like you are completely stuck without any option. The part of the form that you would expect to fill out and the “Cancel” button are both unresponsive, so most people will end up having to use Ctrl-Alt-Del to get out of this. The name of the running processes for both rounds is fatalerror(.exe).

We have dubbed the second one “Product Key” as that is the name of the folder it creates in Program Files (x86). But for the benefit of the Tech Support Scammers there is an “Easter egg” hidden in this screen. If you click anywhere in the 5th line (the one starting with the words “PRODUCT KEY”) you will go to this screen-

theretheyare

-where there is a choice of programs available that the Scammers can use to help you out of this predicament. Against a price of course.

File characteristics

Md5 of the VMC Media Player Setup.exe 47bb0a01ae8820b8664eda660aac312f

Md5 of the license_key.exe dff38f5dfdeff1e73debef355c4ac13e

Both are detected by Malwarebytes Anti-Malware. The VMC Media Player Setup.exe as Rogue.TechSupportScam.

protection1

And the license_key.exe as Ransom.LockScreen.

protection1

Removal guide for the VMC Media Player Tech Support Scam can be found on our forums: VMC Media Player TSS and Product Key.

The domain aios[dot]us that hosts several Tech Support Scammer sites is blocked for users of Malwarebytes Anti-Malware Premium that have the Malicious Website Protection enabled.

protection2

Summary

In what must be an attempt to drive victims crazy enough to call one of their numbers, Tech Support Scammers replace one logon lock-screen with another.

Don’t forget to save yourself the hassle and get protected.

Pieter Arntz