Author’s Note: We at Malwarebytes continue to do our part in educating our product users and regular blog readers about day-to-day online threats and how they can avoid falling prey to them. “PUP Friday”, our latest attempt at getting users acquainted with files they may need to watch out for in the Wild Web, offers an in-depth look at some interesting and quite notable potentially unwanted programs (PUPs). Expect to see this type of content pushed out twice a month at the end of a work week.


Tech Support scammers are constantly looking for new methods to lure in new victims.

A bit like the WeatherWizard we looked at last week, we now want to show you the works of a PUP called “Free Youtube Downloader”. It was named that way by its authors, not because it is actually capable of downloading any YouTube videos.

Before we accuse any innocent bystanders, I’d like to point out that there are many software packages out there offered by that name and not all of them are malicious.

Free Youtube Downloader

The installer that we will discuss here puts these icons on your desktop and in your taskbar —

[Image: the icons placed on the desktop and in the taskbar]

and it creates an entry in your list of installed programs that looks like this:

[Image: the “Free Youtube Downloader” entry in the list of installed programs]

But without proper protection you will soon enough find out that you have downloaded and installed the wrong one. This one contacts the domain youtubedownloadernew[dot]com and downloads a file called Box.exe. Depending on which version you have, it drops that file in its own folder –

%Windir%\Free Youtube Downloader\Free Youtube Downloader

but it has also been known to create another folder for it –

%Windir%\Book Source

*Note: %Windir% is an environment variable that stands for the location of your Windows folder. In most cases that will be C:\Windows.

Tech Support Scam

Once the file Free YouTube Downloader.exe is loaded in memory, it will spawn one process with the same name, which in turn will create a Box.exe child process every few minutes.

[Image: process tree showing the Box.exe child processes]

And for every Box.exe that is running you will be shown one fake Windows Activation prompt.

[Image: the fake Windows Activation prompt]

The only way to close these is to kill the process that controls them. Almost needless to say, your system will become quite unresponsive once you have several of these open.
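As an added illustration (not part of the original post and not Malwarebytes’ own detection logic), the following Python sketch shows how the process pattern and drop folders described above could be checked against a process snapshot; the snapshot data, the threshold of three children and the function names are constructed assumptions.

```python
from collections import defaultdict

# Indicators taken from the write-up: the dropped payload name, the two drop
# folders under %Windir% and the parent process that spawns the payload.
PAYLOAD_NAME = "box.exe"
PARENT_NAME = "free youtube downloader.exe"
DROP_FOLDERS = (
    r"\free youtube downloader\free youtube downloader",
    r"\book source",
)
# Assumed threshold: the post says one Box.exe appears every few minutes, so
# several live copies under one parent is the pattern worth alerting on.
CHILD_THRESHOLD = 3


def suspicious_path(image_path):
    """True if the image is Box.exe inside one of the drop folders from the post."""
    lower = image_path.lower().replace("/", "\\")
    return lower.endswith(PAYLOAD_NAME) and any(f + "\\" in lower for f in DROP_FOLDERS)


def find_spawner(processes):
    """Return PIDs of downloader-named processes with >= CHILD_THRESHOLD Box.exe
    children. `processes` is a list of (pid, ppid, image_path) tuples."""
    name_of = {pid: path.lower().rsplit("\\", 1)[-1] for pid, _, path in processes}
    children = defaultdict(list)
    for pid, ppid, _ in processes:
        children[ppid].append(pid)
    hits = []
    for pid, kids in children.items():
        if name_of.get(pid) != PARENT_NAME:
            continue
        if sum(1 for k in kids if name_of.get(k) == PAYLOAD_NAME) >= CHILD_THRESHOLD:
            hits.append(pid)
    return sorted(hits)


# Constructed sample snapshot (not real telemetry): pid, ppid, image path.
SAMPLE = [
    (4, 0, r"C:\Windows\System32\svchost.exe"),
    (1200, 4, r"C:\Users\bob\Downloads\Free YouTube Downloader.exe"),  # installer
    (1300, 1200, r"C:\Windows\Free Youtube Downloader\Free YouTube Downloader.exe"),
    (1401, 1300, r"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"),
    (1402, 1300, r"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"),
    (1403, 1300, r"C:\Windows\Book Source\Box.exe"),
    (1500, 4, r"C:\Program Files\Real Tool\box.exe"),  # unrelated, same file name
]

if __name__ == "__main__":
    print("spawner PIDs:", find_spawner(SAMPLE))
    print("payloads in drop folders:", [p for _, _, p in SAMPLE if suspicious_path(p)])
```

The path check deliberately ignores a box.exe outside the two drop folders, since the file name alone is not a reliable indicator.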

Should you be curious enough to check out one of the links in that form (I’m guilty of that) your default browser will open a tab like this one:

[Image: the web page opened by the link in the fake activation form]

GoToAssist is a legitimate application used for Remote Support. It gives the “Technician” full remote control over your computer, which in this case is NOT recommended.

If you click the Activate button in the “Activate Windows now” form you will be presented with another prompt telling you to call their number.

[Image: the prompt telling the user to call their number]

Detection, Protection and Removal

The installer is detected by Malwarebytes Anti-Malware as Rogue.TechSupportScam.Drop and the Box.exe file as Rogue.TechSupportScam.

[Image: Malwarebytes Anti-Malware detections of the installer and Box.exe]

A full removal guide can be found on our forums.

Summary

We looked at another Tech Support Scam. This one uses a fake Windows Activation form to lure the user into calling their number.

Special thanks to @thisisudax for his help with this one.

Pieter Arntz