A weather app with a twist

Recently, a weather app caught our attention by doing something far worse than predicting rain all the time. It installed all the ingredients for a false Blue Screen Of Death (BSOD) with a number to call for assistance.

[Image: WeatherWizard]

As the app bears the same name as a comic book “super villain”, that might have been a warning that something was up with this one. But in a bundle you come across the most useless of apps, as we have told our regular readers many times, so why not a weather app? The app itself does not do much more than give you the weather for a certain US ZIP code. You type in the ZIP code and it tells you what you are missing.

[Image: WeatherLaJolla]

The Tech Support Scam

But what it does in the background is more worthy of the super villain reference. A batch file called sc.bat sets up two Scheduled Tasks.

[Image: the sc.bat batch file]

This seems to indicate they are in it for the long haul, as those Scheduled Tasks are set to be executed on every 1st of December after the install date. You don’t see that kind of patience often in this line of business.

So you will understand that I just had to trigger them to find out what they do. SysInfo.exe was unresponsive on my system, but amdave64Win.exe certainly did not disappoint me as it opened a series of command prompts and did a grand finale ending at this:

[Screenshot: the fake BSOD with a number to call]

Calling that number will probably result in someone explaining to you how to use Ctrl-Alt-Del to get to Task Manager and start a new process called explorer.exe to regain control over your machine, after charging you a considerable fee, no doubt.

Although we have seen many examples of scare tactics using BSOD screens [1], [2], [3], [4], using a seemingly harmless weather app and then waiting for a considerable period of time is a bold new tactic we haven’t seen before.

Detection and protection

Malwarebytes Anti-Malware detects WeatherWizard as PUP.Optional.WeatherWizard and the components of the Tech Support Scam as Rogue.TechSupportScam. A removal guide with more details can be found at our forums.

Summary

We looked at a simple weather app that turned out to have a twist: it installs a fake BSOD inviting users to call a Tech Support Scam number.

Pieter Arntz

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.