Author’s Note: We at Malwarebytes continue to do our part in educating our product users and constant blog readers about day-to-day online threats and how they can avoid falling prey to them. “PUP Friday”, our latest attempt at getting users acquainted with files they may need to watch out for in the Wild Web, offers an in-depth look at some interesting and quite notable potentially unwanted programs (PUPs). Expect to see this type of content pushed out twice a month at the end of a work week.
Tech Support scammers are notably looking for new methods to lure in new victims.
A bit like the WeatherWizard we looked at last week, we now want to show you the works of a PUP called “Free Youtube Downloader”. It was named that way by its authors and not because it is actually capable of downloading any YouTube videos.
Before we accuse any innocent bystanders, I’d like to point out that there are many software packages out there offered by that name and not all of them are malicious.
Free Youtube Downloader
The installer that we will discuss here puts these icons on your desktop and in your taskbar --Box.exe. Depending on which version you have it drops that file in its own folder –
%Windir%\Free Youtube Downloader\Free Youtube Downloader
but it has also been known to create another folder for it –
%Windir%\Book Source
*Note: %Windir% is an environment variable that stands for the location of your Windows folder. In most cases that will be C:\Windows.
Tech Support Scam
Once the file Free YouTube Downloader.exe is loaded in memory it will spawn one process with the same name which in turn will create a box.exe child process every few minutes.
Should you be curious enough to check out one of the links in that form (I’m guilty of that), your default browser will open a tab like this one:
GoToAssist is a legitimate application used for Remote Support. It gives the “Technician” full remote control over your computer, which in this case is NOT recommended.
If you click the Activate button in the “Activate Windows now” form you will be presented with another prompt telling you to call their number.
The installer is detected by Malwarebytes Anti-Malware as Rogue.TechSupportScam.Drop and the Box.exe file as Rogue.TechSupportScam.forums.
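For readers who want to hunt for the respawn behaviour described above in process-creation logs, here is an added example that is not part of the original post or any Malwarebytes tooling. The record field names, the thresholds for “every few minutes” and the sample records are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath  # Windows path rules, usable on any OS

# Names and folders taken from the article; folders are relative to %Windir%.
PARENT, CHILD = "free youtube downloader.exe", "box.exe"
DROP_DIRS = (r"Free Youtube Downloader\Free Youtube Downloader", "Book Source")

def in_drop_dir(image, windir=r"C:\Windows"):
    """True if the image sits directly in one of the article's drop folders."""
    folder = ntpath.normcase(ntpath.dirname(ntpath.normpath(image)))
    return any(folder == ntpath.normcase(ntpath.join(windir, d)) for d in DROP_DIRS)

def find_respawns(events, min_spawns=3, window=timedelta(minutes=30)):
    """Map parent PID -> details when PARENT started CHILD repeatedly.

    min_spawns and window are assumed thresholds for "every few minutes".
    """
    spawns = defaultdict(list)
    for ev in events:
        if (ntpath.basename(ev["image"]).lower() == CHILD
                and ntpath.basename(ev["parent_image"]).lower() == PARENT):
            spawns[ev["parent_pid"]].append(
                (datetime.fromisoformat(ev["time"]), ev["image"]))
    hits = {}
    for pid, seen in spawns.items():
        seen.sort()
        times = [t for t, _ in seen]
        # Flag if any run of min_spawns consecutive starts fits in the window.
        if any(times[i + min_spawns - 1] - times[i] <= window
               for i in range(len(times) - min_spawns + 1)):
            hits[pid] = {"spawns": len(times),
                         "known_folder": all(in_drop_dir(img) for _, img in seen)}
    return hits

def _ev(time, image, parent_image, parent_pid):
    return {"time": time, "image": image,
            "parent_image": parent_image, "parent_pid": parent_pid}

# Constructed sample records (not captured from a real machine).
_DL = r"C:\Windows\Free Youtube Downloader\Free Youtube Downloader"
SAMPLE_EVENTS = [
    _ev("2020-01-01T10:00:00", _DL + r"\Box.exe", _DL + r"\Free YouTube Downloader.exe", 4120),
    _ev("2020-01-01T10:04:00", _DL + r"\Box.exe", _DL + r"\Free YouTube Downloader.exe", 4120),
    _ev("2020-01-01T10:08:00", _DL + r"\Box.exe", _DL + r"\Free YouTube Downloader.exe", 4120),
    _ev("2020-01-01T10:09:00", r"C:\Tools\box.exe", r"C:\Windows\explorer.exe", 900),
]

if __name__ == "__main__":
    print(find_respawns(SAMPLE_EVENTS))
```

A hit with `known_folder` set to `True` matches both the parent/child pattern and the folders named above; a hit without it still deserves a look, since the post notes the drop location varies by version.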
We looked at another Tech Support Scam. This one uses a fake Windows Activation form to lure the user into calling their number.
Special thanks to @thisisudax for his help with this one.