
NavaShield

From Malware Wiki
[Image: Navashield gui.jpg]
Type: Rogue Antivirus, Nagware
Creator: Nava Labs
Date: January 30th, 2010
Origin: British Virgin Islands (?)
Compiler/Language: MSVC 2008/10
Platform: Microsoft Windows
File Type: Win32 PE executable (.EXE)
Alias(es): Riskware/NavaShield (Fortinet), x86RunHoudini (internal name)
MD5: 1F13396FA59D38EBE76CCC587CCB11BB
SHA-1: 867adb3076c0d335b9bfa64594ef37a7e2c951ff
SHA-256: 83ecb875f87150a88f4c3d496eb3cb5388cd8bafdff4879884ececdbd1896e1d
SSDEEP: 196608:CtbTP1ErBwMQjd1YTHdmpCP2PVgP/acIE/xQ0zyZejVk+YzbRdTZ:C1E1+dYx6OP9hdyZwV4zd
Authentihash: f0643e0bc8d5c884fa8216126fa7f91527db98950c72066cf1d4527618788fcc
IMPhash: c9adc83b45e363b21cd6b11b5da0501f

NavaShield is a rogue antivirus program for Microsoft Windows that tricks unsuspecting users into downloading it; it is in fact malware and nagware. The program began as a project in 2007 but was first discovered in 2010, when it advertised itself with the slogan "award-winning computer protection". It was popularized by the YouTubers danooct1 and rogueamp. Its alerts contain grammatical errors, which is one clue that it is a rogue antivirus.

The logo is a blue shield with a chrome-like border and an 'N' centered in it.

Its aggressive behavior in simulating an infection has made it notorious, and something of a meme in the computer security community.

As of 2013 its servers have been permanently shut down, so any registration key entered in its download window is useless.<ref>http://www.youtube.com/watch?v=AzBeBGbGxQ4</ref> NavaShield was possibly linked to WarezRaid, a forum specializing in pirated content and media that was shut down in 2011, as the NavaShield website shared the same host. This might explain the software's more bizarre (if not satirical) properties.

Payload

It had its own website, Navashield (dot) com. The site looked as user-friendly as any legitimate antivirus website, so ordinary Windows users may have taken it for a real product. The design of the software itself made it seem more reputable.

The rogue does nothing until one week has passed, when it begins nagging the user to buy the "full" version: it displays an ad encouraging the purchase and plays a clock-ticking sound in the background. After several more weeks on the system it attempts to simulate an actual malware infection to pressure the user into purchasing the fake program, starting by playing the sound of a group of men laughing over and over. If one of Microsoft's Text-To-Speech voices is installed (usually Microsoft Sam), NavaShield uses it to talk at the user or say nonsensical things, such as "I am a Robot from outer space." or "I love you!", or even to swear at the user. It also redirects the browser to adult content sites when the user goes online, and may open Match (dot) com or Casino (dot) com. It opens the mail client with a non-existent recipient address, "beb@sexsex". The icons in the system tray also start changing in size. Finally, a second, higher-pitched laugh starts to play. It also blocks Task Manager to stop the user from terminating it.

Another variant of NavaShield fakes a malware infection by displaying an inescapable message box reading "Disk drive C:\ is being deleted" that slowly grows while the Internet Explorer information bar sound plays repeatedly. Eventually it consumes the entire screen, then flashes to the user's desktop wallpaper with no icons, taskbar, or other elements. Some minutes after a reboot the screen returns to normal.

Removal

  • Download Malwarebytes and run a scan to remove the rogue antivirus.
  • Remove any remaining files that the scan did not detect.
  • Delete the malicious registry entries left by the malware.
  • Should there be any further issues, download another cleaner such as HitmanPro and scan again. Upload any remaining suspicious files with VirusTotal Uploader and check the results.

References

<references />