When analyzing malware, it is not uncommon to stumble across interesting situations. Recently, I have been analyzing a variant of a FakeAlert BHO. This threat isn’t notable; it displays “alert” pop-ups when correctly installed, and prompts users to download a fake anti-spyware product.

However, when analyzing it, I noticed that this BHO was trying to access a file named “f***youspilberg.bat” located in the root folder of my research machine. Of course, with such a name, I immediately got interested and started to dig deeper to see what was going on.

After removing the inevitable compression layer, I was quickly able to locate the file access operation inside the FakeAlert’s code; specifically, it resides inside the DllRegisterServer export function, which is used to initialize BHOs.

Figure: Locating the access to the f***youspilberg.bat file

After analyzing the code, I saw that the routine which contains the file access operation will perform checks on the existence of this file and the file creation date, returning TRUE if the checks are OK or FALSE otherwise. This again increased my curiosity. :)

So, I resumed analyzing the code that follows the invocation of the routine which performs the check on the f***youspilberg.bat file:

Figure: If the file checks are successful, we'll skip the next basic block

We can see now that if the checks on the file are successful, the next block of code will be bypassed. What is that block of code? Why do we want to bypass it? After looking further, I found that the block just checks for the presence of VMware. If VMware is detected, no other operation occurs and the FakeAlert silently exits.

Gluing this all together, our code becomes:

Figure: Now everything is clear!

Now we have all the pieces. If the f***youspilberg.bat file is found, then the anti-VMware check is skipped. Otherwise, we need to verify that we are not running inside a VMware box. The VMware check is performed to prevent analysis in a safe environment, but why bypass such a check if the f***youspilberg.bat is present?

We can only guess. It is probable that the authors of this FakeAlert needed to test their creation, and they have probably decided to use VMware for their testing. By placing f***youspilberg.bat in the root of their VMware image, they could do the testing without being caught by their protection mechanism.
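To make the gate concrete, here is an added reconstruction in Python of the decision flow described above; it is not code from the post or from the sample. Assumed: the marker name and location (a temp file stands in for the root-folder .bat), the creation-date criterion (modelled as an accepted time window, since the post only says the date is checked), and the VMware check, which is a caller-supplied predicate rather than any detection technique.

```python
import os
import tempfile
import time
from dataclasses import dataclass


@dataclass
class Outcome:
    marker_ok: bool      # did the file-check routine return TRUE?
    vm_check_run: bool   # was the anti-VMware block reached?
    proceed: bool        # does the BHO carry on, or silently exit?


def marker_check(marker_path, not_before, not_after):
    """Reconstruction of the file-check routine: TRUE only if the marker
    exists and its creation time falls inside [not_before, not_after].
    ASSUMPTION: the post says the creation date is checked but not how,
    so an acceptance window stands in for the real comparison."""
    if not os.path.isfile(marker_path):
        return False
    st = os.stat(marker_path)
    # st_birthtime exists on BSD/macOS; on Windows st_ctime is the creation
    # time; on Linux st_ctime is inode-change time (closest available value).
    created = getattr(st, "st_birthtime", st.st_ctime)
    return not_before <= created <= not_after


def registration_gate(marker_path, vm_detected, not_before=0.0, not_after=None):
    """Flow from DllRegisterServer as described in the post: a passing marker
    check skips the anti-VMware block; otherwise the VMware result decides
    whether the BHO proceeds or exits. vm_detected is supplied by the caller."""
    if not_after is None:
        not_after = time.time() + 1.0
    if marker_check(marker_path, not_before, not_after):
        return Outcome(True, False, True)
    if vm_detected():
        return Outcome(False, True, False)
    return Outcome(False, True, True)


def demo():
    """Same sample, same (simulated) VMware host, with and without the marker."""
    with tempfile.TemporaryDirectory() as d:
        marker = os.path.join(d, "marker.bat")  # hypothetical stand-in name
        inside_vm = lambda: True                 # constructed: pretend VMware is present
        without_marker = registration_gate(marker, inside_vm)
        open(marker, "w").close()                # analyst plants the marker
        with_marker = registration_gate(marker, inside_vm)
        return without_marker, with_marker
```

Running demo() shows the sample exiting on the simulated VMware host until the marker is planted, after which the anti-VMware block is never reached.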

But the real question is, what did “Mr. Spilberg” do to the authors of this malware to arouse such antagonism? Maybe they don’t like the return of Indiana Jones? Or are they scared of E.T.? :D