ROTW: “Total Security” and Antivirus IS


By Brenden Vaughan and Andrew Brandt


This week, our support and advanced malware removal (AMR) team did not have a lot of new data to report about rogue security products. The most commonly encountered infection continues to be one of the rogues we reported about last week.

While we may refer to it as XP Total Security, it actually chooses one of a series of names at random, based on the operating system on the victim’s computer. Last week’s post contains a more comprehensive list of these names. As previously reported, you can remove the rogue by scanning (with our product, not theirs) while the computer is in Safe Mode.

Its main executable has a random, three-character filename, and gets installed into a random, three-character folder inside the Application Data folder for the user who is currently logged on at the time of the infection. The rogue’s install location is:

 %UserProfile%\Local Settings\Application Data\<random>\<random>.exe

AMR reported seeing another rogue called Antivirus IS. While this is the first time they have mentioned it, Brenden believes it is a bit older, and has been floating around since late last year. Its logo is a blue shield with a single red diagonal stripe; its tagline, “Innovative protection for your PC,” is utter nonsense.

It’s worth mentioning, as well, that there shouldn’t be any programs in the Application Data folder. Legitimate programs usually create folders inside that directory, and maintain data files, logs, and other files they require inside of those folders. Technically speaking, there are two of these folders for a given user account.

To see what’s inside each of your Application Data folders, click the Start menu, select Run…, then type either of the following commands into the text field and hit the Enter key or the OK button. Each will take you to a different folder.

%appdata%
%UserProfile%\Local Settings\Application Data

The directories should be full of other folders, and should not have any executable files in them, though there may be a few stray (harmless) data files or .ini files. Common legitimate three-character folder names include Sun (which contains files for Java) or vlc (used by the popular media player of the same name). There are probably many other legitimate three-letter folder names as well. Don’t delete anything from these locations unless you know what you’re doing.
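The folder check described above, written out as a script, is an added example and not code from the original post or from Webroot. It builds a throwaway sample tree (constructed, not a real capture) that contains the two things the post says should not be there, an executable sitting directly in the Application Data root and a three-letter folder holding a three-letter .exe, and reports both while leaving the legitimate Sun and vlc folders alone. The `APPDATA` and `LOCALAPPDATA` environment variables used when it is run for real are assumed to be the modern equivalents of the two Run… commands above.

```python
import os
import tempfile

# Extensions that should never appear directly under an Application Data root
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".dll"}
# Three-letter folder names the post lists as legitimate (Java, VLC)
KNOWN_THREE_LETTER = {"sun", "vlc"}


def audit_appdata(root):
    """Return a list of (path, reason) findings for one Application Data root.

    Two checks, matching the post's description:
      1. executable files sitting directly in the root (there should be none)
      2. a three-character folder containing a three-character .exe, the
         install pattern of the XP Total Security / Antivirus IS rogue
    """
    findings = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        _, ext = os.path.splitext(name)
        if os.path.isfile(path):
            if ext.lower() in EXECUTABLE_EXTS:
                findings.append((path, "executable directly in Application Data"))
            continue
        # A folder: apply the <random>\<random>.exe pattern check, skipping
        # three-letter names we know to be legitimate.
        if len(name) == 3 and name.isalpha() and name.lower() not in KNOWN_THREE_LETTER:
            for child in os.listdir(path):
                cstem, cext = os.path.splitext(child)
                if cext.lower() == ".exe" and len(cstem) == 3 and cstem.isalpha():
                    findings.append((os.path.join(path, child),
                                     "three-letter folder with three-letter .exe"))
    return findings


def build_sample_tree():
    """Constructed sample (not a real capture): a directory that mimics the
    Local Settings\\Application Data root of an infected XP profile."""
    root = tempfile.mkdtemp(prefix="appdata_sample_")
    # Legitimate content: folders with data files, plus a stray .ini file
    os.makedirs(os.path.join(root, "Sun", "Java"))
    os.makedirs(os.path.join(root, "vlc"))
    open(os.path.join(root, "vlc", "vlcrc"), "w").close()
    open(os.path.join(root, "settings.ini"), "w").close()
    # Rogue pattern: <random>\<random>.exe with made-up three-letter names
    os.makedirs(os.path.join(root, "qzt"))
    open(os.path.join(root, "qzt", "kxe.exe"), "w").close()
    # An executable dropped straight into the root
    open(os.path.join(root, "update.exe"), "w").close()
    return root


if __name__ == "__main__":
    # First the constructed sample, then (on Windows) the real roots.
    # APPDATA/LOCALAPPDATA are assumed to map to the two folders the post names.
    roots = [build_sample_tree()]
    roots += [os.environ[v] for v in ("APPDATA", "LOCALAPPDATA")
              if v in os.environ and os.path.isdir(os.environ[v])]
    for r in roots:
        print(f"== {r}")
        for path, reason in audit_appdata(r):
            print(f"  {reason}: {path}")
```

The script only reports; as the post says, nothing in these folders should be deleted without knowing what it is, so review each finding by hand.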

Antivirus IS

Antivirus IS makes some system modifications that inhibit your ability to use the browser.

The rogue changes your DNS server settings, which permits the rogue’s operators to direct your computer to sites other than the ones you intend to visit. We were shocked, shocked to discover that the DNS servers it points to are in a range of IP addresses assigned to an ISP in Ukraine. It also sets a registry key that disables the Internet Explorer Phishing Filter, and other keys that make the rogue the browser’s local Web proxy on port 5643 of the infected machine, which serves to prevent the browser from visiting certain Web sites.

The following registry keys are some of the ones Antivirus IS created on a research testbed:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
 NameServer=93.188.163.182,93.188.166.182

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter
 Enabled=0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 <random>=%UserProfile%\Local Settings\Application Data\<random>\<random>.exe

(<random>, in this case, is typically three alphabetic characters chosen at random.)

In the presence of some or all of the above registry settings, the following ones may also be considered harmful. If you manually remove the rogue and fail to remove these keys as well, your browser will not be able to surf the Web until you turn off the local proxy by setting ProxyEnable to 0 (zero):

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
 ProxyEnable=1
 ProxyOverride=<local>
 ProxyServer=127.0.0.1:5643
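To turn the registry values listed above into a check, here is an added example (not code from the original post or from Webroot) that parses a Regedit-style export and reports each indicator: a hard-coded NameServer outside a trusted list, the Phishing Filter turned off, a Run entry launching from Application Data, and the local proxy on 127.0.0.1. The export text is a constructed sample that reproduces the values from the post with made-up three-letter names; the `trusted_dns` list is an assumption you fill with your own resolvers.

```python
import re

# Registry keys from the post, lower-cased for case-insensitive matching
TCPIP = r"hkey_local_machine\system\currentcontrolset\services\tcpip\parameters"
PHISH = r"hkey_current_user\software\microsoft\internet explorer\phishingfilter"
RUN = r"hkey_current_user\software\microsoft\windows\currentversion\run"
INET = r"hkey_current_user\software\microsoft\windows\currentversion\internet settings"

# Constructed sample export: the values the post lists, with invented
# three-letter names standing in for <random>.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"NameServer"="93.188.163.182,93.188.166.182"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
"Enabled"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"kxe"="C:\\Documents and Settings\\user\\Local Settings\\Application Data\\qzt\\kxe.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyOverride"="<local>"
"ProxyServer"="127.0.0.1:5643"
"""


def parse_reg_export(text):
    """Parse the subset of .reg syntax Regedit exports use: [Key] headers,
    "name"="string" and "name"=dword:hex. Returns {key: {name: value}} with
    keys and value names lower-cased; dwords become ints, strings unescaped."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            reg.setdefault(current, {})
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if value.startswith("dword:"):
            reg[current][name] = int(value[6:], 16)
        elif value.startswith('"') and value.endswith('"'):
            reg[current][name] = value[1:-1].replace("\\\\", "\\")
        else:
            reg[current][name] = value  # other value types kept raw
    return reg


def find_indicators(reg, trusted_dns=frozenset()):
    """Return a list of human-readable findings for the Antivirus IS indicators."""
    findings = []
    # 1. DNS hijack: any NameServer entry not in the trusted list
    for ip in reg.get(TCPIP, {}).get("nameserver", "").split(","):
        ip = ip.strip()
        if ip and ip not in trusted_dns:
            findings.append(f"NameServer points at unexpected DNS server {ip}")
    # 2. IE Phishing Filter switched off
    if reg.get(PHISH, {}).get("enabled") == 0:
        findings.append("Internet Explorer Phishing Filter disabled (Enabled=0)")
    # 3. Autorun entry launching from Application Data
    for name, cmd in reg.get(RUN, {}).items():
        if isinstance(cmd, str) and "application data" in cmd.lower():
            findings.append(f"Run entry '{name}' starts a program from Application Data: {cmd}")
    # 4. Local proxy left enabled; the post's fix is ProxyEnable=0
    inet = reg.get(INET, {})
    if inet.get("proxyenable") == 1 and str(inet.get("proxyserver", "")).startswith("127.0.0.1:"):
        findings.append(f"Local Web proxy enabled at {inet['proxyserver']}; set ProxyEnable to 0 after removal")
    return findings


if __name__ == "__main__":
    for f in find_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print("-", f)
```

To run it against a real machine, export the four keys with Regedit (or `reg export`) and pass the file's contents to `parse_reg_export`; the proxy finding is the one that matters most after a manual removal, since leaving ProxyEnable at 1 with no proxy listening is what leaves the browser unable to reach anything.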

– Vaughan