By Tyler Moffitt

We see users on the internet getting infected with Rogue Security Malware all the time. In fact, it’s one of the most common and obvious types of infection we see. The Rogues lock down your computer and prevent you from opening any applications, so you’re forced to read their scam. Although they use various tactics and convincing GUIs to get onto your computer, they all share a common goal: to get your money.

Here are the top 5 rogues reported this year:

  • System Care Antivirus
  • Internet Security
  • Disk Antivirus Professional
  • System Doctor 2014
  • AVASoft professional antivirus

How do I get these Rogues?

The most common installs come from fake Adobe update installers and from malicious URLs linked behind pictures that look like this:

Once you click on images like this in the wild and receive the payload from the malicious URL, you’ve effectively given permission and installed the Rogue onto your computer.

How do they work?

  • They drop their randomly named executables in hidden folders. This example references System Care, but AppData or ProgramData are typically where they are dropped:
    C:\ProgramData\106F63937B0D2FCB0000106F532F3ADE\106F63937B0D2FCB0000106F532F3ADE.exe
    C:\Users\All Users\106F63937B0D2FCB0000106F532F3ADE\106F63937B0D2FCB0000106F532F3ADE.exe
    C:\Users\YourUserFolder\AppData\Roaming\106F63937B0D2FCB0000106F532F3ADE.exe
  • They add registry entries that launch the rogue as soon as your computer starts up:
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "106F63937B0D2FCB0000106F532F3ADE"="C:\ProgramData\106F63937B0D2FCB0000106F532F3ADE\106F63937B0D2FCB0000106F532F3ADE.exe"
  • They add registry entries so that their executable runs instead of any other executable you launch, and then report that program as an infection:
    [HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
    @="C:\ProgramData\106F63937B0D2FCB0000106F532F3ADE\106F63937B0D2FCB0000106F532F3ADE.exe"
  • The end goal is to get you to click “fix” and bring you to this page:

Don't give them your credit card information.
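As an added example (not code from the post or from Webroot), here is a small Python check that scans a .reg-style registry export for the two persistence tricks listed above: a Run/RunOnce entry launching a long hex-named executable out of ProgramData/AppData, and an exefile\shell\open\command default that no longer points at "%1" %*. The export below is constructed for the demonstration; the only identifier it reuses is the one quoted in the post.

```python
import re

# Constructed .reg-style export for illustration (not from a real machine); it reuses
# the random folder/file name quoted in the post and adds one benign Run entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"106F63937B0D2FCB0000106F532F3ADE"="C:\\ProgramData\\106F63937B0D2FCB0000106F532F3ADE\\106F63937B0D2FCB0000106F532F3ADE.exe"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="C:\\ProgramData\\106F63937B0D2FCB0000106F532F3ADE\\106F63937B0D2FCB0000106F532F3ADE.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"'''

# Long all-hex file name, as used by the System Care variant described above.
HEX_EXE = re.compile(r'\\[0-9a-f]{16,}\.exe$', re.I)
DROP_DIRS = ('\\programdata\\', '\\appdata\\', '\\all users\\')

def parse_reg(text):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif key and '=' in line:
            name, _, data = line.partition('=')
            if not (data.startswith('"') and data.endswith('"')):
                continue  # dword:/hex: values are not of interest here
            # '@' is the key's default value; undo .reg escaping of \\ and \"
            yield key, name.strip('"'), data[1:-1].replace('\\\\', '\\').replace('\\"', '"')

def suspicious_autorun(path):
    """Hex-named executable dropped under ProgramData/AppData, as the rogues do."""
    return bool(HEX_EXE.search(path)) and any(d in path.lower() for d in DROP_DIRS)

def find_rogue_indicators(reg_text):
    """Return (indicator, key, value_name, data) tuples for the two techniques."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        k = key.lower()
        if k.endswith(('\\currentversion\\run', '\\currentversion\\runonce')) and suspicious_autorun(data):
            findings.append(('autorun', key, name, data))
        # A healthy exefile handler is "%1" %*; anything else runs another binary for every .exe
        elif k.endswith('\\exefile\\shell\\open\\command') and name == '@' and not data.startswith('"%1"'):
            findings.append(('exefile_hijack', key, name, data))
    return findings
```

Running find_rogue_indicators(SAMPLE_REG) reports the RunOnce entry and the hijacked exefile handler while leaving the benign SecurityHealth entry alone.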

How do I remove these Rogues?

If you have Webroot already installed, then you shouldn’t need to do anything as the real time protection will block the known threat as soon as it is dropped onto your computer. If you don’t have Webroot installed yet (but wish to get it installed so you can remove these Rogues), then all you have to do is boot into Safe Mode with Networking and then install Webroot SecureAnywhere and it will detect them immediately.

New variants of these rogues come out constantly, so there are millions of unique signatures being dropped on computers every day. If you happen to come across a new zero-day signature that doesn’t yet have a determination, then you should know about Webroot’s ability to remediate infections without a database determination. All you have to do is open your console, click the “System Tools” tab and then click “start” under Control Active Processes. You’ll then be presented with the screen below, which shows all the active processes that are running:

Anything running under the “monitor” column should be scrutinized. If you find anything randomly generated, like a new System Care variant (see below), then set it to “block” and run a scan. Upon finishing the scan, Webroot will remove the file and roll back any changes made by the malware:
EXAMPLE: C:\ProgramData\106F63937B0D2FCB0000106F532F3ADE\106F63937B0D2FCB0000106F532F3ADE.exe

Webroot support is always more than happy to help with removal and questions regarding infections.

Tyler Moffitt

About the Author

Tyler Moffitt

Sr. Security Analyst

Tyler Moffitt is a Sr. Security Analyst who stays deeply immersed within the world of malware and antimalware. He is focused on improving the customer experience through his work directly with malware samples, creating antimalware intelligence, writing blogs, and testing in-house tools.