1.Description
Windows Advanced Security Centervirus - this type of malicious software is categorized as fake AV program.
2. Behavior inside the compromised system
When the scanning is successfully launched Windows Advanced Security Center generates fake scanning reports about numerous viruses, worms and trojans detected. If one tries to delete these threats, he/she will fail to do it, until he/she buys the commercial version of Windows Advanced Security Center
3. Files
- %AppData%\NPSWF32.dll
- %AppData%\Protector-[rnd].exe
- %AppData%\result.db
In the process of the installation, Windows Advanced Security Center copies the following files to the hard disk.
4. System registry
Windows Advanced Security Center creates the following registry entries:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Inspector %AppData%\Protector-[rnd].exe
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect 0
- HKCU\Software\Microsoft\Windows\CurrentVersion\Settings\ID 4
- HKCU\Software\Microsoft\Windows\CurrentVersion\Settings\UID [rnd]
- HKCU\Software\Microsoft\Windows\CurrentVersion\Settings\net [date of installation]
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorAdmin 0
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorUser 0
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA 0
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\Debugger svchost.exe
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\Debugger svchost.exe
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE\Debugger svchost.exe
No comments:
Post a Comment