Monday 28 May 2012

Windows Defence Council virus. Make sure to remove it

1. Description

Windows Defence Council claims to be a real anti-malware tool, developed to assist in virus detection and removal. In fact, it is a rogue program that poses as something it is not. Its main aim is to take money from unwary users by pushing them into purchasing its non-existent commercial version.


2. Behavior inside the compromised system

This rogue anti-spyware can easily be picked up through drive-by downloads, trojans, or infected websites containing malicious scripts, but it is hard work to track it down on the contaminated system. Windows Defence Council pretends to scan the system for malicious objects. When the scan finishes, fake scan reports are displayed, claiming that numerous viruses, worms and Trojans have been found on the system. If the user tries to remove these threats, he or she is redirected to a site where the commercial version of this malware is offered.

3. Files

In the process of the installation, Windows Defence Council copies the following files to the hard disk.

  • %AppData%\NPSWF32.dll
  • %AppData%\Protector-[rnd].exe
  • %AppData%\result.db

4. System registry

Windows Defence Council creates the following registry entries:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Inspector %AppData%\Protector-[rnd].exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect 0
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Settings\ID 4
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Settings\UID [rnd]
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Settings\net [date of installation]
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorAdmin 0
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorUser 0
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA 0
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\Debugger svchost.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\Debugger svchost.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE\Debugger svchost.exe
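
A read-only check for the files and registry entries listed in sections 3 and 4, as an added example that is not part of the original post or of any removal tool. The Image File Execution Options check goes beyond the three executable names shown above and reports any entry whose Debugger points to svchost.exe; the variable names are the example's own.

```powershell
# Added example: read-only check for the indicators listed in sections 3 and 4.
# Run as the affected user (HKCU and %AppData% are per-user). Changes nothing.
$findings = @()

# Section 3: files dropped into the root of %AppData%
foreach ($pattern in 'NPSWF32.dll', 'Protector-*.exe', 'result.db') {
    foreach ($f in @(Get-ChildItem -Path $env:APPDATA -Filter $pattern -ErrorAction SilentlyContinue)) {
        $findings += "File: $($f.FullName)"
    }
}

# Section 4: autostart value "Inspector" under the per-user Run key
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Inspector']) {
    $findings += "Run\Inspector = $($run.Inspector)"
}

# Section 4: values the page lists as set to 0. An administrator may also set
# these on purpose, so treat a hit as something to review, not as proof.
$pol  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zeroChecks = @(
    @($pol, 'EnableLUA'), @($pol, 'ConsentPromptBehaviorAdmin'),
    @($pol, 'ConsentPromptBehaviorUser'), @($inet, 'WarnOnHTTPSToHTTPRedirect')
)
foreach ($c in $zeroChecks) {
    $key = Get-ItemProperty -Path $c[0] -ErrorAction SilentlyContinue
    if ($key -and $key.PSObject.Properties[$c[1]] -and $key.($c[1]) -eq 0) {
        $findings += "$($c[0])\$($c[1]) = 0"
    }
}

# Section 4: Image File Execution Options "Debugger" redirection. Launching the
# named executable starts the Debugger program instead, so the tool never runs.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($sub in @(Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue)) {
    $dbg = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg -match '(^|\\)svchost\.exe') {
        $findings += "IFEO: $($sub.PSChildName) -> Debugger = $dbg"
    }
}

if ($findings.Count) { $findings } else { 'No listed indicators found.' }
```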

Windows Defence Council automatic remover

