1. Description
Windows Multi Control System belongs to the category of fake AV programs. It claims to be a genuinely helpful anti-virus program, but it is not what it claims to be.
2. Behavior inside the compromised system
Windows Advanced Security Center initiates a pseudo system scan for viruses and ends with invented scan reports claiming that numerous viruses, worms and trojans were detected. If the user tries to remove these threats, he/she will be redirected to a page where the commercial version of Windows Multi Control System is offered.
3. Files
During installation, Windows Multi Control System copies the following files to the hard disk:
- %AppData%\NPSWF32.dll
- %AppData%\Protector-[rnd].exe
- %AppData%\result.db
4. System registry
Windows Multi Control System creates the following registry entries:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Inspector %AppData%\Protector-[rnd].exe
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect 0
- HKCU\Software\Microsoft\Windows\CurrentVersion\Settings\ID 4
- HKCU\Software\Microsoft\Windows\CurrentVersion\Settings\UID [rnd]
- HKCU\Software\Microsoft\Windows\CurrentVersion\Settings\net [date of installation]
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorAdmin 0
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorUser 0
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA 0
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\Debugger svchost.exe
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\Debugger svchost.exe
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE\Debugger svchost.exe