Wednesday, January 18, 2012

Security Defender

Security Defender runs a bit differently than normal rogues: it drops its DLL files into several different folders and launches via rundll32.exe rather than through its own executable.

This rogue is contracted when the user is redirected to a website which runs a fake "malware scan". The scan always reports the user as "infected" and shows a popup window offering to "remove" the infections. A file download follows and, if the user runs it, the machine is infected with Security Defender.

The removal process is fairly simple: kill rundll32.exe and then run your favorite malware scanner (MalwareBytes' is mine).

Files

C:\Windows\System32\53D4813B-6A65-17DC-1AA7-DABF1A67D772.avi
C:\Windows\System32\53D4813B-6A65-17DC-1AA7-DABF1A67D772.ico
C:\Documents and Settings\<User Name Here>\Application Data\53D4813B-6A65-17DC-1AA7-DABF1A67D772.avi
C:\Documents and Settings\<User Name Here>\Application Data\53D4813B-6A65-17DC-1AA7-DABF1A67D772.ico
C:\Documents and Settings\<User Name Here>\Application Data\Security Defender\{55134541-8195-4710-C5AD-EF3E5B78ED6C}.pst
C:\Documents and Settings\<User Name Here>\Application Data\Security Defender\{DE4B19BB-A312-44B5-F8AF-B20C20C8DF0C}.pst
C:\Documents and Settings\<User Name Here>\Local Settings\Application Data\53D4813B-6A65-17DC-1AA7-DABF1A67D772.avi
C:\Documents and Settings\<User Name Here>\Local Settings\Application Data\53D4813B-6A65-17DC-1AA7-DABF1A67D772.ico
C:\Documents and Settings\All Users\Application Data\53D4813B-6A65-17DC-1AA7-DABF1A67D772.avi
C:\Documents and Settings\All Users\Application Data\53D4813B-6A65-17DC-1AA7-DABF1A67D772.ico
C:\Program Files\Security Defender\Security Defender.dll
C:\Program Files\Security Defender\Security Defender.ico
C:\Documents and Settings\<User Name Here>\Desktop\Security Defender.lnk
C:\Documents and Settings\<User Name Here>\Application Data\Microsoft\Internet Explorer\Quick Launch\Security Defender.lnk
C:\Documents and Settings\<User Name Here>\Start Menu\Programs\Startup\53D4813B-6A65-17DC-1AA7-DABF1A67D772.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\53D4813B-6A65-17DC-1AA7-DABF1A67D772.lnk

Notable Registry Keys

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

@53D4813B-6A65-17DC-1AA7-DABF1A67D772

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

@53D4813B-6A65-17DC-1AA7-DABF1A67D772
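
As an added example (not part of the original post, nor code from any tool it mentions), the following PowerShell script sweeps a host for the artifacts listed above in a read-only fashion: the files under each user profile and the machine-wide folders, the Run values whose name carries the GUID, and any rundll32.exe process whose command line references the Security Defender DLL. It assumes the Windows XP profile layout used in the post (C:\Documents and Settings) and assumes that the Run value data or the rundll32 command line mentions the DLL path or name, which the post implies but does not state. It reports findings only; removal is still the manual step described above.

```powershell
# Added example: read-only sweep for the Security Defender artifacts listed in the post.
# Assumption: Windows XP profile layout (C:\Documents and Settings), as in the post.

function Find-SecurityDefenderArtifacts {
    $Guid     = '53D4813B-6A65-17DC-1AA7-DABF1A67D772'
    $Profiles = 'C:\Documents and Settings'   # assumption: XP-style profile root
    $Hits     = @()

    # Machine-wide paths taken from the file list in the post
    $MachineWide = @(
        "C:\Windows\System32\$Guid.avi",
        "C:\Windows\System32\$Guid.ico",
        "C:\Program Files\Security Defender\Security Defender.dll",
        "C:\Program Files\Security Defender\Security Defender.ico"
    )

    # Per-profile relative paths from the post; "All Users" is just another profile
    # folder, so its Application Data and Startup entries are covered by the same loop.
    $PerProfile = @(
        "Application Data\$Guid.avi",
        "Application Data\$Guid.ico",
        "Application Data\Security Defender\{55134541-8195-4710-C5AD-EF3E5B78ED6C}.pst",
        "Application Data\Security Defender\{DE4B19BB-A312-44B5-F8AF-B20C20C8DF0C}.pst",
        "Local Settings\Application Data\$Guid.avi",
        "Local Settings\Application Data\$Guid.ico",
        "Desktop\Security Defender.lnk",
        "Application Data\Microsoft\Internet Explorer\Quick Launch\Security Defender.lnk",
        "Start Menu\Programs\Startup\$Guid.lnk"
    )

    # -LiteralPath so the braces in the .pst names are not parsed as wildcards
    foreach ($p in $MachineWide) {
        if (Test-Path -LiteralPath $p) { $Hits += "FILE: $p" }
    }
    if (Test-Path -LiteralPath $Profiles) {
        $ProfileDirs = Get-ChildItem -LiteralPath $Profiles | Where-Object { $_.PSIsContainer }
        foreach ($prof in $ProfileDirs) {
            foreach ($rel in $PerProfile) {
                $full = Join-Path $prof.FullName $rel
                if (Test-Path -LiteralPath $full) { $Hits += "FILE: $full" }
            }
        }
    }

    # Run keys named in the post; the value name starts with "@" followed by the GUID.
    $RunKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($k in $RunKeys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($props) {
            foreach ($v in $props.PSObject.Properties) {
                # Match on the GUID in the value name, or (assumption) the DLL name in the data
                if ($v.Name -like "*$Guid*" -or "$($v.Value)" -match 'Security Defender') {
                    $Hits += "REG: $k \ $($v.Name) = $($v.Value)"
                }
            }
        }
    }

    # rundll32.exe is the loader; flag instances whose command line references the DLL.
    # Assumption: the command line contains the DLL path or name.
    $Procs = Get-WmiObject -Class Win32_Process -Filter "Name='rundll32.exe'" -ErrorAction SilentlyContinue
    foreach ($proc in $Procs) {
        if ($proc.CommandLine -match 'Security Defender') {
            $Hits += "PROC: PID $($proc.ProcessId) $($proc.CommandLine)"
        }
    }

    return $Hits
}

$Found = Find-SecurityDefenderArtifacts
if ($Found) {
    $Found | ForEach-Object { Write-Output $_ }
} else {
    Write-Output 'No Security Defender artifacts found.'
}
```

Run it from an elevated prompt so the HKLM Run key and every profile folder are readable; it uses Get-WmiObject and PSIsContainer rather than newer cmdlet switches so it also works on the PowerShell versions that shipped with XP-era machines.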

VirusTotal:

Security Defender.dll VT: 2/42 (4.8%)
