[Symptom of Infection]
[Adware.SystemSecurity.R.715338] is a rogue security program with hoax symptoms. It displays fake infection warnings and pressures the user into purchasing a fake repair. After infection, a fake warning message (the hoax symptom) is shown in the system tray, as below.
REMOVE ALL SPYWARE FROM YOUR PC! SECURE YOURSELF RIGHT NOW! ARE STILL THERE and could break your life! with all the images, and all the downloaded and maybe later removed movies or mp3 songs - Every site you or somebody or even something, like spyware, opened in your browsers, FOR YOUR BOSS, YOUR FRIENDS, YOUR WIFE, YOUR CHILDREN. YOUR DATA IS STILL AVAILABLE FOR FORENSICS. AND IN SOME CASES LOGGED. AND IT IS IMPOSSIBLE TO REMOVE THEM WITH STANDARD TOOLS. WHEN YOU VISIT SITES, SEND EMAILS... ALL YOUR ACTIONS ARE ALL YOU DO WITH COMPUTER IS STORED FOREVER IN YOUR HARD DISK. YOUR COMPUTER IS INFECTED WITH SPYWARE! YOUR'RE IN DANGER! WARNING!
[PIC 1] Fake warning message 1
[PIC 2] Fake warning message 2
[PIC 3] Fake warning message 3
[PIC 4] Fake warning message 4

[PIC 5] Fake warning message 5

Clicking the fake warning message opens a "PC Scan" progress window, but the scan reports non-existent files and registry entries as malicious code.
[PIC 6] Fake detection result 1

[PIC 7] Fake detection result 2

When the scan ends, it recommends "Active System Security" in order to induce the user to purchase a registration key ("Key input for Registration").
[PIC 8] Recommend Active System Security

[PIC 9] Activation progressing windows

[PIC 10] Request Key Input(Purchasing) for Registration

The infected PC's desktop is also modified, as shown in [PIC 11].
[PIC 11] Modified desktop (Fake infection warning message for threat)

After infection, it displays a fake blue screen resembling a Windows stop error every 30 minutes and then reboots the infected PC.
A problem has been detected and Windows has been shut down to prevent damage to your computer. The problem seems to be caused by the following file: NTFS.SYS PAGE_FAULT_IN_NONPAGED_AREA If this is the first time you've seen this stop error screen, restart your computer. If this screen apears again, follow these steps: Check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any windwos updates you might need. If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode. Technical information: *** STOP: 0x00000050 (0xFD3094C2,0x00000001,0xFBFE7617,0x00000000) *** NTFS.SYS - Address 0xFBFE7617 base at 0xFD3094C2, DateStamp 3d6abeff
[PIC 12] Fake blue screen by malicious code

After the PC reboots, it executes the file (My document)\All Users\Application Data\(random 8-digits folder)\(random 8-digits number).exe, which is registered under the [Registry]-[Run] key, and terminates all running processes except those in the list below.
wuauclt.exe, wscntfy.exe, winlogon.exe, wininit.exe, nvsvc.exe, lsm.exe, lsass.exe, iexplore.exe, system, svchost.exe, spoolsv.exe, smss.exe, slsvc.exe, services.exe, explorer.exe, ctfmon.exe, csrss.exe, alg.exe
*Related Malicious code* Hoax.Renos.715301
*Related URL* hxxp://www.on(...)support.net hxxp://www.su(...)ter.com
*File* [Adware.SystemSecurity.R.715338] creates the following file.
(My document)\All Users\Application Data\(random 8-digits number folder)\(random 8-digits number).exe
*Registry* [Adware.SystemSecurity.R.715338] creates the following registry entry.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name : (random 8-digits number)
Value : (My document)\All Users\Application Data\(random 8-digits number folder)\(random 8-digits number).exe
*Notation*
- "(All Users Account Folder)" may differ depending on user settings; it is generally "C:\Documents and Settings\(All Users Account)".
- "(Desktop Folder)" may differ depending on the OS; it is generally "C:\Documents and Settings\(User Account)\Desktop".
- "(Quick Launch Folder)" may differ depending on the OS (or user); it is generally "C:\Documents and Settings\(User Account)\Application Data\Microsoft\Internet Explorer\Quick Launch".
- "(Temp Folder)" may differ depending on the OS; it is generally "C:\Documents and Settings\(User Account)\Local Settings\Temp".
- "(Program Folder)" may differ depending on the OS; it is generally "C:\Program Files".
- "(Windows Folder)" may differ depending on the OS; it is generally "C:\Windows".
- "(System Folder)" may differ depending on the OS; it is generally "C:\Windows\System32".
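The persistence pattern above (an 8-digit value name under the HKLM Run key whose data points to an 8-digit folder and 8-digit .exe beneath Application Data) can be checked from an administrator's PowerShell session. The script below is an added example, not part of the original advisory or of ViRobot; the regular expression is an assumption built from the "(random 8-digits number)" placeholders in the text, and the constructed sample values at the end are not real indicators.

```powershell
# Added example: flag Run entries matching the Adware.SystemSecurity.R.715338
# persistence pattern described in the advisory. Regex is an assumption derived
# from the advisory's placeholders, not a signature shipped by any vendor.
function Test-SystemSecurityRunEntry {
    param(
        [Parameter(Mandatory)][string]$Name,   # registry value name
        [Parameter(Mandatory)][string]$Data    # registry value data (the command)
    )
    # Strip surrounding quotes so a quoted path still matches the pattern.
    $path = $Data.Trim('"')
    # <anything>\Application Data\<8 digits>\<8 digits>.exe  (-match is case-insensitive)
    $pathMatch = $path -match '\\Application Data\\(\d{8})\\(\d{8})\.exe$'
    # Capture groups immediately, before any later -match overwrites $Matches.
    $folder = if ($pathMatch) { $Matches[1] } else { $null }
    $exe    = if ($pathMatch) { $Matches[2] } else { $null }
    # The advisory says the value name itself is also an 8-digit number.
    $nameMatch = $Name -match '^\d{8}$'
    [pscustomobject]@{
        ValueName   = $Name
        Data        = $Data
        Suspicious  = $pathMatch          # path pattern alone is enough to flag
        NameIs8Dig  = $nameMatch          # supporting indicator, not required
        Folder      = $folder
        Executable  = $exe
    }
}

# Live check of the Run key named in the advisory (read-only; nothing is modified).
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $entries = Get-ItemProperty -Path $runKey
    foreach ($prop in $entries.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own PS* metadata
        $r = Test-SystemSecurityRunEntry -Name $prop.Name -Data ([string]$prop.Value)
        if ($r.Suspicious) { $r }
    }
}

# Constructed sample values (not real indicators) showing one hit and one benign miss:
Test-SystemSecurityRunEntry -Name '12345678' `
    -Data 'C:\Documents and Settings\All Users\Application Data\12345678\12345678.exe' |
    Select-Object ValueName, Suspicious, NameIs8Dig, Folder, Executable
Test-SystemSecurityRunEntry -Name 'ctfmon.exe' -Data 'C:\Windows\System32\ctfmon.exe' |
    Select-Object ValueName, Suspicious
```

A matching entry should be confirmed against the file on disk before removal; on systems newer than Windows XP the All Users profile lives under ProgramData rather than Application Data, so the path pattern would need adjusting there.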
[How to repair]
1. If you use Windows XP or Windows ME, first disable the System Restore function. This is necessary so that the virus can be cleaned completely. See Microsoft technical document Q263455 for details.
2. Update the engine module to the latest version. The latest engine is required to repair this virus.
a. ViRobot product users - Download the latest engine files from our website (www.hauri.net).
b. Non-ViRobot product users - Use LiveCall (Free Scan) via the website (http://www.livecall.co.kr), or use the trial version of a ViRobot product (30 days only).
3. How to scan for the virus.
a. Run ViRobot and select "all files" in the scan options. - ViRobot Desktop 5.x : [Tools] -> [Configuration] -> [Spyware/Adware Scan] : Check all files - LiveCall (Free Scan) : [Advanced Scan] : Check
b. Repair all viruses detected.