Win32/Adware.SystemSecurity [Threat Name]

Win32/Adware.SystemSecurity.AL [Threat Variant Name]

Category adware,riskware
Size 589824 B
Detection created Jun 01, 2012
Detection database version 7187
Aliases Trojan-FakeAV.Win32.SmartFortress2012.wtx (Kaspersky)
  Rogue:Win32/Winwebsec (Microsoft)
Short description

Win32/Adware.SystemSecurity.AL is a rogue antivirus. The file is run-time compressed using PECompact.

Installation

When executed, the adware copies itself into the following location:

  • %commonappdata%\%variable%\%variable%.exe

A string with variable content is used instead of %variable%.


The adware creates the following file:

  • %commonappdata%\%variable%\%variable%.ico (9662 B)

In order to be executed on every system start, the adware sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    • "%variable%" = "%commonappdata%\%variable%\%variable%.exe"

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center]
    • "AntiVirusDisableNotify" = 1
    • "AntiVirusOverride" = 1
    • "FirewallDisableNotify" = 1
    • "FirewallOverride" = 1
    • "UpdatesDisableNotify" = 1
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\svc]
    • "AntiVirusDisableNotify" = 1
    • "AntiVirusOverride" = 1
    • "FirewallDisableNotify" = 1
    • "FirewallOverride" = 1
    • "UpdatesDisableNotify" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "HideSCAHealth" = 1
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\luafv]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    • "RPSessionInterval" = 0
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "EnableLUA" = 0
    • "ConsentPromptBehaviorAdmin" = 0
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender]
    • "DisableAntiSpyware" = 1

The following services are disabled:

  • AVG Security Toolbar Service
  • avgfws
  • AVGIDSAgent
  • avgwd
  • msmpsvc
  • windefend
  • wscsvc
  • wuauserv

The following programs are terminated:

  • wscntfy.exe
  • msascui.exe
  • mpcmdrun.exe
  • msmpeng.exe
  • nissrv.exe
  • msseces.exe
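The RunOnce entry, the registry values and the disabled services listed above are all readable from an administrative PowerShell prompt, so they can be turned into a read-only host audit. The script below is an added example written for this page; it is not ESET's tooling and not part of the original description. It assumes that %commonappdata% resolves to [Environment]::GetFolderPath('CommonApplicationData') and that the service names listed are the Name or DisplayName values Windows reports. A match is an indicator, not proof: an administrator can legitimately set EnableLUA to 0 or disable Windows Update, so findings need to be read together.

```powershell
# Added audit script (not ESET's code): reports the tampered registry states,
# disabled services and RunOnce persistence described for
# Win32/Adware.SystemSecurity.AL. Read-only; it changes nothing on the host.
# Run from an elevated prompt so HKLM and service state are fully readable.

$findings = @()

# Registry values as the adware sets them. A value in this state is reported.
$tampered = @(
    @{ Key = 'HKLM:\Software\Microsoft\Security Center';     Name = 'AntiVirusDisableNotify'; Value = 1 },
    @{ Key = 'HKLM:\Software\Microsoft\Security Center';     Name = 'AntiVirusOverride';      Value = 1 },
    @{ Key = 'HKLM:\Software\Microsoft\Security Center';     Name = 'FirewallDisableNotify';  Value = 1 },
    @{ Key = 'HKLM:\Software\Microsoft\Security Center';     Name = 'FirewallOverride';       Value = 1 },
    @{ Key = 'HKLM:\Software\Microsoft\Security Center';     Name = 'UpdatesDisableNotify';   Value = 1 },
    @{ Key = 'HKLM:\Software\Microsoft\Security Center\svc'; Name = 'AntiVirusDisableNotify'; Value = 1 },
    @{ Key = 'HKLM:\Software\Microsoft\Security Center\svc'; Name = 'AntiVirusOverride';      Value = 1 },
    @{ Key = 'HKLM:\Software\Microsoft\Security Center\svc'; Name = 'FirewallDisableNotify';  Value = 1 },
    @{ Key = 'HKLM:\Software\Microsoft\Security Center\svc'; Name = 'FirewallOverride';       Value = 1 },
    @{ Key = 'HKLM:\Software\Microsoft\Security Center\svc'; Name = 'UpdatesDisableNotify';   Value = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'HideSCAHealth'; Value = 1 },
    @{ Key = 'HKLM:\System\CurrentControlSet\Services\luafv'; Name = 'Start'; Value = 4 },
    @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore'; Name = 'RPSessionInterval'; Value = 0 },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA'; Value = 0 },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'ConsentPromptBehaviorAdmin'; Value = 0 },
    @{ Key = 'HKLM:\Software\Microsoft\Windows Defender'; Name = 'DisableAntiSpyware'; Value = 1 }
)

foreach ($t in $tampered) {
    # Missing keys or values are normal on a clean host, so errors are silenced.
    $item = Get-ItemProperty -Path $t.Key -Name $t.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.($t.Name) -eq $t.Value) {
        $findings += "Registry: $($t.Key)\$($t.Name) = $($t.Value)"
    }
}

# Services the description says are disabled. Win32_Service exposes StartMode,
# which works on PowerShell versions where Get-Service has no StartType.
$services = @('AVG Security Toolbar Service', 'avgfws', 'AVGIDSAgent', 'avgwd',
              'msmpsvc', 'windefend', 'wscsvc', 'wuauserv')
foreach ($s in $services) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$s' OR DisplayName='$s'" -ErrorAction SilentlyContinue
    if ($svc -and $svc.StartMode -eq 'Disabled') {
        $findings += "Service disabled: $($svc.Name) ($($svc.DisplayName))"
    }
}

# RunOnce persistence: any value whose data is an .exe one folder below
# %commonappdata%, the path shape given in the description.
$commonAppData = [Environment]::GetFolderPath('CommonApplicationData')
$runOnce = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce' -ErrorAction SilentlyContinue
if ($runOnce) {
    $providerNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($p in $runOnce.PSObject.Properties) {
        if ($providerNoise -contains $p.Name) { continue }   # registry provider metadata, not values
        $data = "$($p.Value)".Trim('"')
        if ($data -like "$commonAppData\*\*.exe") {
            $findings += "RunOnce: `"$($p.Name)`" -> $data"
            # The description pairs the .exe with a same-named .ico (9662 B) in the same folder.
            $ico = [IO.Path]::ChangeExtension($data, '.ico')
            if (Test-Path -LiteralPath $ico) {
                $findings += "Companion icon present: $ico ($((Get-Item -LiteralPath $ico).Length) B)"
            }
        }
    }
}

if ($findings.Count -eq 0) {
    'No indicators from the Win32/Adware.SystemSecurity.AL description found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

The registry checks use -ErrorAction SilentlyContinue on purpose: on a clean host most of the Policies and Security Center values simply do not exist, and an absent value is not a finding. Because several of the listed values (EnableLUA, luafv Start, the Security Center overrides) are also set by legitimate configuration, the script reports each match separately rather than returning a single verdict, so an analyst can weigh a lone EnableLUA=0 differently from the full set appearing together with a RunOnce entry under %commonappdata%.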

The adware quits immediately if it is run within a debugger.

Other information

Win32/Adware.SystemSecurity.AL is a rogue antivirus.

The adware displays fake warnings about threats detected on the compromised computer that need to be removed.

The problems/threats are fake.

Some examples follow.

The adware acquires data and commands from a remote computer or the Internet.

The adware contains a list of (8) URLs. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • terminate running processes

The adware hooks the following Windows APIs:

  • RtlLockHeap (ntdll.dll)
