Win32/Adware.SystemSecurity [Threat Name]
Win32/Adware.SystemSecurity.AL [Threat Variant Name]
Category: adware, riskware
Size: 589824 B
Aliases: Trojan-FakeAV.Win32.SmartFortress2012.wtx (Kaspersky), Rogue:Win32/Winwebsec (Microsoft)
Short description
Win32/Adware.SystemSecurity.AL is a rogue antivirus: fake security software that reports non-existent infections to pressure the user into paying for a "license". The file is run-time compressed using PECompact.
Installation
When executed, the adware copies itself into the following location:
- %commonappdata%\%variable%\%variable%.exe
A string with variable content is used instead of %variable%.
The adware creates the following file:
- %commonappdata%\%variable%\%variable%.ico (9662 B)
In order to be executed on every system start, the adware sets the following Registry entry (note that Windows deletes RunOnce values once they have been processed at logon, so a clean RunOnce key on its own does not mean the adware is gone):
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
- "%variable%" = "%commonappdata%\%variable%\%variable%.exe"
The following Registry entries are set. Together they suppress Security Center warnings about missing antivirus, firewall and updates, hide the Action Center health icon, disable the UAC file virtualization driver (luafv), turn off UAC prompting, and disable Windows Defender:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center]
- "AntiVirusDisableNotify" = 1
- "AntiVirusOverride" = 1
- "FirewallDisableNotify" = 1
- "FirewallOverride" = 1
- "UpdatesDisableNotify" = 1
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\svc]
- "AntiVirusDisableNotify" = 1
- "AntiVirusOverride" = 1
- "FirewallDisableNotify" = 1
- "FirewallOverride" = 1
- "UpdatesDisableNotify" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
- "HideSCAHealth" = 1
- [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\luafv]
- "Start" = 4
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore]
- "RPSessionInterval" = 0
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
- "EnableLUA" = 0
- "ConsentPromptBehaviorAdmin" = 0
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender]
- "DisableAntiSpyware" = 1
The following services are disabled:
- AVG Security Toolbar Service
- avgfws
- AVGIDSAgent
- avgwd
- msmpsvc
- windefend
- wscsvc
- wuauserv
The following programs are terminated:
- wscntfy.exe
- msascui.exe
- mpcmdrun.exe
- msmpeng.exe
- nissrv.exe
- msseces.exe
The adware quits immediately if it is run within a debugger.
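The indicators listed in this Installation section, turned into a host triage script. This is an added example written for this entry, not ESET's code or a tool the encyclopedia ships; the "clean" values it restores and the -Revert switch are its own assumptions, noted in the comments. Run it from an elevated PowerShell prompt.

```powershell
# Added triage script, not part of the ESET entry or any product. It audits the
# persistence and tampering indicators listed above on a live host and, with
# -Revert, restores the registry values whose stock defaults are well known.
# Assumptions: %commonappdata% is $env:ProgramData (Vista and later), and the
# "Good" values below are those of a stock install (ConsentPromptBehaviorAdmin=5
# is the Windows 7+ default; on Vista it was 2).
param([switch]$Revert)

$Findings = New-Object 'System.Collections.Generic.List[string]'
$ProviderMeta = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

# 1. Persistence: an HKCU RunOnce value pointing at %ProgramData%\<dir>\<name>.exe
#    with a sibling <name>.ico, the layout the adware drops.
$RunOnce = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$Pattern = '^' + [regex]::Escape($env:ProgramData) + '\\([^\\]+)\\([^\\]+)\.exe$'
if (Test-Path $RunOnce) {
    foreach ($p in (Get-ItemProperty -Path $RunOnce).PSObject.Properties) {
        if ($ProviderMeta -contains $p.Name) { continue }   # skip provider metadata
        $data = ([string]$p.Value).Trim('"')
        if ($data -match $Pattern) {
            $ico = Join-Path (Split-Path -Parent $data) ($Matches[2] + '.ico')
            $Findings.Add("RunOnce '$($p.Name)' -> $data (sibling .ico present: $(Test-Path $ico))")
            if ($Revert) { Remove-ItemProperty -Path $RunOnce -Name $p.Name }
        }
    }
}

# 2. Registry tampering. Bad = value the adware writes; Good = value to restore
#    ($null = delete the value). Entries without Good are reported only, because
#    their correct value depends on the host (RPSessionInterval).
$SC = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$Tamper = @()
foreach ($k in $SC, "$SC\svc") {
    foreach ($n in 'AntiVirusDisableNotify','AntiVirusOverride','FirewallDisableNotify',
                   'FirewallOverride','UpdatesDisableNotify') {
        $Tamper += @{ Key=$k; Name=$n; Bad=1; Good=0 }
    }
}
$Tamper += @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='HideSCAHealth'; Bad=1; Good=$null }
$Tamper += @{ Key='HKLM:\SYSTEM\CurrentControlSet\Services\luafv'; Name='Start'; Bad=4; Good=2 }
$Tamper += @{ Key='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'; Name='RPSessionInterval'; Bad=0 }
$Tamper += @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name='EnableLUA'; Bad=0; Good=1 }
$Tamper += @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name='ConsentPromptBehaviorAdmin'; Bad=0; Good=5 }
$Tamper += @{ Key='HKLM:\SOFTWARE\Microsoft\Windows Defender'; Name='DisableAntiSpyware'; Bad=1; Good=0 }

foreach ($t in $Tamper) {
    if (-not (Test-Path $t.Key)) { continue }
    $cur = (Get-ItemProperty -Path $t.Key -Name $t.Name -ErrorAction SilentlyContinue).($t.Name)
    if ($null -eq $cur -or [int]$cur -ne $t.Bad) { continue }
    $Findings.Add("$($t.Key)\$($t.Name) = $cur")
    if ($Revert -and $t.ContainsKey('Good')) {
        if ($null -eq $t.Good) { Remove-ItemProperty -Path $t.Key -Name $t.Name }
        else { Set-ItemProperty -Path $t.Key -Name $t.Name -Value $t.Good -Type DWord }
    }
}

# 3. Security services the adware sets to Start=4 (disabled). Only services that
#    exist on this host are checked; the right start type to restore depends on
#    the product, so this part reports only (e.g. sc config wscsvc start= auto).
foreach ($svc in 'wscsvc','windefend','wuauserv','msmpsvc','avgwd','avgfws','AVGIDSAgent') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (-not (Test-Path $key)) { continue }
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    if ($start -eq 4) { $Findings.Add("service $svc is disabled (Start=4)") }
}

# 4. Report.
if ($Findings.Count -eq 0) { Write-Output 'No Win32/Adware.SystemSecurity.AL indicators found.' }
else { $Findings | ForEach-Object { Write-Output "[!] $_" } }
if ($Revert -and $Findings.Count -gt 0) {
    Write-Output 'Registry values restored where a default is known; reboot for EnableLUA and luafv changes to apply.'
}
```

The script only removes the RunOnce persistence and resets registry values; the dropped %variable%.exe and .ico reported under the RunOnce finding still have to be deleted after the running process is terminated, and because the adware re-applies its settings while it runs, -Revert is only meaningful once the process is no longer active.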
Other information
Win32/Adware.SystemSecurity.AL is a rogue antivirus.
The adware displays fake warnings about threats detected on the compromised computer that need to be removed.
The problems/threats are fake.
Some examples follow (screenshots of the warnings, not reproduced here).
The adware acquires data and commands from a remote computer or the Internet.
The adware contains a list of 8 URLs and communicates with them over HTTP.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- terminate running processes
The adware hooks the following Windows APIs:
- RtlLockHeap (ntdll.dll)