[PIC 1] Fake Anti-Spyware name is "Data Protection".

 

It has same UI as [Spyware.FraudLoad.Do], and only product name and install path were changed.

[PIC 2] Fake Anti-Spyware UI

 

* Link to [Spyware.FraudLoad.Do] analysis *
http://www.hauri.net/security/virus_view.html?intSeq=1826&strPart=2&key=Spyware.FraudLoad.Do&cpage=1

It makes users to believe almost all normal executed programs are malicious codes and interrupts the normal programs execution. Therefore, malicious code detection/removal tool is restricted to use.

[PIC 3] Interrupting normal programs execution

Also, it shows fake warning windows like "KeyLogger detected on your PC" or "Network attack detected" periodically.

[PIC 4] A fake warning window of "KeyLogger detected on your PC"

[PIC 5] A fake warning window of "Network attack detected"

[PIC 6] Making users to feel nervous by ending Windows forcibly

[PIC 7] Fake detection result 

[PIC 8] Installation

[PIC 9] Inducing to purchase fake Anti-Spyware

[PIC 10] Fake attack detection warning by using cookie values

[PIC 11] Showing Windows Security Center pretended malicious code

[PIC 12] Fake file and URL link that created by malicious code

[PIC 13] Fake warning message

<Related URL>

[Spyware.FakeAV.Dr.389120] accessed URL and IP are like below:

hxxp://find*****.org/
hxxp://*****search.org/
hxxp://onlinegoleds.com/
62.122.***.***

220.90.***.***
 

<File>

[Spyware.FakeAV.Dr.389120] creates below files:

(Temp Folder)\kernel64xp.dll
(Temp Folder)\mscdexnt.exe
(Temp Folder)\topwesitjh
(Temp Folder)\wscsvc32.exe

<Registry>

[Spyware.FakeAV.Dr.389120] creates below registries:

HKLM\SOFTWARE\Program Groups
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAEOMPDRBQHX
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAEOMPDRBQHX\0000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAEOMPDRBQHX\0000\Control
HKLM\SYSTEM\ControlSet001\Services\ProtectedStorage
HKLM\SYSTEM\ControlSet001\Services\ProtectedStorage\Security
HKLM\SYSTEM\ControlSet001\Services\ProtectedStorage\Enum
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAEOMPDRBQHX
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAEOMPDRBQHX\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAEOMPDRBQHX\0000\Control
HKLM\SYSTEM\CurrentControlSet\Services\ProtectedStorage
HKLM\SYSTEM\CurrentControlSet\Services\ProtectedStorage\Security
HKLM\SYSTEM\CurrentControlSet\Services\ProtectedStorage\Enum
HKLM\SOFTWARE\f7c5da73-b4a5-4947-8f40-08f2871eb36b: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr: 0x00000001
HKLM\SOFTWARE\Program Groups\ConvertedToLinks: 0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\mscdexnt.exe: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mscdexnt.exe"

[How to repair]

1. If you are WinXP/ME users, please be inactivate System Recovery Function.
The reason why being inactivate of the system recovery is to clean the virus completely.
You can refer to MS technical documents(Q263455) for more details.

2. Update the engine module for the latest one.
To repair this virus, you need to update the engine for the latest one.

a. ViRobot products users
-Download the latest engine files via our website (www.hauri.net)

b. Non-ViRobot products users
- Use the LiveCall (Free Scan) via the website (http://www.livecall.co.kr)
- Use the trial version of ViRobot products (30days only)

3. How to scan the virus.

a. Run your ViRobot, and choose all files in scan option.
- ViRobot Desktop 5.x : [Tools] -> [Configuration] -> [Spyware/Adware Scan] : Check all files
- LiveCall (Free Scan) : [Advanced Scan] : Check

b. Repair all viruses detected.