By Brenden Vaughan and Andrew Brandt
This week, our support and advanced malware removal (AMR) team did not have a lot of new data to report about rogue security products. The most commonly encountered infection continues to be one of the rogues we reported about last week.
While we may refer to it as XP Total Security, it actually chooses one of a series of names at random, based on the operating system on the victim’s computer. Last week’s post contains a more comprehensive list of these names. As previously reported, you can remove the rogue by scanning (with our product, not theirs) while the computer is in Safe Mode.
Its main executable has a random, three-character filename, and gets installed into a random, three-character folder inside the Application Data folder for the user who is currently logged on at the time of the infection. The rogue’s install location is:
%UserProfile%\Local Settings\Application Data\<random>\<random>.exe
AMR reported seeing another rogue called Antivirus IS. While this is the first time they have mentioned it, Brenden believes it is a bit older, and has been floating around since late last year. Its logo is a blue shield with a single red diagonal stripe; its tagline, “Innovative protection for your PC,” is utter nonsense.
It’s worth mentioning, as well, that there shouldn’t be any programs sitting directly in the Application Data folder itself. Legitimate programs usually create folders inside that directory, and maintain data files, logs, and other files they require inside of those folders. Technically speaking, there are two of these folders for a given user account.
To see what’s inside each of your Application Data folders, click the Start menu, select Run…, then type either of the following commands into the text field and hit the Enter key or the OK button. Each will take you to a different folder.
%appdata%
%UserProfile%\Local Settings\Application Data\
The directories should be full of other folders, and should not have any executable files in them, though there may be a few stray (harmless) data files or .ini files. Common legitimate three-character folder names include Sun (which contains files for Java) or vlc (used by the popular media player of the same name). There are probably many other legitimate three-letter folder names as well. Don’t delete anything from these locations unless you know what you’re doing.
Antivirus IS makes some system modifications that inhibit your ability to use the browser.
The rogue changes your DNS server settings, which permits the rogue’s operators to direct your computer to sites other than the ones you intend to visit. We were shocked, shocked to discover that the DNS servers it points to are in a range of IP addresses assigned to an ISP in Ukraine. It also sets a registry key that disables the Internet Explorer Phishing Filter, and other keys that permit the rogue to act as a local Web proxy on port 5643 of the infected machine, which serves to prevent the browser from visiting certain Web sites.
The following registry keys are some of the ones Antivirus IS created on a research testbed:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
NameServer=18.104.22.168,22.214.171.124
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter
Enabled=0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run
<random>=%UserProfile%\Local Settings\Application Data\<random>\<random>.exe
(<random>, in this case, is typically three alphabetic characters chosen at random.)
In the presence of some or all of the above registry settings, the following ones may also be considered harmful. If you manually remove the rogue and fail to remove these keys as well, your browser will not be able to surf the Web until you turn off the local proxy by setting ProxyEnable to 0 (zero):
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable=1
ProxyOverride=<local>
ProxyServer=127.0.0.1:5643
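As an added example (not code from the original post), here is a small Python checker that parses a .reg export of the keys listed above and reports which of the Antivirus IS indicators are present. The sample export, the profile path and the value name "qzx" are constructed for the demonstration; on a real machine you would feed it the output of regedit’s export of those keys.

```python
import re

# Constructed .reg export sample (regedit / "reg export" format) mirroring the post's keys; profile path is made up
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters]
"NameServer"="18.104.22.168,22.214.171.124"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter]
"Enabled"=dword:00000000
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"qzx"="C:\\Documents and Settings\\user\\Local Settings\\Application Data\\qzx\\qzx.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyOverride"="<local>"
"ProxyServer"="127.0.0.1:5643"
'''
# Random three-letter folder holding a random three-letter .exe, as the post describes
ROGUE_PATH = re.compile(r"Local Settings\\Application Data\\[A-Za-z]{3}\\[A-Za-z]{3}\.exe$", re.I)
HKCU = "hkey_current_user\\software\\microsoft\\"

def parse_reg(text):
    # Returns {key_path (lower-cased): {value_name: value}}; dword -> int, string -> str
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            if data.startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
            else:  # quoted string; .reg exports double every backslash
                keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys

def check_antivirus_is(keys):
    # Returns the post's indicators that are present in a parsed export
    hits = []
    for name, path in keys.get(HKCU + "windows\\currentversion\\run", {}).items():
        if isinstance(path, str) and ROGUE_PATH.search(path):
            hits.append("Run entry %r launches %s" % (name, path))
    if keys.get(HKCU + "internet explorer\\phishingfilter", {}).get("Enabled") == 0:
        hits.append("IE Phishing Filter disabled")
    inet = keys.get(HKCU + "windows\\currentversion\\internet settings", {})
    if inet.get("ProxyEnable") == 1 and inet.get("ProxyServer") == "127.0.0.1:5643":
        hits.append("local proxy 127.0.0.1:5643 enabled (browser hijack)")
    dns = keys.get("hkey_local_machine\\system\\currentcontrolset\\services\\tcpip\\parameters", {})
    if dns.get("NameServer"):
        hits.append("static DNS servers set: %s (verify they are your ISP's)" % dns["NameServer"])
    return hits
```

Running check_antivirus_is(parse_reg(SAMPLE_REG)) reports all four indicators and leaves the legitimate ctfmon.exe Run entry alone.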