
Security Guard 2012


First posted on 08 November 2011.
Source: SecurityHome

Aliases:

Security Guard 2012 is also known as Rogue:Win32/FakeScanti (other), Win32/FakeScanti (other).

Explanation:

Security Guard 2012 is a variant of Win32/FakeScanti - a family of trojans that claim to scan for malware and display fake warnings of "malicious programs and viruses". It then informs the user that they need to pay money to register the software in order to remove these non-existent threats. The malware may also attempt to terminate processes and block access to websites.





Installation

Security Guard 2012 copies itself to <system folder>\<eight or more random alphanumeric characters>.exe (for example, E0qaxGNpRBoE8E7.exe).

Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

The trojan drops the following files:

  • %AppData%\ldr.ini
  • %AppData%\<eight or more random alphanumeric characters>Security Guard 2012.ico (for example, %AppData%\J7ikWC6jA5hPtOrSecurity Guard 2012.ico)
  • %ProgramFiles%\Security Guard 2012\Security Guard 2012.lnk
  • <Desktop folder>\Security Guard 2012.lnk


Note: <Desktop folder> refers to a variable location that is determined by the malware by querying the Operating System. The default location for the 'Desktop' folder for Windows Vista and 7 is '%HOMEPATH%\Desktop'.

The fake scanner may be downloaded from a location such as any of those listed in the Payload section, saved to the %TEMP% directory, then launched.

Security Guard 2012 makes the following changes to the registry to ensure that its copy is executed at each Windows start:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: <eight or more random alphanumeric characters> (for example, VvUJ1sY0aTNp8234A)
With data: <path name of malware> (for example, <system folder>\E0qaxGNpRBoE8E7.exe)
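As an added example (not part of the original write-up), the following Python helper applies the installation indicators above to constructed sample data: a Run-key value whose name is eight or more random alphanumerics pointing at a similarly named .exe in the System folder, together with the dropped ldr.ini, .ico and .lnk files. The sample registry entries and file paths are constructed for illustration, not captured from a real host.

```python
import re

# Naming pattern described for this family: eight or more alphanumerics.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{8,}$")
# Default System folder locations given in the write-up (2000/NT and XP/Vista/7).
SYSTEM_FOLDERS = (r"c:\windows\system32", r"c:\winnt\system32")
ICO_SUFFIX = "security guard 2012.ico"

# Constructed sample Run-key entries as (value name, data); not from a real host.
SAMPLE_RUN_ENTRIES = [
    ("ExampleAVTray", r"C:\Program Files\ExampleAV\tray.exe"),     # benign, constructed
    ("VvUJ1sY0aTNp8234A", r"C:\Windows\System32\E0qaxGNpRBoE8E7.exe"),
    ("ctfmon", r"C:\Windows\System32\ctfmon.exe"),                  # short name, not random
]
# Constructed sample file paths under a user profile; not from a real host.
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\ldr.ini",
    r"C:\Users\alice\AppData\Roaming\J7ikWC6jA5hPtOrSecurity Guard 2012.ico",
    r"C:\Users\alice\Desktop\Security Guard 2012.lnk",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Themes\Custom.theme",
]

def suspicious_run_entries(entries):
    """Return Run entries where BOTH the value name and the target file name are
    random-looking alphanumerics and the target lives in the System folder."""
    hits = []
    for name, data in entries:
        folder, _, exe = data.strip('"').rpartition("\\")
        if (RANDOM_NAME.match(name) and folder.lower() in SYSTEM_FOLDERS
                and exe.lower().endswith(".exe") and RANDOM_NAME.match(exe[:-4])):
            hits.append((name, data))
    return hits

def dropped_file_indicators(paths):
    """Flag the dropped files listed in the write-up: ldr.ini under AppData,
    '<random>Security Guard 2012.ico' and the 'Security Guard 2012.lnk' shortcuts."""
    hits = []
    for p in paths:
        low = p.lower()
        base = low.rsplit("\\", 1)[-1]
        if base == "ldr.ini" and "\\appdata\\" in low:
            hits.append(p)
        elif base.endswith(ICO_SUFFIX) and RANDOM_NAME.match(base[:-len(ICO_SUFFIX)]):
            hits.append(p)
        elif base == "security guard 2012.lnk":
            hits.append(p)
    return hits

def triage(entries, paths):
    """Combine both checks; a random-looking Run entry alone is too noisy to act on."""
    run_hits, file_hits = suspicious_run_entries(entries), dropped_file_indicators(paths)
    return {"run_entries": run_hits, "dropped_files": file_hits,
            "likely_infected": bool(run_hits) and bool(file_hits)}
```

On a live host the same functions can be fed the output of `Get-ItemProperty` on the Run key and a listing of the profile folders; the combined verdict, not the name heuristic alone, is what should drive a response.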



Payload

Downloads and executes arbitrary files

This trojan may connect to websites such as the following:



It may download other files. The downloaded file is saved as a file in the Windows Temporary Files folder with a random file name.

The malware may also report the computer's details, such as operating system version and antivirus product to a remote server.

Terminates processes

This trojan monitors running processes and attempts to terminate any process unless its file name contains one of the following substrings:

  • *.tmp
  • csrss.exe
  • DllHost.exe
  • IEUser.exe
  • iexplore.exe
  • mst.exe
  • SearchProtocolHost.exe
  • server.exe
  • spooler.exe
  • un_inst.exe
  • winlogon.exe


It displays a system tray popup similar to the following:



Note that the downloaded malware is not terminated, as its file name has a .tmp extension.

Terminates and/or uninstalls security software

It may attempt to terminate and/or uninstall security software from the following companies:

  • Microsoft (Windows Defender and Security Essentials)
  • Norton
  • Avira
  • AVG
  • ESET
  • DrWeb
  • Kaspersky
  • Bitdefender
  • McAfee


Displays fake antivirus scanner

When run, the trojan performs a fake scan of the system, and falsely claims that a number of files in the computer are infected with malware. Should users request that it clean the reported infections, it advises them that they need to pay money to register the program and perform the cleaning process.



It displays various windows, system tray pop-ups, and error messages in an attempt to convince the user that their system is infected, and that they should pay to register the fake software. In some cases it greys out the background in an attempt to simulate a UAC message.


It may also simulate a system crash by displaying error messages such as the following:



Restarts the computer

This trojan occasionally restarts the computer. This may be an attempt to convince the user that the computer is infected with malware.

Blocks access to websites

This trojan may display the following error message in Internet Explorer and randomly block access to websites that the user is attempting to visit. This dialog is displayed to convince the user that the site they are visiting is malicious and that they need to take a recommended action of the attacker's choice in order to be protected:


Additional information

In the wild, we have observed that computers infected with Security Guard 2012 are also often affected by Backdoor:Win32/Cycbot.B.



Analysis by David Wood

Last update 08 November 2011
