Home / malware

PDF

Rogue:W32/SystemTool

First posted on 03 March 2011.
Source: SecurityHome

Aliases :

There are no other names known for Rogue:W32/SystemTool.

Explanation :

This detection identifies a malicious rogueware program, typically used to deceive users into purchasing a fake application.

Additional DetailsThis malware may also be detected by generic detections using the following naming format:

• gen.variant.kazy.[####]

Where [####] can be any number.

Activity

On execution, the malware hijacks the desktop and displays the wallpaper below:



It then displays a fake scanner program (System Tool) that displays bogus virus/trojan/spyware detections.



These actions are done to frighten the user into buying the fake application.

The malware also prevents execution of any other application. This disables applications like command prompt, regedit, Task Manager (including the keyboard shortcut Ctrl+Alt+Del), etc.

Installation

During installation, the malware adds the following files:

• %appdata%\[random]\[random].exe - (malware executable)
• %appdata%\[random]\[random] - (Data file)

Registry Changes

Launchpoint registry :

• HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  [random] = %appdata%\[random]\[random].exe

Last update 03 March 2011

 

TOP