
Security Protection


First posted on 14 September 2011.
Source: SecurityHome

Aliases:

Security Protection is also known as Win32/FakeRean (other).

Explanation:

"Security Protection" is a brand of rogue malware detected as Rogue:Win32/FakeRean. It displays fake alerts for non-existent threats and prevents executable files from running on the computer.



Installation

Upon execution, "Security Protection" drops the file "defender.exe" in the %ApplicationData% directory and launches this file. This file is responsible for the rogue's main functionality of displaying a fake scanning interface and displaying false alerts on the infected computer.

It also creates the file "security defender.lnk" in the %Desktop% directory, a shortcut to "defender.exe" on the user's desktop:



"Security Protection" also makes the following registry modifications so that "defender.exe" is launched at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Security Protection"
With data: %ApplicationData%\defender.exe
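The persistence entry above is easy to triage from a registry export. As an added example (not part of the original write-up), the Python below parses a .reg export of the Run keys and flags an entry either by the value name "Security Protection" or by a defender.exe path under %ApplicationData% (AppData\Roaming on Vista and later, Application Data on XP). The sample export and the user name are constructed.

```python
import re

# Constructed sample .reg export from a hypothetical infected host (not from the write-up).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"Security Protection"="C:\\Users\\alice\\AppData\\Roaming\\defender.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"""

# Section headers for any hive's ...\CurrentVersion\Run key, and "name"="data" value lines.
RUN_KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+\\.*\\CurrentVersion\\Run)\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_run_keys(reg_text):
    """Return {key_path: {value_name: data}} for every ...\\CurrentVersion\\Run key in a .reg export."""
    result = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = RUN_KEY_RE.match(line)
            current = m.group(1) if m else None  # values under other keys are ignored
            if current is not None:
                result[current] = {}
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            # .reg exports escape quotes as \" and backslashes as \\; undo that before path checks
            result[current][m.group(1)] = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return result


def find_fakerean_persistence(reg_text):
    """Flag Run values matching the write-up's indicators: value name "Security Protection",
    or data pointing at defender.exe under the user's %ApplicationData% folder."""
    hits = []
    for key, values in parse_run_keys(reg_text).items():
        for name, data in values.items():
            path = data.lower().strip('"')
            in_appdata = "\\appdata\\roaming\\" in path or "\\application data\\" in path
            if name.lower() == "security protection" or (in_appdata and path.endswith("\\defender.exe")):
                hits.append((key, name, data))
    return hits
```

Run `find_fakerean_persistence()` over the output of `reg export` for HKCU on a suspect host; the benign OneDrive and SecurityHealth entries in the sample are not flagged.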



Payload

Displays fake alerts and fake scanning results

When launched, "Security Protection" displays a fake scanner interface such as the following:



It displays a warning to the user informing them they have a number of infections on the computer and that they must activate "Security Protection" before they can be removed:



A number of similar activation warnings are displayed if the user interacts with the scanner interface:





"Security Protection" also displays warning messages on the computer at random times, such as those below:





Terminates processes

When launched, "Security Protection" terminates any non-system-critical process that is running on the computer. Any subsequent executable that is launched by the user is also terminated by the rogue, which displays the following message falsely claiming that the program is infected with a worm:





Analysis by Amir Fouda

Last update 14 September 2011
