Although five months have passed since System Security first appeared, it's still going strong. Yesterday it installed itself on my malware honeypot by exploiting a security hole.
Here's the FreeFixer log from the infected computer. If you are removing System Security, select the items marked in red:
FreeFixer v0.39 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 1
Log dated 2009-05-18 12:52

Registry Startups
HKLM\..\Run, PromoReg = C:\WINDOWS\Temp\wpv351242765100.exe
HKLM\..\Run, 17826874 = C:\Documents and Settings\All Users\Application Data\17826874\17826874.exe
HKLM\..\Run, 97836866 = C:\Documents and Settings\All Users\Application Data\97836866\97836866.exe
HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background

Processes (16 whitelisted)
C:\Program\Messenger\msmsgs.exe
C:\WINDOWS\Temp\wpv351242765100.exe
C:\Program\FreeFixer\freefixer.exe
C:\Documents and Settings\All Users\Application Data\97836866\97836866.exe

Services (34 whitelisted)
VSSlanmanserver, Volume Shadow Copy VSSlanmanserver, c:\windows\system32\advpackv.exe