MalwareDisasters is a division of MalwareIntelligence. It captures information about the behavior of malicious code during testing and offers the countermeasures needed to mitigate the malicious actions in question.

12.26.2009

Desktop Hijack by Internet Security 2010. Your System Is Infected!

The Desktop Hijack consists of "hijacking" the desktop background: the image is changed and its configuration is locked so that it cannot be restored. This is a clear indication that the system has been the victim of malicious code, a kind of rogue, also known as scareware.

Internet Security 2010 is a rogue that performs this activity. It is distributed through a crimeware kit called Siberia Exploit Pack. Below is a screenshot of the Desktop Hijack.

When this malware infects a system, it blocks the desktop background settings and installs itself in the Program Files folder. The threat targets English-language Windows installations, so users of Spanish versions are not affected. The following screenshot shows the rogue's interface.

At regular intervals it displays dissuasive warnings intended to generate "fear" in the user by alerting them to malicious activity from alleged infections. Some of the warnings are:

The goal is for the user, looking for a solution to the alleged infections, to end up buying the full version of the antivirus program. To do so, the user must go through a web form from which the "product" is requested; in some cases, real-time support is even offered.

This modus operandi is common among rogues, including a "purchase form" that in many cases is even served over https. Internet Security 2010 is marketed at a cost of nearly USD 50, so if its spread is assumed to be tied to a botnet, it is easy to estimate the amount of money criminals obtain from this type of activity.


Countermeasures
Terminate the processes winupdate86.exe and IS2010.exe (you may also find the process winlogon86.exe).
NOTE: The malware can disable conventional access to cmd, the registry and the Task Manager; to terminate the processes easily, we recommend using Process Explorer.

Then open the system registry and delete the following entries:
Under HKLM\Software\Microsoft\Windows\CurrentVersion\Run, delete the value Internet Security 2010.
Under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, delete the value winupdate86.exe.
Under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, change the Userinit value, which points to C:\WINDOWS\system32\winlogon86.exe, back to C:\WINDOWS\system32\userinit.exe.

Unregister the DLL winhelper86.dll.
NOTE: To do this, open Start/Run, type cmd, and run regsvr32 /u [dll name].

Delete the folder InternetSecurity2010 located in C:\Program Files, and the files 41.exe (this number may vary; files with other numeric names such as 5705.exe or 28145.exe have been found), winhelper86.dll, winlogon86.exe and winupdate86.exe found in C:\WINDOWS\system32\.

Also remove the shortcut named Internet Security 2010 on the Desktop and reboot the machine.

Install and run an updated antivirus.
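The removal steps above, collected into a single audit-and-cleanup script. This is an added example, not code from the MalwareDisasters team; it assumes an elevated PowerShell session on an English Windows install where %SystemRoot% and %ProgramFiles% resolve to the paths the post names, and it follows the post's order: processes first, then the Run entries and the Userinit value, then the DLL, files, folder and shortcut. Without -Remediate it only reports what it finds.

```powershell
# Audit/cleanup for the Internet Security 2010 indicators listed in the post.
# Added example, not the original post's code. Assumes an elevated session.
# Run with no arguments to report only; add -Remediate to apply the removal steps.
[CmdletBinding()]
param([switch]$Remediate)

$sys32    = Join-Path $env:SystemRoot 'System32'
$procs    = 'winupdate86', 'IS2010', 'winlogon86'      # process names without .exe
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runVals  = 'Internet Security 2010', 'winupdate86.exe'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$goodUserinit = Join-Path $sys32 'userinit.exe'        # value the post says to restore
$files    = 'winhelper86.dll', 'winlogon86.exe', 'winupdate86.exe' |
            ForEach-Object { Join-Path $sys32 $_ }
$folder   = Join-Path ${env:ProgramFiles} 'InternetSecurity2010'
$shortcut = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Internet Security 2010.lnk'

$findings = @()   # indicators handled automatically
$manual   = @()   # indicators that need a human decision

# 1. Running processes (the post recommends Process Explorer if Task Manager is blocked)
foreach ($p in Get-Process -Name $procs -ErrorAction SilentlyContinue) {
    $findings += "process $($p.ProcessName) (PID $($p.Id))"
    if ($Remediate) { Stop-Process -Id $p.Id -Force }
}

# 2. Autostart entries under the HKLM Run key
foreach ($v in $runVals) {
    if (Get-ItemProperty -Path $runKey -Name $v -ErrorAction SilentlyContinue) {
        $findings += "Run value '$v'"
        if ($Remediate) { Remove-ItemProperty -Path $runKey -Name $v }
    }
}

# 3. Userinit hijack: the rogue points the logon chain at winlogon86.exe
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
if ($userinit -and $userinit -match 'winlogon86\.exe') {
    $findings += "Userinit = $userinit"
    if ($Remediate) { Set-ItemProperty -Path $winlogon -Name Userinit -Value $goodUserinit }
}

# 4. Dropped DLL and executables, program folder, desktop shortcut
foreach ($f in $files + $folder + $shortcut) {
    if (Test-Path $f) {
        $findings += "file $f"
        if ($Remediate) {
            # unregister the helper DLL before removing it (regsvr32 /u, silent)
            if ($f -like '*winhelper86.dll') { & regsvr32.exe /u /s $f | Out-Null }
            Remove-Item -Path $f -Recurse -Force -ErrorAction SilentlyContinue
        }
    }
}

# 5. Numeric-named executables in System32 (41.exe, 5705.exe, ...) vary per infection,
#    so they are listed for manual review rather than deleted blindly.
Get-ChildItem -Path $sys32 -Filter '*.exe' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\d+\.exe$' } |
    ForEach-Object { $manual += $_.FullName }

$tag = if ($Remediate) { 'REMOVED' } else { 'FOUND' }
if ($findings.Count -eq 0 -and $manual.Count -eq 0) {
    'No Internet Security 2010 indicators found.'
} else {
    $findings | ForEach-Object { "[$tag] $_" }
    $manual   | ForEach-Object { "[REVIEW] numeric-named executable $_" }
    if ($Remediate) { 'Reboot the machine, then install and run an updated antivirus.' }
}
```

Run it once without -Remediate to confirm the indicators match what the post describes before letting it delete anything; the numeric-named executables are deliberately left to the operator, since the post only gives examples of the names seen.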

Malware Disasters Team