|Detected||Aug 25 2010 12:13 GMT|
|Released||Aug 25 2010 23:20 GMT|
|Published||Mar 23 2011 12:06 GMT|
This Trojan simulates an antivirus program to get compensated by the user for the detection and deletion of false threats. It is a Windows application (PE EXE file). It is 1 039 872 bytes in size. It is written in C++.
Once launched, the Trojan moves its original file and saves it as
%USERPROFILE%\Local Settings\Application Data\<rnd>.exewhere <rnd> is a random decimal number.
Every time when launched, the Trojan creates the following system registry key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce] "<name of original Trojan file>" = "%USERPROFILE%\Local Settings\Application Data\<rnd>.exe"This ensures that the Trojan will launch automatically each time the system is restarted.
The Trojan also creates the following shortcut:
%USERPROFILE%\Start Menu\Programs\Security Tool.lnkThe shortcut points to the object:
%USERPROFILE%\Local Settings\Application Data\<rnd>.exe
Once launched, the Trojan simulates a computer file system scan and displays information about false threats:
When trying to remove the threats displayed by the Trojan, the user will be asked to activate the program:
The sites will then be displayed where the user is asked to input the credit card information to purchase a license:
defe***tgate.com secu***soft.comDuring its operations, the Trojan prevents new processes from being launched. When the Trojan discovers a launched process, it terminates it and displays the following window:
During its operation, the Trojan displays the following messages in the notification area:
The Trojan can also display a message that program updates are available:
During its operation, the Trojan sends a request to the following address:
If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
%USERPROFILE%\Local Settings\Application Data\
.exe %USERPROFILE%\Start Menu\Programs\Security Tool.lnk
" = "%USERPROFILE%\Local Settings\Application Data\ .exe"
MD5: D7F29FBD718066B0112AF79FDC656D67 SHA1: BD796ED40EC3AAB01A36E97D46F47377A0028917
This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.
This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.