Internet Security 2012 Virus

Revision as of 11:59, 17 December 2011 by Admin (Talk | contribs)

This new Rogue Antivirus malware has surfaced in 2011 and is more aggressive than predecessors like the older A-Fast Antivirus Scam. It is particularly dangerous because, even in Mozilla Firefox, it can install automatically and infect your computer. As always, Microsoft Internet Explorer is the most susceptible to this type of malware.

Those vulnerable tend to be individuals doing internet searches and clicking on links to unknown sites. These can be information searches or image searches. As always, those seeking pornography tend to be the most likely to encounter this malware; however, standard clipart searches on Google Images and other ordinary user searches are also encountering it.

There are variants. The first incarnations of this Rogue Antivirus were less aggressive in that the user had to click on a pseudo button or link to install the virus. The most recent variants install automatically, override Windows Security Center, and cripple the operating system by diverting the .exe (executable) file type association. The common browsers, including Microsoft Internet Explorer, Mozilla Firefox, and Google Chrome, are all hijacked. The user cannot run common executables, such as the Windows Registry Editor or System Restore, and the web browsers are unable to navigate to web sites. The level of infiltration depends on the variant and how the user responds.

Internet Security 2012 is only one of the names this rogue uses. It is a name-changing rogue. Some of the known variants are listed here:
XP Antispyware 2012, Vista Antispyware 2012, Win 7 Antispyware 2012, XP Antivirus 2012, Vista Antivirus 2012, Win 7 Antivirus 2012, XP Security 2012, Vista Security 2012, Win 7 Security 2012, XP Home Security 2012, Vista Home Security 2012, Win 7 Home Security 2012, XP Internet Security 2012, Vista Internet Security 2012, Win 7 Internet Security 2012

This rogue was first spotted in 2010, and as of the end of 2011 there are over 60 reported variants.

Pathology

You will find the rogue process executable deposited in the following path:

C:\Documents and Settings\<username>\Local Settings\Application Data\

There is typically a single executable; its name is inconsistent but tends to be three characters before the extension. Examples:

kjm.exe
kdn.exe
mdm.exe

Registry keys impacted

HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"'
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation "TLDUpdates" = '1'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_CURRENT_USER\Software\XP Internet Security 2012
HKEY_LOCAL_MACHINE\SOFTWARE\XP Internet Security 2012
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XP Internet Security 2012

Removal

It is possible to remove this malware without downloading any special removal tool. It was accomplished in our lab by using tools included with Microsoft Windows XP.

  • regedit.exe
  • System Restore
  • Task Manager

An overview of the process: use Task Manager to kill the rogue process from memory, repeatedly, throughout the rest of the procedure. The process restarts every 30 seconds or so and must be killed each time it reappears. The remaining steps are:

  • Use the Windows Registry Editor to remove the keys listed above.
  • Navigate to the Application Data folder for every user and delete the rogue executable.
  • Reboot.
  • Open file type associations and create a new association for the exe extension as "Application".
  • Create a shortcut on the Windows desktop to System Restore, right-click the shortcut, and run it as "Administrator".
  • Restore to a checkpoint prior to the introduction of the rogue on the system.

Process Explained in detail:

Since it was impossible to run System Restore after the malware manipulated the file type association for exe, it had to be run via the trick described above. (more detail needed)
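As an added illustration for both the Pathology listing and the Removal steps above (this is example code written for this page, not a tool from the page's lab), the Python script below audits a set of registry entries for the hijack pattern described here and builds a .reg file that restores the stock Windows XP values. The sample entries are constructed from the registry listing above; in practice they would come from a regedit export or an offline hive parse. It assumes the Windows XP default exefile command "%1" %*, the browser install paths quoted in the listing, and that Security Center overrides should read 0.

```python
"""Audit registry entries for the Internet Security 2012 hijack pattern and
build a .reg file that restores the Windows XP defaults.

Added example for this page; the sample entries are constructed from the
Pathology listing, not captured from a real machine."""
import re

# Launcher pattern from the listing: the rogue's executable in the per-user
# Application Data folder, invoked with -a and the real program as argument.
LAUNCHER_RE = re.compile(
    r'^"?(?:%LocalAppData%|[A-Za-z]:\\Documents and Settings\\[^\\]+'
    r'\\Local Settings\\Application Data)\\[^\\"]+\.exe"?\s+-a\s',
    re.IGNORECASE,
)
# Branding names taken from the variant list on the page.
ROGUE_NAME_RE = re.compile(
    r"\b(?:XP |Vista |Win 7 )?(?:Antispyware|Antivirus|Home Security|"
    r"Internet Security|Security) 2012\b"
)
# Three-letter names such as kjm.exe / kdn.exe / mdm.exe; only a heuristic,
# meaningful for files sitting in Local Settings\Application Data.
ROGUE_FILENAME_RE = re.compile(r"^[a-z]{3}\.exe$", re.IGNORECASE)

# (key, value name, data) tuples constructed from the registry listing above.
SAMPLE_REGISTRY = [
    (r"HKEY_CLASSES_ROOT\.exe\shell\open\command", "(Default)",
     r'"%LocalAppData%\kdn.exe" -a "%1" %*'),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", "FirewallOverride", "1"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", "AntiVirusOverride", "1"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command",
     "(Default)", r'"%LocalAppData%\kdn.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"'),
    (r"HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command", "(Default)",
     r'"%LocalAppData%\kdn.exe" -a "%1" %*'),
    (r"HKEY_CURRENT_USER\Software\XP Internet Security 2012", "(Default)", ""),
    # A clean entry for contrast: the stock XP exefile association.
    (r"HKEY_CLASSES_ROOT\exefile\shell\open\command", "(Default)", r'"%1" %*'),
]

# Stock targets for the browser launcher keys the rogue rewrites; the paths are
# the ones quoted in the listing (assumed default install directories).
DEFAULT_BROWSER_COMMANDS = {
    r"IEXPLORE.EXE\shell\open\command": r'"C:\Program Files\Internet Explorer\iexplore.exe"',
    r"FIREFOX.EXE\shell\open\command": r'"C:\Program Files\Mozilla Firefox\firefox.exe"',
    r"FIREFOX.EXE\shell\safemode\command": r'"C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode',
}


def audit(entries):
    """Return (kind, key\\value, data) findings for entries matching the rogue's footprint."""
    findings = []
    for key, name, data in entries:
        where = key + "\\" + name
        low_key = key.lower()
        if low_key.endswith("\\command") and LAUNCHER_RE.match(data):
            findings.append(("hijacked-command", where, data))
        elif low_key.endswith("\\security center") and name.lower().endswith("override") \
                and data.strip() == "1":
            findings.append(("security-center-override", where, data))
        elif ROGUE_NAME_RE.search(key):
            findings.append(("rogue-branding-key", where, data))
    return findings


def suspicious_filenames(names):
    """Filter directory listing names down to the three-letter .exe pattern."""
    return [n for n in names if ROGUE_FILENAME_RE.match(n)]


def reg_escape(s):
    """Escape a string value for a .reg file (backslashes and quotes)."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def repair_reg(rogue_name="XP Internet Security 2012", browser_commands=DEFAULT_BROWSER_COMMANDS):
    """Build .reg text that deletes the per-user overrides and restores XP defaults."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    # .exe points at exefile, and exefile launches the target directly.
    lines += [r"[HKEY_CLASSES_ROOT\.exe]", '@="exefile"', "",
              r"[-HKEY_CLASSES_ROOT\.exe\shell]", "",
              r"[HKEY_CLASSES_ROOT\exefile\shell\open\command]", r'@="\"%1\" %*"', ""]
    # Per-user class overrides shadow the machine-wide ones; delete them.
    lines += [r"[-HKEY_CURRENT_USER\Software\Classes\.exe]", "",
              r"[-HKEY_CURRENT_USER\Software\Classes\exefile]", ""]
    # Clear the overrides that silence the firewall and antivirus warnings.
    lines += [r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]",
              '"FirewallOverride"=dword:00000000', '"AntiVirusOverride"=dword:00000000', ""]
    for subkey, command in browser_commands.items():
        lines += ["[HKEY_LOCAL_MACHINE\\SOFTWARE\\Clients\\StartMenuInternet\\" + subkey + "]",
                  '@="' + reg_escape(command) + '"', ""]
    # Remove the rogue's own branding keys (the name varies by variant).
    for hive in (r"HKEY_CURRENT_USER\Software", r"HKEY_LOCAL_MACHINE\SOFTWARE",
                 r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"):
        lines += ["[-" + hive + "\\" + rogue_name + "]", ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    for kind, where, data in audit(SAMPLE_REGISTRY):
        print(kind.ljust(26), where, "->", data)
    print(suspicious_filenames(["kjm.exe", "kdn.exe", "mdm.exe", "explorer.exe"]))
    print(repair_reg())
```

The generated text is only useful once the rogue process has been killed as described above; merging it while the process is still respawning lets the rogue rewrite the keys again. Save it as a .reg file and merge it with the Registry Editor, passing the variant's actual branding name (the page lists fifteen) as rogue_name, since the deletion lines depend on it.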

Prevention:

NoScript plugin for Firefox

Last modified on 17 December 2011, at 11:59