Difference between revisions of "Internet Security 2012 Virus"

From Free Knowledge Base- The DUCK Project: information for everyone
Revision as of 10:53, 17 December 2011

This new Rogue Antivirus malware surfaced in 2011 and is more aggressive than predecessors such as the older A-Fast Antivirus Scam. It is particularly dangerous because it can install automatically and infect your computer even in Mozilla Firefox. As always, Microsoft Internet Explorer is the browser most susceptible to this type of malware.

Those vulnerable tend to be individuals doing internet searches and clicking on links to unknown sites. These can be information searches or image searches. As always, those seeking pornography tend to be the most likely to encounter this malware; however, standard clipart searches on Google Images and other ordinary user searches are also encountering it.

There are variants. The first incarnations of this Rogue Antivirus were less aggressive in that the user had to click on a pseudo button or link to install the virus. The most recent variants install automatically, override Windows Security Center, and cripple the operating system by diverting the .exe (executable) file type association. The common browsers, including Microsoft Internet Explorer, Mozilla Firefox, and Google Chrome, are all hijacked. The user cannot run common executables, such as the Windows Registry Editor or System Restore, and the web browsers are unable to navigate to web sites. The level of infiltration depends on the variant and on how the user responds.

Internet Security 2012 is only one of the names this rogue uses. It is a name changing rogue. Some of the known variants are listed here:
XP Antispyware 2012, Vista Antispyware 2012, Win 7 Antispyware 2012, XP Antivirus 2012, Vista Antivirus 2012, Win 7 Antivirus 2012, XP Security 2012, Vista Security 2012, Win 7 Security 2012, XP Home Security 2012, Vista Home Security 2012, Win 7 Home Security 2012, XP Internet Security 2012, Vista Internet Security 2012, Win 7 Internet Security 2012

This rogue was first spotted in 2010, and as of the end of 2011 there are over 60 reported variants.

== Pathology ==

You will find the rogue process executable deposited in the following path:

C:\Documents and Settings\<username>\Local Settings\Application Data\

There is typically a single executable. Its name is inconsistent, but it tends to be three characters long before the extension. Examples:

kjm.exe
mdm.exe

Registry keys impacted

HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"'
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation "TLDUpdates" = '1'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_CURRENT_USER\Software\XP Internet Security 2012
HKEY_LOCAL_MACHINE\SOFTWARE\XP Internet Security 2012
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XP Internet Security 2012
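The following read-only PowerShell audit is an added example, not part of the wiki article and not a tool from any vendor. It walks the registry locations and the drop folder listed above and reports anything that matches the pattern the article describes: an .exe handler that has been redirected to a three-letter executable in the per-user Local Application Data folder (the rogue inserts itself with the `-a` argument so it runs first and then launches the program the user asked for), the two Security Center override values set to 1, and the rogue's own branded keys. It goes slightly beyond the article's list in one respect: because the article says the rogue changes its name, the branded-key check is run for every variant name the article lists, not only "XP Internet Security 2012". The `Registry::` paths, the `(default)` property name and `[Environment]::GetFolderPath` are standard PowerShell and .NET; the stock handler value `"%1" %*` is the normal Windows default used here as the comparison baseline.

```powershell
# Added example (not from the wiki article): read-only audit for the
# Internet Security 2012 rogue's registry and file-system indicators.
# Run in an elevated PowerShell session. Nothing is modified.

$report = New-Object System.Collections.Generic.List[string]

function Get-DefaultValue {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    # PowerShell exposes a key's unnamed "(Default)" value under the property name '(default)'
    return (Get-ItemProperty -LiteralPath $Path).'(default)'
}

# 1. Launch commands the article says the rogue rewrites.
#    Stock value for exefile\shell\open\command is  "%1" %*  ; a clean HKCR\.exe has no shell subkey at all.
$commandKeys = @(
    'Registry::HKEY_CLASSES_ROOT\.exe\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command',
    'Registry::HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command',
    'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command'
)
# Signature from the article: handler lives in Local Application Data and wraps the real program with -a
$hijackPattern = 'LocalAppData|Local Settings\\Application Data|\.exe"\s+-a\s'
foreach ($key in $commandKeys) {
    $cmd = Get-DefaultValue $key
    if ($null -eq $cmd) { continue }                      # absent key is the normal state for HKCR\.exe\shell
    if ($cmd -match $hijackPattern) { $report.Add("HIJACKED  $key = $cmd") }
    else                            { $report.Add("ok        $key = $cmd") }
}

# 2. Security Center overrides (1 = the user is no longer warned that AV/firewall are off)
$sc = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center'
if (Test-Path -LiteralPath $sc) {
    $props = Get-ItemProperty -LiteralPath $sc
    foreach ($name in 'FirewallOverride', 'AntiVirusOverride') {
        $v = $props.$name
        if ($v -eq 1) { $report.Add("SUSPECT   $sc\$name = $v") }
        else          { $report.Add("ok        $sc\$name = $v") }
    }
}

# 3. Branded keys, checked for every variant name the article lists
$variantNames = @(
    'XP Antispyware 2012', 'Vista Antispyware 2012', 'Win 7 Antispyware 2012',
    'XP Antivirus 2012', 'Vista Antivirus 2012', 'Win 7 Antivirus 2012',
    'XP Security 2012', 'Vista Security 2012', 'Win 7 Security 2012',
    'XP Home Security 2012', 'Vista Home Security 2012', 'Win 7 Home Security 2012',
    'XP Internet Security 2012', 'Vista Internet Security 2012', 'Win 7 Internet Security 2012'
)
$brandParents = @(
    'Registry::HKEY_CURRENT_USER\Software',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)
foreach ($parent in $brandParents) {
    foreach ($name in $variantNames) {
        $key = Join-Path $parent $name
        if (Test-Path -LiteralPath $key) { $report.Add("PRESENT   $key") }
    }
}

# 4. Three-letter .exe files in the per-user Local Application Data folder.
#    GetFolderPath resolves to "Local Settings\Application Data" on XP and "AppData\Local" on later Windows,
#    so this works even where the LOCALAPPDATA environment variable is not defined (XP).
$localAppData = [Environment]::GetFolderPath('LocalApplicationData')
Get-ChildItem -LiteralPath $localAppData -Filter '*.exe' -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.BaseName -match '^[A-Za-z]{3}$' } |
    ForEach-Object { $report.Add("DROPPER?  $($_.FullName)  ($($_.Length) bytes, modified $($_.LastWriteTime))") }

$report | ForEach-Object { Write-Output $_ }
$hits = @($report | Where-Object { $_ -match '^(HIJACKED|SUSPECT|PRESENT|DROPPER)' })
if ($hits.Count -gt 0) {
    Write-Warning "$($hits.Count) indicator(s) of the Internet Security 2012 rogue found; review the lines above."
}
```

Because the rogue has diverted the .exe association, a `.exe` file in a hijacked session may itself be intercepted; run the script from a console started before infection, from Safe Mode, or from an offline-mounted hive. The `ok` lines are as useful as the flagged ones: they show the value each key currently holds, which is what you compare against the stock `"%1" %*` handler when deciding what to restore.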