

VIRUS ALERTS

Rogue Antivirus "PersonalSecurity"

Original issue date: March 11, 2010

It has been observed that a program named PersonalSecurity is circulating widely. It is a rogue security program that displays fake warning messages stating that "spyware or malware has been detected on the machine" in order to convince users to purchase rogue security software. It may be dropped by other malware downloaded from remote sites. It installs a Browser Helper Object (BHO) on the victim machine.

Aliases:

Trojan:Win32/FakeXPA (Microsoft), Adware.Win32.PersonalSecurity (a-squared), Personal Security (other)

The activities of Personalsecurity upon execution:

  • Creates the following files
    • %ProgramFiles%\PSecurity\psecurity.exe
    • %ProgramFiles%\Common Files\PSecurity\Uninstall\Uninstall.lnk
    • %SystemRoot%\system32\win32extension.dll
    • %AllUsersProfile%\Start Menu\PSecurity\Help.lnk
    • %AllUsersProfile%\Start Menu\PSecurity\Personal Security.lnk
    • %AllUsersProfile%\Start Menu\PSecurity\Registration.lnk
    • %AllUsersProfile%\Start Menu\PSecurity\Security Center.lnk
    • %AllUsersProfile%\Start Menu\PSecurity\Settings.lnk
    • %AllUsersProfile%\Start Menu\PSecurity\Update.lnk
    • %AllUsersProfile%\Start Menu\PSecurity\Computer Scan.lnk
    • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\PSecurity.lnk

  • Creates the following registry keys
    • HKEY_LOCAL_MACHINE\software\256537C7AD95AFE5C50084ABD7767AE9
    • HKEY_LOCAL_MACHINE\software\Classes\clsid\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
    • HKEY_LOCAL_MACHINE\software\Classes\clsid\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}\InprocServer32
    • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
    • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Uninstall\PSecurity
    • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run\PSecurity

  • Creates a system-tray icon

  • Displays an error message when it detects that it is running in a virtual machine

  • Connects to a remote server "safetey . updated . com" to download further files

  • Displays fake scanning messages

  • If the user proceeds with removal, the user is presented with a "registration" window

  • Displays an imitation "Security Center"


Removal

  • Temporarily disable System Restore
  • Update the virus definitions
  • Reboot the computer in Safe Mode
  • Run a full system scan and clean/delete all infected file(s)
  • Delete/modify any values added to the registry
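The following read-only check is an added example and is not part of the CERT-In advisory. It takes the file paths and registry keys listed above, resolves the environment variables, and reports which artifacts are present on a host, which supports both the "run a full system scan" step and the "delete/modify any values added to the registry" step by showing a responder exactly what to look at before anything is removed. The only assumption beyond the advisory's own indicators is that the `...\Run\PSecurity` entry may exist as a value rather than a subkey, so both forms are checked.

```powershell
# Added example, not CERT-In's own tooling: read-only check for the
# PersonalSecurity artifacts named in the advisory. Run in an elevated
# PowerShell on the suspect host. Nothing is deleted or modified.

$clsid = '{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}'

# File artifacts from the advisory. Environment variables are expanded
# at run time; on 64-bit hosts also check ${env:ProgramFiles(x86)}.
$files = @(
    '%ProgramFiles%\PSecurity\psecurity.exe',
    '%ProgramFiles%\Common Files\PSecurity\Uninstall\Uninstall.lnk',
    '%SystemRoot%\system32\win32extension.dll',
    '%AllUsersProfile%\Start Menu\PSecurity',   # folder holding the .lnk files
    '%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\PSecurity.lnk'
)

# Registry keys from the advisory (the HKEY_ hives written as provider paths).
$keys = @(
    'HKLM:\SOFTWARE\256537C7AD95AFE5C50084ABD7767AE9',
    "HKLM:\SOFTWARE\Classes\CLSID\$clsid",
    "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid",
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\PSecurity'
)

$hits = @()

foreach ($f in $files) {
    $p = [Environment]::ExpandEnvironmentVariables($f)
    if (Test-Path -LiteralPath $p) { $hits += "FILE  $p" }
}

foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $hits += "KEY   $k" }
}

# Assumption: the advisory lists ...\Run\PSecurity as a key, but autostart
# entries are normally values under Run, so look for both a subkey and a value.
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path -LiteralPath "$run\PSecurity") { $hits += "KEY   $run\PSecurity" }
$runVal = Get-ItemProperty -LiteralPath $run -Name 'PSecurity' -ErrorAction SilentlyContinue
if ($runVal) { $hits += "VALUE $run\PSecurity = $($runVal.PSecurity)" }

# The BHO registration names its DLL in InprocServer32's default value;
# report it so the responder sees which file the CLSID actually loads.
$inproc = Get-ItemProperty -LiteralPath "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" `
    -ErrorAction SilentlyContinue
if ($inproc) { $hits += "BHO   InprocServer32 -> $($inproc.'(default)')" }

if ($hits.Count -eq 0) {
    Write-Output 'No PersonalSecurity artifacts found.'
} else {
    Write-Output "PersonalSecurity artifacts found ($($hits.Count)):"
    $hits | ForEach-Object { Write-Output "  $_" }
}
```

Run the check before and after the cleanup steps above: the second run should report no artifacts, and any surviving Run value or BHO registration pointing at win32extension.dll indicates the removal was incomplete.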

In view of the rapid propagation of the rogue PersonalSecurity program, users are advised to implement the following countermeasures:

  • Exercise caution while opening e-mail attachments received from unknown sources.
  • Use caution when clicking on links to Web pages.
  • Keep up-to-date patches and fixes on the operating system and application software.
  • Keep up-to-date antivirus and antispyware signatures.

References

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PersonalSecurity

http://forums.malwarebytes.org/index.php?showtopic=36703

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003