
Rogue Malware Alert – AntiSpy Safeguard aka Security Essential

By Alan Lee – PC Tools Malware Research Center

Security Essential is a rogue security application that falsely detects malware on the victim’s computer and prompts the victim to pay for removal of those false detections. What is interesting about Security Essential is the way it entices users to install the rogue application. When executed, Security Essential first pops up a window that looks similar to Microsoft Security Essentials (the legitimate application from Microsoft), informing the user that the computer is infected with malware.

Figure 1. Fake Security Essential alert


Figure 2. Real Microsoft Security Essentials (does it look similar?)

Once the user clicks through to clean the “infected” computer, the user is shown a list of other popular antivirus solutions together with 5 rogue security applications:

Figure 3. A list of antivirus solution vendors

  • Antispy Spysafe
  • Major Defense Kit
  • Peak Protection
  • Pest Detector
  • Red Cross

A fake scan proceeds when the user clicks “Start Scan”, and eventually the user sees a screen like this.

Figure 4. Fake scan “featuring” other security vendors

If the user clicks on “Free install”, the malware will “attempt” to download a copy of the 5 chosen rogue applications.

Figure 5. Fake download of rogue security application

Once the fake download is completed, the installation of the rogue security applications will then proceed just like any other application installation.

Figure 6. Antispy Safeguard setup wizard (Can you find the spelling mistake?)

Figure 7. License agreement

Figure 8. Successful installation

Figure 9. Safe startup

Figure 10. License center for payment

Figure 11. Fake scan screen of Security Essential

Once installed, Security Essential will reboot the computer and then perform a fake scan.

It also prevents web browsers (e.g. Internet Explorer, Firefox, Chrome) and other applications such as taskmgr.exe from functioning.

ThreatExpert reports

http://www.threatexpert.com/report.aspx?md5=ce8a9adb741fe35751d777bb4157ff02

http://www.threatexpert.com/report.aspx?md5=cc3ac010111bf3af9ad7743f58766605

Manual removal of Security Essential

Security Essential creates or drops files in the following locations:

  • C:\Documents and Settings\<username>\Application Data\hotfix.exe
  • C:\Documents and Settings\<username>\Application Data\antispy.exe
  • C:\Documents and Settings\<username>\Local Settings\Temp\??????.bat [note: ?????? are random letters]

It also creates the following registry keys and values:

  • HKEY_CURRENT_USER\Software\??? [note: ??? are random letters]
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

    Shell = “%AppData%\hotfix.exe”

  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

    Shell = “%AppData%\antispy.exe”

To remove the threat, delete the above mentioned registry key values and files.

WARNING: Editing the registry incorrectly can cause serious problems that may require you to reinstall Windows. PC Tools cannot guarantee that problems resulting from the incorrect editing of the registry can be solved. Edit the registry at your own risk or refer to our malware removal forum for guidance.
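The following PowerShell script is an added example, not part of the original post or of any PC Tools tool. It is read-only: it checks the current user’s profile for the file and registry indicators listed above and reports what it finds, leaving the actual cleanup to the manual steps (or to the forum guidance) described here. It assumes the indicator paths exactly as the post lists them and only inspects the profile of the user running it.

```powershell
# Added example (not from the PC Tools post): report-only check for the
# Security Essential / AntiSpy Safeguard indicators described above.
# Runs in the context of the current user; repeat per user profile if needed.

$winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$dropped  = @(
    (Join-Path $env:APPDATA 'hotfix.exe'),   # %AppData%\hotfix.exe
    (Join-Path $env:APPDATA 'antispy.exe')   # %AppData%\antispy.exe
)

$findings = @()

# 1. A per-user Winlogon "Shell" value is not normally present at all; the
#    post shows the malware setting it to one of the dropped executables.
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell) {
    $findings += "HKCU Winlogon Shell value is set to: $shell"
}

# 2. Dropped executables in the roaming Application Data folder.
foreach ($path in $dropped) {
    if (Test-Path -LiteralPath $path) {
        $findings += "Dropped file present: $path"
    }
}

# 3. Randomly named .bat files in the user's Temp folder. The post says the
#    name is random letters, so match on that pattern rather than a fixed name.
Get-ChildItem -Path $env:TEMP -Filter '*.bat' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -match '^[A-Za-z]+$' } |
    ForEach-Object { $findings += "Letters-only .bat in Temp: $($_.FullName)" }

if ($findings.Count -eq 0) {
    Write-Output 'No Security Essential indicators found for the current user.'
} else {
    $findings | ForEach-Object { Write-Output "SUSPICIOUS: $_" }
}
```

Because the post notes that the malware blocks taskmgr.exe and web browsers, run the check from a clean environment (for example Safe Mode) so that the results are not affected by the running infection.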

If you would like personal guidance, please open a post in the following forum:

http://www.pctools.com/forum/forumdisplay.php?f=82


One Response to Rogue Malware Alert – AntiSpy Safeguard aka Security Essential

  1. livelybrowsers says:

    Thanks for good stuff
