Warning: New Security Essential Variant

By Crescencio Reyes – PC Tools Malware Research Team

There has been an update to the current widespread Security Essential rogue malware. Like the previous variant, it still exhibits the same behavior. Upon running the binary, it will present you with a fake warning window showing that your computer is infected.

Figure 1: Warning window

Clicking on “Scan Online” will show a list of other legitimate security vendors allegedly detecting the threat along with other rogue malwares offering free installation.

Figure 2: Pretending to do a scan using different products

Figure 3: Autorun entries added in the system

Here we can see the autorun entries added by the rogue malware to an infected system. The file hotfix.exe is the actual rogue malware binary, where the 42004.js file is an obfuscated downloader script.

Figure 4: Obfuscated JavaScript file

Figure 5: Decoded JavaScript file

The website pointed by the downloader script is already blocked by Site Guard.

Figure 6: Running process with a script interpreter

Figure 7: Wscript running the downloader JavaScript file

Figure 8: Dropped files in the system

Threat Expert Report


Manual Removal

Security Essential creates or drops files in the following locations:

C:Documents and Settings<username>Application Datahotfix.exe

C:Documents and Settings<username>Application Data?????.js (where ????? are random numbers)

C:Documents and Settings<username>Application Data jsdfgs.bat

It creates the following registry keys:


s = wscript.exe “C:Documents and SettingsrdApplication Data42004.js”

HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWinlogon

Shell = C:Documents and Settings<username>Application Datahotfix.exe

To remove the threat, delete the above mentioned registry and files.

WARNING: Editing the registry incorrectly can cause serious problems that may require you to reinstall Windows. PC Tools cannot guarantee that problems resulting from the incorrect editing of the registry can be solved. Edit the registry at your own risk or refer to our malware removal forum for guidance.

This entry was posted in Malware Alerts and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>