By Crescencio Reyes – PC Tools Malware Research Team
There has been an update to the currently widespread Security Essential rogue (fake antivirus) malware. Like the previous variant, it still exhibits the same behavior. Upon running the binary, it presents a fake warning window claiming that your computer is infected.
Figure 1: Warning window
Clicking on "Scan Online" shows a list of legitimate security vendors allegedly detecting the threat, along with other rogue malware offering free installation.
Figure 2: Pretending to do a scan using different products
Figure 3: Autorun entries added in the system
Here we can see the autorun entries added by the rogue malware to an infected system. The file hotfix.exe is the actual rogue binary, while 42004.js is an obfuscated downloader script.
The website the downloader script points to is already blocked by Site Guard.
Figure 6: Running process with a script interpreter
Figure 8: Dropped files in the system
Threat Expert Report
Security Essential creates or drops files in the following locations:
C:\Documents and Settings\<username>\Application Data\hotfix.exe
C:\Documents and Settings\<username>\Application Data\?????.js (where ????? are random numbers)
C:\Documents and Settings\<username>\Application Data\jsdfgs.bat
It creates the following registry entries:
s = wscript.exe "C:\Documents and Settings\rd\Application Data\42004.js"
Shell = C:\Documents and Settings\<username>\Application Data\hotfix.exe
To remove the threat, delete the registry entries and files listed above.
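As an added example (not PC Tools' own code or tooling), the following PowerShell script audits the two persistence points described above, the Winlogon Shell value replaced with hotfix.exe and the Run entry that hands an all-digit .js file to wscript.exe, and looks for the dropped files in the user's Application Data folder. It is read-only: it reports what it finds and deletes nothing, so it can be run before and after removal to confirm the entries are gone. It assumes PowerShell 3 or later and that it runs in the affected user's session, so that HKCU and $env:APPDATA refer to that user; the XP-era "Documents and Settings" path is resolved through $env:APPDATA rather than hard-coded.

```powershell
# Added example, not from the PC Tools write-up: read-only audit of the persistence
# points and dropped files listed in the post. Assumes PowerShell 3+ and that it is
# run in the affected user's session (HKCU and $env:APPDATA belong to that user).

function Get-RogueAutorunFindings {
    $findings = @()

    # 1. Winlogon Shell value: on a clean system this is exactly "explorer.exe".
    #    The rogue rewrites it to hotfix.exe so it starts in place of the desktop.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
        $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
        if ($shell -and $shell.Trim().ToLower() -ne 'explorer.exe') {
            $findings += [pscustomobject]@{
                Type  = 'Winlogon Shell'
                Where = "$key\Shell"
                Value = $shell
            }
        }
    }

    # 2. Run entries that pass a script file to wscript.exe / cscript.exe
    #    (the post's entry: s = wscript.exe "...\Application Data\42004.js").
    $runKeys = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
            $v = [string]$p.Value
            if ($v -match '[wc]script\.exe' -and $v -match '\.(js|jse|vbs|wsf)\b') {
                $findings += [pscustomobject]@{
                    Type  = 'Run entry'
                    Where = "$key\$($p.Name)"
                    Value = $v
                }
            }
        }
    }

    # 3. Dropped files: hotfix.exe, jsdfgs.bat, or an all-digit *.js in Application Data.
    $dropped = @(
        Get-ChildItem -Path $env:APPDATA -ErrorAction SilentlyContinue |
            Where-Object {
                -not $_.PSIsContainer -and (
                    ('hotfix.exe', 'jsdfgs.bat') -contains $_.Name -or
                    $_.Name -match '^\d+\.js$'
                )
            }
    )
    foreach ($f in $dropped) {
        $findings += [pscustomobject]@{
            Type  = 'Dropped file'
            Where = $f.FullName
            Value = ('{0} bytes, modified {1}' -f $f.Length, $f.LastWriteTime)
        }
    }

    return $findings
}

$report = Get-RogueAutorunFindings
if ($report.Count -eq 0) {
    'No Security Essential indicators found.'
} else {
    $report | Format-Table -AutoSize
}
```

The Winlogon check is deliberately stricter than "does it mention hotfix.exe": any Shell value other than explorer.exe is worth a look, since a renamed variant would otherwise slip past a name-based check. Likewise the Run-key check keys on the wscript.exe plus script-file pattern rather than on the 42004.js name, because the post notes that the number is random.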
WARNING: Editing the registry incorrectly can cause serious problems that may require you to reinstall Windows. PC Tools cannot guarantee that problems resulting from the incorrect editing of the registry can be solved. Edit the registry at your own risk or refer to our malware removal forum for guidance.