VirusProtector

09 march, 2010

Updated: March 8, 2010 4:19:59 PM
Type: Misleading Application
Name: VirusProtector
Version: 1.0.0.1
Risk Impact: Medium
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

SUMMARY

Behavior

VirusProtector is a misleading application that may give exaggerated reports of threats on the computer.

Protection

  • Initial Rapid Release version March 8, 2010 revision 016
  • Latest Rapid Release version March 8, 2010 revision 016
  • Initial Daily Certified version March 8, 2010 revision 033
  • Latest Daily Certified version March 8, 2010 revision 033
  • Initial Weekly Certified release date March 10, 2010

TECHNICAL DETAILS

Behavior
The program must be manually installed.

It can be downloaded from the following location:
[http://]antivpc.com

The program reports false or exaggerated system security threats on the computer.





Fake Detection Names
The program may falsely report detections of the following threats:





The user is then prompted to pay for a full license of the application in order to remove the threats.

The program may also display the following fake error messages:








Installation

When the program is executed, it creates the following folder:
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012010030820100309

It also creates the following files:
  • C:\WINDOWS\Prefetch\1.EXE-335C5EEA.pf
  • C:\WINDOWS\system32\drivers\[RANDOM FILE NAME].exe
  • C:\WINDOWS\system32\drivers\[RANDOM FILE NAME].dll
  • C:\WINDOWS\system32\[RANDOM FILE NAME].exe
  • C:\WINDOWS\system32\[RANDOM FILE NAME].dll
  • C:\WINDOWS\[RANDOM FILE NAME].exe
  • C:\WINDOWS\[RANDOM FILE NAME].dll


Next, the program deletes the following folders:
  • C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008011620080117
  • C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008011720080118


It also deletes the following file:
C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_e38.dat

The program then modifies the following files:
  • C:\Documents and Settings\Administrator\Cookies\index.dat
  • C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
  • C:\Documents and Settings\Administrator\ntuser.dat.LOG
  • C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
  • C:\WINDOWS\Prefetch\PERL.EXE-08A6F3BE.pf
  • C:\WINDOWS\Prefetch\REGSHOT.EXE-2A173C98.pf
  • C:\WINDOWS\system32\config\software.LOG
  • C:\WINDOWS\system32\config\system.LOG


Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shelly" = "Explorer.exe"

It also creates the following registry entries:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"LoadAppInit_DLLs" = "1"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\"C:\INF\1.exe" = "VirusProtector Application"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\"HRZR_EHACNGU:P:\VAS\1.rkr" = "1B 00 00 00 06 00 00 00 A0 F0 A0 6C C2 BE CA 01"


The program then creates the following registry subkey:
HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010030820100309

Next, the program deletes the following registry subkeys:
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008011620080117
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008011720080118


It may then modify the following registry entries:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\"Directory" = "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\"Directory" = "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\"CachePath" = "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\"CachePath" = "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\"CachePath" = "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\"CachePath" = "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\"CachePath" = "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\"CachePath" = "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\"CachePath" = "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\"CachePath" = "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MSSYCLM\"Start" = "0x389F0129"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MSSYCLM\"Start" = "0x8824EF45"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs" = ""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs" = "aLslnAJQD.dll"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\"HRZR_EHACNGU" = "1A 00 00 00 A6 01 00 00 90 50 33 F9 94 00 CA 01"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\"HRZR_EHACNGU" = "1B 00 00 00 A7 01 00 00 B0 A6 9E 6C C2 BE CA 01"
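
The UserAssist entries in the created and modified registry lists above store their value names ROT13-encoded and their data as a 16-byte little-endian record. The following is an added example, not part of the original writeup, that decodes the three values quoted on this page; the field layout and the counter base of 5 are the commonly documented Windows XP format and are treated here as assumptions.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# (value name, data) pairs copied from the registry entries listed above.
SAMPLES = [
    (r"HRZR_EHACNGU:P:\VAS\1.rkr", "1B 00 00 00 06 00 00 00 A0 F0 A0 6C C2 BE CA 01"),
    ("HRZR_EHACNGU", "1A 00 00 00 A6 01 00 00 90 50 33 F9 94 00 CA 01"),
    ("HRZR_EHACNGU", "1B 00 00 00 A7 01 00 00 B0 A6 9E 6C C2 BE CA 01"),
]

XP_COUNT_BASE = 5  # assumption: XP-era UserAssist counters start at 5
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_userassist(value_name, hex_data):
    """Decode one XP-format UserAssist value into readable fields."""
    raw = bytes.fromhex(hex_data)  # fromhex() ignores the spaces
    if len(raw) != 16:
        raise ValueError("expected a 16-byte XP-format record, got %d" % len(raw))
    # Assumed layout: DWORD session id, DWORD counter, 64-bit FILETIME (little-endian).
    session, counter, filetime = struct.unpack("<IIQ", raw)
    return {
        "name": codecs.decode(value_name, "rot_13"),
        "session": session,
        "counter": counter,
        "runs": max(counter - XP_COUNT_BASE, 0),
        # FILETIME counts 100 ns ticks since 1601-01-01 UTC.
        "last_run": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
    }


if __name__ == "__main__":
    for name, data in SAMPLES:
        rec = decode_userassist(name, data)
        print(rec["name"], rec["session"], rec["counter"],
              rec["last_run"].strftime("%Y-%m-%d %H:%M:%S UTC"))
```

The decoded name of the first entry, UEME_RUNPATH:C:\INF\1.exe, is the same path recorded in the MUICache entry, and the bare UEME_RUNPATH counter goes from 422 to 423 between the two modified values.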
