Tuesday, March 31, 2009

MALWARE INFECTION THROUGH FALSE WINDOWS SECURITY CENTER

The Windows Security Center (renamed Action Center in Windows 7, where it also covers maintenance) is a component of Windows XP from Service Pack 2 onward, Windows Vista and Windows 7 that lets users view the status of the computer's security settings and services. It also continually monitors those settings and informs the user via a pop-up notification balloon if there is a problem.

Here, however, a web page imitating the Security Center shows fake scan alerts, and it is being used to spread Trojans of the Winwebsec family (rogue antivirus software).



When the user first visits the malicious page, it displays a fake virus alert.


It then asks the user to install the rogue antivirus "System Security 2009".


After infection:



More on Install.exe (VirusTotal report): http://www.virustotal.com/analisis/cb066f00f4dccdd3f24f5f888843aee5

WHOIS INFORMATION:

Domain name: itsecurityscan.com

Name servers:
ns1.itsecurityscan.com
ns2.itsecurityscan.com

Registrar: Regtime Ltd.
Creation date: 2009-03-25
Expiration date: 2010-03-25

Registrant:
Jayme Millwood
Email: millwoodjaymemichael@gmail.com
Organization: Private person
Address: 1892 C Street
City: Pawtucket
State: MA
ZIP: 02860
Country: US
Phone: +1.5083997660
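The WHOIS record above carries the two indicators that most often give a rogue-AV landing page away: the domain was registered only days before it was seen serving the fake scanner, and its name servers live under the domain itself. The following is an added example, not code from the original post: a small Python triage helper that parses a WHOIS record in the same "Key: value" layout as the one quoted above (embedded here as a constructed sample copied from the post so it runs offline; no network lookup is made), computes the domain age at the date of observation, and flags the indicators. The 30-day threshold and the short webmail list are assumptions chosen for illustration.

```python
from datetime import datetime

# Constructed sample input: the WHOIS record quoted in the post, copied into a
# string so the example runs offline. No WHOIS query is performed.
SAMPLE_WHOIS = """\
Domain name: itsecurityscan.com

Name servers:
ns1.itsecurityscan.com
ns2.itsecurityscan.com

Registrar: Regtime Ltd.
Creation date: 2009-03-25
Expiration date: 2010-03-25

Registrant:
Jayme Millwood
Email: millwoodjaymemichael@gmail.com
Organization: Private person
"""

# Assumption: a short illustrative list; a real deployment would use a fuller one.
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}


def parse_whois(text):
    """Parse the simple 'Key: value' WHOIS layout into a dict.

    Lines following a 'Name servers:' header (one server per line, terminated by
    a blank line) are collected into rec['name_servers']; keys are lower-cased.
    """
    rec = {"name_servers": []}
    in_ns = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_ns = False          # blank line ends the name-server list
            continue
        if line.lower() == "name servers:":
            in_ns = True
            continue
        if in_ns:
            rec["name_servers"].append(line.lower())
            continue
        if ":" in line:
            key, _, val = line.partition(":")
            rec[key.strip().lower()] = val.strip()
    return rec


def domain_age_days(rec, observed_iso):
    """Days between the registration date and the observation date (YYYY-MM-DD)."""
    created = datetime.strptime(rec["creation date"], "%Y-%m-%d")
    observed = datetime.strptime(observed_iso, "%Y-%m-%d")
    return (observed - created).days


def assess(rec, observed_iso, max_age_days=30):
    """Return the indicator tags that apply to this record.

    new-domain         registered fewer than max_age_days before it was observed
    self-hosted-dns    every name server is a host under the domain itself
    webmail-registrant registrant contact uses a free webmail address (weak signal)
    """
    findings = []
    domain = rec["domain name"].lower()
    if domain_age_days(rec, observed_iso) < max_age_days:
        findings.append("new-domain")
    servers = rec["name_servers"]
    if servers and all(ns.endswith("." + domain) for ns in servers):
        findings.append("self-hosted-dns")
    contact_domain = rec.get("email", "").rpartition("@")[2].lower()
    if contact_domain in WEBMAIL_DOMAINS:
        findings.append("webmail-registrant")
    return findings


if __name__ == "__main__":
    record = parse_whois(SAMPLE_WHOIS)
    # The post is dated 2009-03-31, six days after the domain was created.
    print(record["domain name"], "age:", domain_age_days(record, "2009-03-31"), "days")
    print("indicators:", assess(record, "2009-03-31"))
```

None of these indicators is proof on its own; a freshly registered domain with self-hosted DNS is a common pattern for throwaway rogue-AV infrastructure, but the same record re-checked a year later would clear the age check while the other two still hold, so the age should always be computed against the date the page was actually observed, not the date of the lookup.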


***** Thanks to Kalyan for his analysis *****

2 comments:

Zara said...

We have encountered what we believe is a false security programme called Personal Security which has a logo of a blue shield with a diagonal white stripe. It gives security alerts saying we are heavily infected with spyware and aggressively pushes us to buy a licence. The "real" antivirus software was changed recently by a computer expert friend who took off AVG and installed a free Windows version called Microsoft Security Essentials. I have run a full scan of this but the problem persists. Can you help us to remove the problem? philippe@llantellen.com

Anushree said...

Yes, based on the description you gave, it sounds like the rogueware that we came across recently. We need more details on the processes it is running, the files it is creating, any registry entries, etc. If you do not know how to get these, send us a snapshot of the tool. In one of our friends' cases, he got the same rogueware when he uninstalled Norton 2009. Send us a snapshot or other details and we can send you the steps to remove them.