Thursday, February 09, 2012

Security Monitor 2012 (FakeAV) - 02.09.2012 - Analysis and Removal

This was performed on a virtual machine.
__________________________________________________________________________________
MBAM

Registry Keys Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Security Monitor 2012 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|jo50nluvu7bb (Trojan.FakeAlert) -> Data: C:\Documents and Settings\infectedxp\Desktop\e8c572741be7ef52e20e97b91a780ec1.exe -> Quarantined and deleted successfully.

Files Detected: 7
C:\Documents and Settings\infectedxp\Desktop\e8c572741be7ef52e20e97b91a780ec1.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\infectedxp\Application Data\Security Monitor 2012\Security Monitor.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\infectedxp\Application Data\Security Monitor 2012\securityhelper.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\infectedxp\Application Data\Security Monitor 2012\securitymanager.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\infectedxp\Local Settings\temp\ppddfcfux.exxe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\infectedxp\Local Settings\temp\w32rim_mem.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\infectedxp\Local Settings\temp\wrfwe_di.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
__________________________________________________________________________________
MGtools

"C:\Documents and Settings\infectedxp\Application Data\"
SECURI~1      Feb  9 2012              "Security Monitor 2012"

 Directory of C:\Documents and Settings\infectedxp\Application Data\Security Monitor 2012

02/09/2012  01:14 AM    <DIR>          .
02/09/2012  01:14 AM    <DIR>          ..
02/01/2012  04:43 AM               894 IcoActivate.ico
02/01/2012  04:43 AM               894 IcoHelp.ico
02/01/2012  04:43 AM               894 IcoUninstall.ico
               3 File(s)          2,682 bytes
               2 Dir(s)   7,837,241,344 bytes free


"C:\Documents and Settings\infectedxp\Desktop\"
securi~1.lnk  Feb  9 2012        1940  "Security Monitor 2012.lnk"

"C:\Documents and Settings\infectedxp\Start Menu\Programs\"
SECURI~1      Feb  9 2012              "Security Monitor 2012"
securi~1.lnk  Feb  9 2012        1940  "Security Monitor 2012.lnk"
__________________________________________________________________________________
Notes:

You can kill all 3 bad processes within the Task Manager:
  • Security Monitor.exe
  • securityhelper.exe
  • securitymanager.exe
However, one of these processes turns the entire screen a very dark gray, and it almost appears as though you will have to reboot to do anything further. Windows + R does not work, but Ctrl+Shift+Esc will. That launches the Task Manager so you can end the processes above, after which your background returns to its original state. If worst comes to worst, boot into Safe Mode for a higher chance of success, as most FakeAVs won't automatically launch there.

Among the many pop-ups and warnings from the 3 different processes, there is also audio embedded in the Security Monitor.exe file / process: a female voice that constantly blurts out something along the lines of "Infection found". It is highly advisable to turn your volume down if you are having trouble stopping the processes quickly :-)

Also, I find it important to note that there is a bad registry entry (the HKCU Run value shown in the MBAM output above) whose only purpose is to execute the bad .exe you downloaded. In my case it was e8c572741be7ef52e20e97b91a780ec1.exe; you can see in the log that this file is on my desktop.

This is the .exe that spawns the other 3 bad processes mentioned above, so on every reboot, if this registry value is still there (as well as the .exe it points to), it will recreate all 3 bad files in %appdata%.
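As an added example (not part of the original post or of any tool mentioned in it), the following PowerShell audit looks for the persistence pattern described above: a current-user Run value whose command points to an executable under the user's own profile (Desktop, Temp, Application Data), plus the "Security Monitor 2012" artifacts named in the MBAM and MGtools output. Folder lookups use the current user's profile, so the exact paths will differ from the XP paths in the logs; the function and variable names are my own.

```powershell
# Added example, not from the original post: audit HKCU Run for autostart
# entries that point into user-writable folders, the pattern this FakeAV uses
# (a random value name whose data is a dropper .exe on the Desktop).

$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Roots matching the page's MBAM log (Desktop, Local Settings\temp,
# Application Data); resolved for whoever runs the script.
$suspiciousRoots = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('ApplicationData'),
    [Environment]::GetFolderPath('LocalApplicationData'),
    $env:TEMP
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Get-CommandPath {
    # Extract the executable path from a Run value's command line,
    # handling both quoted ("C:\path with spaces\x.exe" /arg) and bare forms.
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
$runValues = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runValues) {
    foreach ($p in $runValues.PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }   # provider metadata, not Run values
        $exe = Get-CommandPath ([string]$p.Value)
        $inUserDir = $suspiciousRoots | Where-Object { $exe -like "$_\*" }
        if ($inUserDir) {
            [pscustomobject]@{
                ValueName = $p.Name
                Target    = $exe
                Exists    = Test-Path -LiteralPath $exe   # dropper still present => will re-infect on reboot
                Reason    = 'Run value targets user-writable folder'
            }
        }
    }
}

# Artifacts named in the post's MBAM and MGtools output.
$appData   = [Environment]::GetFolderPath('ApplicationData')
$artifacts = @(
    (Join-Path $appData 'Security Monitor 2012'),
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\Security Monitor 2012'
)
foreach ($a in $artifacts) {
    [pscustomobject]@{ Artifact = $a; Present = (Test-Path -LiteralPath $a) }
}
```

A hit with `Exists = True` on the Run value is the case the post warns about: removing the %appdata% files alone is not enough while the dropper and its Run value remain.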
___________________________________________________________________________________
