We discovered another fake antivirus/antimalware tool late in August. The “Windows 8 Security system” claims to detect infections, and displays alerts to scare users into purchasing protection. The real infection, of course, is the Win 8 Security System itself. It’s no surprise that developers of rogue antivirus software are playing up the connection to Windows 8, which Microsoft plans to release at the end of October.
Win 8 Security System is quite similar to the fake AV product Windows Ultra-Antivirus and is extremely aggressive and hard to remove. A victim’s system gets infected with Win 8 Security System after visiting an infected website. Recent exploits teach us that it is easy to fall victim to rogue software like Win 8 Security System, which extorts money from PC owners to “fix” their systems. McAfee Labs recommends disabling Java in your browsers and running your antimalware software with real-time protection enabled. You should also be careful when downloading files from torrents or clicking on links in email and chat messages.
Win 8 Security System displays lots of fake alerts and messages and shows a scan window on every system boot. The scan reports a long list of detections, all of them fake.
Win 8 Security System alerts in the taskbar look like this:
Even though the rogue will do its best to keep the compromise hidden, so that you cannot detect and remove the infection, you should treat all unexpected security alerts and computer scanner reports with suspicion.
It is not easy to remove Win 8 Security System. To protect its files, it comes with a rootkit, which is present at %System%\drivers\[random2].sys, where “random2” is the randomly generated filename of the rootkit, for example %System%\drivers\142da10e6b8dcd07.sys.
The malware creates the following registry elements:
- HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication
- HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212
- HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_A7042B1
- HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_A7042B1000
- HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_A7042B1000\Control
- HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_FEC477ED59233A7A
- HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_FEC477ED59233A7A000
- HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_FEC477ED59233A7A000\Control
- HKLM\SYSTEM\ControlSet001\Services\fec477ed59233a7a
- HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_A7042B1
- HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_A7042B1000
- HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_A7042B1000\Control
- HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FEC477ED59233A7A
- HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FEC477ED59233A7A000
- HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FEC477ED59233A7A000\Control
- HKLM\SYSTEM\CurrentControlSet\Services\fec477ed59233a7a
- HKLM\SYSTEM\ControlSet002\Services\Abiosdsk\Tag: 0x00000003
- HKLM\SYSTEM\ControlSet002\Services\Abiosdsk\Type: 0x00000001
- HKLM\SYSTEM\ControlSet002\Control\CurrentUser: "USERNAME"
- HKLM\SYSTEM\ControlSet002\Control\WaitToKillServiceTimeout: "20000"
- HKLM\SYSTEM\ControlSet002\Services\NtmsSvc\Parameters\ServiceDll: "%SystemRoot%\system32\ntmssvc.dll"
- HKLM\SYSTEM\ControlSet002\Services\NtmsSvc\Parameters\ShutdownTimeout: 0x0000753
———————————-
Values added
———————————-
HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name: "ec86da9ac566d59f.exe"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_A7042B1000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_A7042B1000\Control\ActiveService: "a7042b1"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_A7042B1000\Service: "a7042b1"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_A7042B1000\Legacy: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_A7042B1000\ConfigFlags: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_A7042B1000\Class: "LegacyDriver"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_A7042B1000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_A7042B1000\DeviceDesc: "ec86da9ac566d59f.exe"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_A7042B1\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_FEC477ED59233A7A000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_FEC477ED59233A7A000\Control\ActiveService: "fec477ed59233a7a"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_FEC477ED59233A7A000\Service: "fec477ed59233a7a"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_FEC477ED59233A7A000\Legacy: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_FEC477ED59233A7A000\ConfigFlags: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_FEC477ED59233A7A000\Class: "LegacyDriver"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_FEC477ED59233A7A000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_FEC477ED59233A7A000\DeviceDesc: "ec86da9ac566d59f.exe"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_FEC477ED59233A7A\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_A7042B1000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_A7042B1000\Control\ActiveService: "a7042b1"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_A7042B1000\Service: "a7042b1"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_A7042B1000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_A7042B1000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_A7042B1000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_A7042B1000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_A7042B1000\DeviceDesc: "ec86da9ac566d59f.exe"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_A7042B1\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FEC477ED59233A7A000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FEC477ED59233A7A000\Control\ActiveService: "fec477ed59233a7a"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FEC477ED59233A7A000\Service: "fec477ed59233a7a"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FEC477ED59233A7A000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FEC477ED59233A7A000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FEC477ED59233A7A000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FEC477ED59233A7A000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FEC477ED59233A7A000\DeviceDesc: "ec86da9ac566d59f.exe"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FEC477ED59233A7A\NextInstance: 0x00000001
———————————-
Files added
———————————-
C:\Documents and Settings\XXXXX\Desktop\Buy Win 8 Security System.lnk
C:\Documents and Settings\XXXXX\Desktop\Copy of 495140948.exe
C:\Documents and Settings\XXXXX\Local Settings\Application Data\ec86da9ac566d59f.exe
C:\Documents and Settings\XXXXX\Start Menu\Programs\Win 8 Security System\Buy Win 8 Security System.lnk
C:\Documents and Settings\XXXXX\Start Menu\Programs\Win 8 Security System\Launch Win 8 Security System.lnk
C:\WINDOWS\system32\drivers\fec477ed59233a7a.sys
———————————-
Folders added
———————————-
C:\Documents and Settings\XXXXX\Start Menu\Programs\Win 8 Security System
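The artifact lists above share a shape that is easier to hunt for than the literal names, which are randomly generated per infection (the post gives fec477ed59233a7a, ec86da9ac566d59f and a7042b1 for one sample): a LegacyDriver node under Enum\Root whose DeviceDesc is an .exe, a driver service and a .sys file named with 16 hex characters, a 16-hex .exe in the user's local application data, and the product's shortcuts. The following PowerShell triage helper is an added example written for this post, not code from McAfee Labs; the function name, its parameters and the pattern checks are this example's own assumptions, based only on the listings above. Because the rootkit hides its files on a live system, the most reliable use is against an offline image with the SYSTEM hive mounted via reg load, which the usage comments show.

```powershell
# Added triage example (not from the McAfee post). Looks for the artifact
# shape this rogue leaves behind rather than the one sample's random names.
# Run from an elevated PowerShell; Enum\Root needs administrator access.
function Find-RogueDriverArtifacts {
    param(
        # SYSTEM hive to inspect: HKLM:\SYSTEM on a live box, or a hive
        # mounted with 'reg load' (e.g. HKLM:\OfflineSys) for an offline image.
        [string]$SystemHive = 'HKLM:\SYSTEM',
        # Offline hives have no CurrentControlSet link; pass ControlSet001 etc.
        [string]$ControlSet = 'CurrentControlSet',
        # Windows directory and profile roots of the system being examined.
        [string]$WindowsDir = $env:SystemRoot,
        [string[]]$ProfileRoots = @("$env:SystemDrive\Documents and Settings",
                                    "$env:SystemDrive\Users")
    )
    $hex16 = '^[0-9a-f]{16}$'          # 16 random hex chars, as in the sample
    $findings = @()
    function New-Finding($Kind, $Name, $Detail) {
        New-Object PSObject -Property @{ Kind = $Kind; Name = $Name; Detail = $Detail }
    }

    # 1. Enum\Root\LEGACY_*: a LegacyDriver whose DeviceDesc is an .exe
    #    (the sample's was "ec86da9ac566d59f.exe") is not how real drivers look.
    #    This also catches the short 7-hex service name (a7042b1) in the post.
    $suspectServices = @()
    $enumRoot = Join-Path $SystemHive "$ControlSet\Enum\Root"
    Get-ChildItem -Path $enumRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'LEGACY_*' } |
        ForEach-Object {
            foreach ($inst in Get-ChildItem -Path $_.PSPath -ErrorAction SilentlyContinue) {
                $p = Get-ItemProperty -Path $inst.PSPath -ErrorAction SilentlyContinue
                if ($p.Class -eq 'LegacyDriver' -and "$($p.DeviceDesc)" -match '\.exe$') {
                    $suspectServices += $p.Service
                    $findings += New-Finding 'EnumRoot' $inst.Name "Service=$($p.Service) DeviceDesc=$($p.DeviceDesc)"
                }
            }
        }

    # 2. Services keys flagged above, or named with 16 hex chars like the
    #    post's driver service fec477ed59233a7a.
    $svcRoot = Join-Path $SystemHive "$ControlSet\Services"
    foreach ($svc in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
        $n = $svc.PSChildName
        if ($n -match $hex16 -or $suspectServices -contains $n) {
            $p = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
            $findings += New-Finding 'Service' $svc.Name "Type=$($p.Type) Start=$($p.Start) ImagePath=$($p.ImagePath)"
        }
    }

    # 3. Files: 16-hex .sys in system32\drivers, 16-hex .exe in per-user local
    #    app data (XP and Vista+ layouts), and the product's shortcuts.
    Get-ChildItem -Path (Join-Path $WindowsDir 'system32\drivers') -Filter '*.sys' -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match $hex16 } |
        ForEach-Object { $findings += New-Finding 'DriverFile' $_.FullName "Size=$($_.Length) Written=$($_.LastWriteTime)" }

    foreach ($root in $ProfileRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($user in (Get-ChildItem -Path $root -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer })) {
            foreach ($rel in 'Local Settings\Application Data', 'AppData\Local') {
                Get-ChildItem -Path (Join-Path $user.FullName $rel) -Filter '*.exe' -ErrorAction SilentlyContinue |
                    Where-Object { $_.BaseName -match $hex16 } |
                    ForEach-Object { $findings += New-Finding 'Dropper' $_.FullName "Size=$($_.Length) Written=$($_.LastWriteTime)" }
            }
            foreach ($rel in 'Desktop', 'Start Menu\Programs', 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs') {
                Get-ChildItem -Path (Join-Path $user.FullName $rel) -Recurse -Filter '*.lnk' -ErrorAction SilentlyContinue |
                    Where-Object { $_.Name -like '*Win 8 Security System*' } |
                    ForEach-Object { $findings += New-Finding 'Shortcut' $_.FullName '' }
            }
        }
    }
    $findings
}

# Live system (elevated). Expect the rootkit to hide some of these entries.
Find-RogueDriverArtifacts | Format-Table Kind, Name, Detail -AutoSize

# Offline image mounted at D: (the rootkit is not running, so nothing is hidden):
#   reg load HKLM\OfflineSys D:\Windows\System32\config\SYSTEM
#   Find-RogueDriverArtifacts -SystemHive 'HKLM:\OfflineSys' -ControlSet 'ControlSet001' `
#       -WindowsDir 'D:\Windows' -ProfileRoots 'D:\Documents and Settings','D:\Users'
#   reg unload HKLM\OfflineSys
```

A hit in the EnumRoot or Service category is the strongest signal, since Windows does not register legitimate drivers with an .exe as their device description; a 16-hex .sys or .exe on its own warrants a look at its signature and timestamps before anything is deleted. When the live scan returns nothing but the symptoms described above are present, treat that as consistent with the rootkit hiding its files and repeat the scan offline.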
Although it is possible to manually remove Win 8 Security System, you can permanently damage your system if you make any mistakes in the process, and advanced spyware parasites can often automatically repair themselves if they are not completely removed. Thus, we recommend manual spyware removal only for experienced users, such as IT specialists or highly qualified system administrators. For other users, we recommend relying on your desktop security software. McAfee identifies and deletes this infection as “Win 8 Security System.”
Win 8 Security System is a typical rogue, or fake, antivirus product. After infecting a user’s system, the malware scares its victim into buying the “product” by displaying fake security messages stating that the computer is infected with spyware or other malware, and that only this product can remove it once the victim downloads the trial version. As soon as the victim downloads Win 8 Security System, it pretends to scan the computer and reports a grossly exaggerated number of nonexistent threats. Win 8 Security System then recommends that the victim buy the full version to fix these false errors. If the user agrees, Win 8 Security System not only “fixes” the errors but also takes the user’s money and may even install additional spyware on the victim’s computer.
Thanks to my colleague Niranjan Jayanand for the sample.