MalWarrior

Updated: October 4, 2007 3:03:40 PM
Type: Misleading Application
Name: MalWarrior
Publisher: ADSL Software Limited
Risk Impact: High
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Behavior
The program must be manually installed.

When it is executed and a scan is run, it displays exaggerated reports of errors on the computer.

The risk also displays a registration screen, asking the user to register the software to remove the falsely reported threats.

Installation
When the program is executed, it creates the following files:
  • %ProgramFiles%\MalWarrior 2007\MWLauncher.exe
  • %ProgramFiles%\MalWarrior 2007\unins000.dat
  • %ProgramFiles%\MalWarrior 2007\unins000.exe
  • %UserProfile%\Application Data\Adsl Software Limited\MalWarrior 2007\BASE\vbase.dat
  • %UserProfile%\Application Data\Adsl Software Limited\MalWarrior 2007\MalWarrior.exe
  • %UserProfile%\Application Data\Adsl Software Limited\MalWarrior 2007\program.ini
  • C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2007\BASE\vbase.dat
  • C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2007\MalWarrior.exe
  • C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2007\program.id
  • C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2007\program.ini
  • C:\Documents and Settings\All Users\Desktop\MalWarrior 2007.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\MalWarrior 2007\MalWarrior 2007.lnk


It also creates files using the date as the name in the following folder:
%UserProfile%\Application Data\Adsl Software Limited\MalWarrior 2007\LOG

Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_USERS\[ALL USERS]\Software\Microsoft\Windows\CurrentVersion\Run\"MalWarrior" = ""C:\Documents and Settings\Administrator\Application Data\Adsl Software Limited\MalWarrior 2007\MalWarrior.exe" /autorun"

It also creates the following registry subkeys:
  • HKEY_USERS\[ALL USERS]\Software\Adsl Software Limited
  • HKEY_USERS\[ALL USERS]\Software\Adsl Software Limited\MalWarrior 2007
  • HKEY_USERS\[ALL USERS]\Software\Adsl Software Limited\MalWarrior 2007\4.0
  • HKEY_USERS\[ALL USERS]\Software\Adsl Software Limited\MalWarrior 2007\4.0\config
  • HKEY_CLASSES_ROOT\TacOnlyOne
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MalWarrior 2007_is1
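
A triage check for the file and registry artifacts listed above, as an added example that is not part of the original write-up: it matches collected file paths, Run values and registry key names against the indicators regardless of drive, user profile or letter case. The function names, the input shape (lists of paths and (key, name, data) tuples) and the sample data are assumptions made for this example.

```python
import re
from pathlib import PureWindowsPath

# Indicators from the write-up, minus the variable root (%ProgramFiles%, %UserProfile%,
# All Users profile) so any drive or profile matches; "/" and "\" are both accepted.
APP = "Adsl Software Limited/MalWarrior 2007"
FILE_TAILS = [f"MalWarrior 2007/{n}" for n in ("MWLauncher.exe", "unins000.dat", "unins000.exe")]
FILE_TAILS += [f"{APP}/{n}" for n in ("BASE/vbase.dat", "MalWarrior.exe", "program.ini", "program.id")]
FILE_TAILS += ["Desktop/MalWarrior 2007.lnk", "Start Menu/Programs/MalWarrior 2007/MalWarrior 2007.lnk"]
KEY_TAILS = ["Software/Adsl Software Limited", "HKEY_CLASSES_ROOT/TacOnlyOne", "Uninstall/MalWarrior 2007_is1"]

def parts(path):
    """Split a path or key name into lower-cased components, ignoring stray quotes."""
    return [p.lower() for p in PureWindowsPath(path.strip().strip('"')).parts]

def contains(hay, tail, at_end=False):
    """True if tail's components form a contiguous run in hay (at its end if at_end)."""
    t = parts(tail)
    starts = [len(hay) - len(t)] if at_end else range(len(hay) - len(t) + 1)
    return any(i >= 0 and hay[i:i + len(t)] == t for i in starts)

def triage(files, run_values, keys):
    """Return (kind, item) hits for collected file paths, Run values and key names."""
    hits = []
    for f in files:
        p = parts(f)
        if any(contains(p, t, at_end=True) for t in FILE_TAILS):
            hits.append(("file", f))
        elif contains(p[:-1], f"{APP}/LOG"):          # date-named files in the LOG folder
            hits.append(("log", f))
    for key, name, data in run_values:
        exe = re.match(r"(.*?\.exe)", data, re.I)     # command line -> executable path
        by_target = exe and contains(parts(exe.group(1)), f"{APP}/MalWarrior.exe", at_end=True)
        if contains(parts(key), "CurrentVersion/Run", at_end=True) and (name.lower() == "malwarrior" or by_target):
            hits.append(("autorun", f"{key}\\{name}"))
    hits += [("regkey", k) for k in keys if any(contains(parts(k), t) for t in KEY_TAILS)]
    return hits

# Constructed sample collection (not real telemetry); SID and user name are made up.
SAMPLE_FILES = [
    r"D:\Documents and Settings\bob\Application Data\Adsl Software Limited\MalWarrior 2007\LOG\2007-10-04.txt",
    "c:/program files/malwarrior 2007/MWLAUNCHER.EXE",
    r"C:\WINDOWS\system32\notepad.exe",
]
SAMPLE_RUN = [(r"HKEY_USERS\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
               r'"C:\Documents and Settings\bob\Application Data\Adsl Software Limited\MalWarrior 2007\MalWarrior.exe" /autorun')]
SAMPLE_KEYS = [r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MalWarrior 2007_is1"]

if __name__ == "__main__":
    print(*triage(SAMPLE_FILES, SAMPLE_RUN, SAMPLE_KEYS), sep="\n")
```

The Run check matches on the value's target path as well as its name, so an entry that was renamed but still launches MalWarrior.exe from the vendor folder is reported.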