
Ukash / False Windows Update malware / virus

Created: 02 May 2012 • Updated: 02 May 2012 | 3 comments
jocham-it

Hi there,

How can it be that an XP PC with current Windows Updates and current pattern files with Endpoint Protection gets infected with this malware, which changes the registry at [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell"="explorer.exe" to a different value?

Thanks for any updates,
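One defender-side check for the modification described in the post, added here as an example that is not from the thread or from Symantec: it parses a `.reg` export of the Winlogon key and flags a Shell value other than the explorer.exe default. The two exports and the Temp path in them are constructed samples, not data from a real machine.

```python
import re

# Key the post says the malware modifies, and the default value it is expected to hold.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED = {"Shell": "explorer.exe"}

# A .reg line of the form "name"="value"; backslashes and quotes inside are escaped with '\'.
_STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """Parse a Regedit 5.00 text export into {key path: {value name: string value}}."""
    keys, current = {}, None
    unescape = lambda s: re.sub(r"\\(.)", r"\1", s)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):      # [HKEY_...] starts a new key
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _STRING_VALUE.match(line)                          # only REG_SZ values are needed here
        if m and current is not None:
            keys[current][unescape(m.group(1))] = unescape(m.group(2))
    return keys


def check_winlogon(text):
    """Return [(value name, actual value)] for each expected value that is missing or
    differs from its default; an empty list means the Winlogon key looks untouched."""
    values = parse_reg_export(text).get(WINLOGON_KEY, {})
    return [(name, values.get(name)) for name, default in EXPECTED.items()
            if values.get(name) is None or values[name].strip().lower() != default]


# Constructed sample exports (not from a real machine); the Temp path is a placeholder.
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"""
INFECTED_EXPORT = CLEAN_EXPORT.replace(
    '"Shell"="explorer.exe"', r'"Shell"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\ransom_sample.exe"')

if __name__ == "__main__":
    for label, export in (("clean", CLEAN_EXPORT), ("infected", INFECTED_EXPORT)):
        print(label, check_winlogon(export) or "Shell is the explorer.exe default")
```

On a live XP machine the export comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`; the file is UTF-16, so open it with that encoding before passing the text in.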



greg12

Probably because the virus is rapidly mutating and definitions aren't present yet. Sounds a bit like the BKA/GEMA ransomware family which is highly "popular" for the time being, such as Trojan.Ransomgerpo.

You can send the suspicious file to Symantec:

To protect PCs, you can create an Application Control rule preventing the change of the mentioned registry key. Furthermore, Intrusion Prevention may help to detect suspicious packets while they are downloaded.

Mithun Sanghavi

In your case, there are a few things to look at:

1) Are the XP machines installed with the full feature set, and do they carry the latest definitions?

2) Is Symantec Detecting any Threat or Suspicious Files?

I would suggest you follow the steps below:

1) Follow the Steps provided in the Article below:

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

2) Apply an Application and Device Control Policy for Hardening Symantec Endpoint Protection (SEP)

How the Application and Device Control Hardening policy works

Hope that helps!!

Mithun Sanghavi
Associate Security Architect


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

cus000

There are some factors that we sometimes miss:

1) Malware writers nowadays do not only exploit the OS level (Windows), but other components such as Flash, Adobe etc.

2) Variants (could be by polymorphism or obfuscation), e.g. if the AV relies on a traditional pattern for detecting a certain malware... then this method will easily bypass the protection, as it doesn't have a pattern to detect it yet...

Mind sharing the specific threat name? Is it Ukash? Also you may want to read about Symantec detection for fake AV: