
SecurityRisk.Settec

Updated:
February 13, 2007 11:48:39 AM
Type:
Other
Infection Length:
827,392 bytes
Risk Impact:
Low
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When a DVD containing SecurityRisk.Settec is run, the clean autorun installer performs the following actions:
  1. Creates the following files:

    • %Temp%\tmpagt.exe
    • %Temp%\HADL.DLL
    • %Temp%\cmtl.dat

  2. Displays the following message, which is an End User License Agreement:



  3. Creates and executes the following files, if the user agrees to install the copy-protection software:

    • %System%\[RANDOM FILE NAME].exe
    • %System%\HADL.DLL
    • %System%\cmtl.dat

      Note:
    • A copy of %System%\[RANDOM FILE NAME].exe is also present on the DVD protected by Settec Alpha-DVD as alpha.dat. This file will be detected by the Symantec antivirus program every time a DVD protected by Settec Alpha-DVD is inserted into the DVD drive. The file cannot be deleted by the Symantec antivirus program because the DVD is a read-only medium.
    • Warning messages may be displayed by the Symantec antivirus program every time one of the above files is accessed. Users will be able to view the DVD as normal using any DVD player application.

Once SecurityRisk.Settec is installed on the computer, it performs the following actions:

  1. Adds the value:

    "SystemManager" = "%SYSTEM%\[RANDOM FILE NAME].EXE"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    so that the risk starts every time Windows starts.

  2. Uses user-mode rootkit techniques to hide its executable file from the processes list.

    Note: This can be exploited by malware to hide any malicious processes.

  3. Uses user-mode rootkit techniques to prevent access to files in the following folders on the DVD drive:

    • VIDEO_TS
    • AUDIO_TS

      Note:
    • This rootkit technology can also be used by malware to block access to malicious files placed in the above folders, both on the DVD drive and on the hard drive of the computer.
    • A malicious attacker could also exploit this rootkit technology by creating a CD or DVD containing malicious files in the above folders. These files cannot be viewed on the computer, but they can be executed.

  4. Hooks and filters the following critical system APIs, which are used for communication with DVD and CD drives:

    • DeviceIoControl
    • SendASPI32Command

      Note: This may cause a degradation in performance.

  5. Prevents certain legitimate programs that use the file ElbyCDIO.DLL from accessing the DVD drive. The following are some examples of programs that are prevented from accessing the DVD drive:

    • CloneDVD
    • AnyDVD

      The following message may be displayed if the AnyDVD program attempts to access the DVD drive:

      Title: AnyDVD Ripper
      Body: AnyDVD is not currently active for drive E:!



  6. Prevents certain legitimate programs from accessing and reading information from the DVD drive. The following are some examples of programs that are prevented from accessing the DVD drive:

    • DVDFab Express
    • DVD Decrypter

      The following message may be displayed if the DVD Decrypter program attempts to access the DVD drive:

      Title: DVDFabDecrypter
      Body: Get DVD information fail. 4100



  7. Warning messages will be displayed by the Symantec antivirus program every time the DVD protected by Settec Alpha-DVD is accessed. To view the DVD without the warning messages, it is necessary either to run a scan using the Symantec antivirus program or to download an updated version of the software.
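The following read-only hunt script is an added example, not part of the Symantec write-up: it checks a host for the persistence value, dropped files and disc indicator listed above. It assumes %System% resolves to %SystemRoot%\System32 and that alpha.dat sits in the root of the protected disc; the write-up does not state either location exactly.

```powershell
# Added example: hunt for SecurityRisk.Settec indicators from the write-up above.
# Read-only: nothing is deleted or modified.
# Assumptions (not stated in the write-up): %System% = %SystemRoot%\System32,
# and alpha.dat is in the root of the protected disc.

$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
$findings = @()

# 1. Persistence: the "SystemManager" value under policies\Explorer\Run.
#    The executable hides itself from the process list, so we look for the
#    file the value points at rather than relying on Get-Process.
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties['SystemManager']) {
        $target = [Environment]::ExpandEnvironmentVariables($props.SystemManager)
        $findings += "Run value 'SystemManager' -> $target (file exists: $(Test-Path $target))"
    }
}

# 2. Support files dropped next to the randomly named executable.
$sys = Join-Path $env:SystemRoot 'System32'
foreach ($name in 'HADL.DLL', 'cmtl.dat') {
    $p = Join-Path $sys $name
    if (Test-Path $p) { $findings += "Dropped file present: $p" }
}

# 3. Leftovers from the autorun installer in %Temp%.
foreach ($name in 'tmpagt.exe', 'HADL.DLL', 'cmtl.dat') {
    $p = Join-Path $env:TEMP $name
    if (Test-Path $p) { $findings += "Installer temp file present: $p" }
}

# 4. Optical drives (DriveType 5 = CD-ROM/DVD): alpha.dat marks a
#    Settec Alpha-DVD protected disc (assumed to be in the disc root).
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 5' | ForEach-Object {
    $p = "$($_.DeviceID)\alpha.dat"
    if (Test-Path $p) { $findings += "Settec-protected disc in $($_.DeviceID): $p" }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No SecurityRisk.Settec indicators found.' }
```

Run from an elevated prompt so the HKLM key and System32 are readable; a hit on the Run value with the target file missing from a directory listing is itself worth noting, since the risk hides its executable.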

