SystemDoctor

Updated: May 24, 2007 1:24:03 PM
Type: Misleading Application
Publisher: malwarewipe.com
Risk Impact: Medium
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When SystemDoctor is installed on the computer, it creates the following files:
  • C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\SystemDoctor 2006.lnk
  • C:\Documents and Settings\Administrator\Desktop\SystemDoctor 2006.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\SystemDoctor 2006 Unregistered Version\Contact customer support.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\SystemDoctor 2006 Unregistered Version\SystemDoctor 2006 on the Web.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\SystemDoctor 2006 Unregistered Version\SystemDoctor 2006.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\SystemDoctor 2006 Unregistered Version\Uninstall SystemDoctor 2006.lnk
  • C:\Program Files\SystemDoctor 2006 Free\Activate.dat
  • C:\Program Files\SystemDoctor 2006 Free\Activate.exe
  • C:\Program Files\SystemDoctor 2006 Free\bnlink.dat
  • C:\Program Files\SystemDoctor 2006 Free\DataBase.sav
  • C:\Program Files\SystemDoctor 2006 Free\hmlink.dat
  • C:\Program Files\SystemDoctor 2006 Free\insthelp.exe
  • C:\Program Files\SystemDoctor 2006 Free\lapv.dat
  • C:\Program Files\SystemDoctor 2006 Free\License.rtf
  • C:\Program Files\SystemDoctor 2006 Free\lock.dat
  • C:\Program Files\SystemDoctor 2006 Free\order.dll
  • C:\Program Files\SystemDoctor 2006 Free\pv.dat
  • C:\Program Files\SystemDoctor 2006 Free\ReportListFile.dat
  • C:\Program Files\SystemDoctor 2006 Free\Sd2006.exe
  • C:\Program Files\SystemDoctor 2006 Free\sd2006url.url
  • C:\Program Files\SystemDoctor 2006 Free\support.url
  • C:\Program Files\SystemDoctor 2006 Free\umain.xml
  • C:\Program Files\SystemDoctor 2006 Free\unins000.dat
  • C:\Program Files\SystemDoctor 2006 Free\unins000.exe
  • C:\Program Files\SystemDoctor 2006 Free\up.dat
  • C:\Program Files\SystemDoctor 2006 Free\updater.dat
  • C:\Program Files\SystemDoctor 2006 Free\updater.exe
  • C:\Documents and Settings\Administrator\Local Settings\Temp\USDR6_0001_D08M0404
  • C:\Documents and Settings\Administrator\Local Settings\Temp\SystemDoctorFreeSetup.exe


Next, the program creates the following registry subkeys:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\[RANDOM CLSID]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemDoctor.Free
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USDR6_is1
  • HKEY_LOCAL_MACHINE\SOFTWARE\SystemDoctor 2006 Free
  • HKEY_CURRENT_USER\Software\SystemDoctor 2006 Free

It also creates the following registry entry so that it executes whenever Windows starts:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SystemDoctor 2006 Free" = "C:\Program Files\SystemDoctor 2006 Free\sd2006.exe -scan"
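
The autostart entry above can be checked for offline by parsing saved reg query output for the Run key. This is an added example, not part of the original write-up or of any vendor tool; the function names are hypothetical and the sample output is constructed. Matching is case-insensitive because the file list spells the executable Sd2006.exe while the Run value uses sd2006.exe.

```python
import re

# Indicators taken from the write-up above, stored lower-cased for comparison.
INSTALL_DIR = r"c:\program files\systemdoctor 2006 free"
RUN_VALUE_NAME = "systemdoctor 2006 free"
# One value line of reg query output: name, type and data split by tabs or spaces.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")

def parse_run_values(reg_query_text):
    """Return [(key, value name, value data)] from reg query text output."""
    key, values = None, []
    for line in reg_query_text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()
        else:
            m = VALUE_LINE.match(line)
            if m and key:
                values.append((key, m["name"].strip(), m["data"].strip()))
    return values

def command_path(data):
    """Executable path of a Run command line, lower-cased, quotes removed."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0].lower()
    # Unquoted paths may contain spaces, so cut after the first .exe instead.
    m = re.match(r"(.+?\.exe)\b", data, re.IGNORECASE)
    return (m.group(1) if m else data).lower()

def find_systemdoctor_autoruns(reg_query_text):
    """Flag Run values whose name or target matches the write-up's indicators."""
    hits = []
    for key, name, data in parse_run_values(reg_query_text):
        by_name = name.lower() == RUN_VALUE_NAME
        by_path = command_path(data).startswith(INSTALL_DIR + "\\")
        matched = [label for label, ok in (("name", by_name), ("path", by_path)) if ok]
        if matched:
            hits.append({"key": key, "name": name, "data": data, "matched": matched})
    return hits

# Constructed sample output, not captured from a real host.
SAMPLE = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    ctfmon.exe    REG_SZ    C:\\WINDOWS\\system32\\ctfmon.exe
    SystemDoctor 2006 Free    REG_SZ    C:\\Program Files\\SystemDoctor 2006 Free\\sd2006.exe -scan
    Helper    REG_SZ    "C:\\PROGRAM FILES\\SystemDoctor 2006 Free\\Sd2006.exe" -scan
"""

if __name__ == "__main__":
    for hit in find_systemdoctor_autoruns(SAMPLE):
        print(hit["name"], hit["matched"], hit["data"])
```

The third sample line shows why the target path is checked as well as the value name: a renamed Run value that still launches from the install directory is flagged on path alone.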

Next, the program may give exaggerated reports of threats on the computer, including the following:
  • w32.myzor.fk@if
  • trojanspm/lx
  • trojan.dloader/lx
  • spyworm.win32
  • win32.trojan.rx


The program then prompts the user to purchase a registered version of the software in order to remove the reported threats.