||||
Symantec.com > Security Response > Threats and Risks > XPSecurityCenter
PRINT THIS PAGE

XPSecurityCenter

Printer Friendly Page

Updated: May 19, 2008 10:27:26 AM
Type: Misleading Application
Name: XP Security Center Module
Version: 1.0.0.1
Publisher: XPSecurityCenter.com
Risk Impact: Medium
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Behavior
The program must be manually installed. It can be installed from the following location:
XPSecurityCenter.com

The program reports false or exaggerated system security threats on the computer.





The user is then prompted to pay for a full license of the application in order to remove the errors.





Installation
When the program is executed, it creates the following files:
  • %UserProfile%\Local Settings\Temp\Binaries1.zip
  • %UserProfile%\Local Settings\Temp\Binaries2.zip
  • %UserProfile%\Local Settings\Temp\Binaries3.zip
  • C:\Documents and Settings\All Users\Desktop\XPSecurityCenter.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\XPSecurityCenter\Uninstall.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\XPSecurityCenter\XPSecurityCenter.lnk
  • %ProgramFiles%\XPSecurityCenter\data\daily.cvd
  • %ProgramFiles%\XPSecurityCenter\htmlayout.dll
  • %ProgramFiles%\XPSecurityCenter\install.exe
  • %ProgramFiles%\XPSecurityCenter\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
  • %ProgramFiles%\XPSecurityCenter\Microsoft.VC80.CRT\msvcm80.dll
  • %ProgramFiles%\XPSecurityCenter\Microsoft.VC80.CRT\msvcp80.dll
  • %ProgramFiles%\XPSecurityCenter\Microsoft.VC80.CRT\msvcr80.dll
  • %ProgramFiles%\XPSecurityCenter\pthreadVC2.dll
  • %ProgramFiles%\XPSecurityCenter\un.ico
  • %ProgramFiles%\XPSecurityCenter\unzip32.dll
  • %ProgramFiles%\XPSecurityCenter\XPSecurityCenter.dll
  • %ProgramFiles%\XPSecurityCenter\XPSecurityCenter.exe
  • %ProgramFiles%\XPSecurityCenter\XP_SecurityCenter.cfg

It may then create the following files:
  • %UserProfile%\Application Data\[RANDOM FILE NAME]
  • %UserProfile%\Local Settings\Application Data\[RANDOM FILE NAME]
  • %System%\[RANDOM FILE NAME]
  • %Windir%\[RANDOM FILE NAME]
  • C:\Documents and Settings\All Users\Application Data\[RANDOM FILE NAME]
  • C:\Documents and Settings\All Users\Documents\[RANDOM FILE NAME]

Where [RANDOM FILE NAME] is created by the program using random letters and one of the following extensions:
  • ._dl
  • .bat
  • .bin
  • .dat
  • .db
  • .exe
  • .inf
  • .pif
  • .reg
  • .sys
  • .vbs
Note: Mutiple files may be created.

Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"XP SecurityCenter" = ""C:\Program Files\XPSecurityCenter\XPSecurityCenter.exe" /hide"

It also creates the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\XP_SecurityCenter

Similar Security Risks
WinReanimator

Search by name
Example: W32.Beagle.AG@mm
Learn more about Zero-Day / Operation Aurora / Hydraq
Symantec DeepSight Screensaver
©1995 - 2010 Symantec Corporation
Site Map|
Legal Notices|
Privacy Policy|
|
Contact Us|
Global Sites|
License Agreements|
RSS