SecurityRisk.Settec


Updated: February 13, 2007 11:48:39 AM
Type: Other
Infection Length: 827,392 bytes
Risk Impact: Low
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Behavior


SecurityRisk.Settec is a rootkit that can hide processes, prevent access to files, and may cause problems for legitimate programs that have access to DVD or CD drives.

Note: This rootkit was designed to hide a legitimate application, but it can be used to hide other objects, including malicious software.


Symptoms


Your Symantec program detects SecurityRisk.Settec.

Transmission


This security risk is part of the Settec Alpha-DVD copy-protection software, which is present on some KinoWelt content-protected DVDs. When such a DVD is started from a DVD drive, its autorun installer offers to install the protection software; accepting the license agreement installs the security risk on the computer. It has been reported that the German release of "Mr & Mrs Smith" will include Settec's Alpha-DVD copy protection.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version October 02, 2014 revision 022
  • Initial Daily Certified version March 02, 2006
  • Latest Daily Certified version February 28, 2012 revision 006
  • Initial Weekly Certified release date March 08, 2006




When a DVD containing SecurityRisk.Settec is run, the clean autorun installer performs the following actions:

  1. Creates the following files:

    • %Temp%\tmpagt.exe
    • %Temp%\HADL.DLL
    • %Temp%\cmtl.dat

  2. Displays an End User License Agreement dialog.

  3. Creates and executes the following files, if the user accepts the license agreement and installs the copy protection:

    • %System%\[RANDOM FILE NAME].exe
    • %System%\HADL.DLL
    • %System%\cmtl.dat

      Note:
    • A copy of %System%\[RANDOM FILE NAME].exe is also present on the DVD protected by Settec Alpha-DVD as alpha.dat. This file will be detected by the Symantec antivirus program every time a DVD protected by Settec Alpha-DVD is inserted into the DVD drive. The file cannot be deleted by the Symantec antivirus program because the DVD is a read-only medium.
    • Warning messages may be displayed by the Symantec antivirus program every time one of the above files is accessed. Users will be able to view the DVD as normal using any DVD player application.

Once SecurityRisk.Settec is installed on the computer, it performs the following actions:

  1. Adds the value:

    "SystemManager" = "%SYSTEM%\[RANDOM FILE NAME].EXE"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    \policies\Explorer\Run

    so that the risk starts every time Windows starts.
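The following Python script is an added example, not part of this writeup and not Settec or Symantec code. It shows how an analyst can check a machine for the persistence entry described above and for the files the installer drops into %System%, which is also the check to run before the manual registry removal later on this page. It parses a text export of the policies\Explorer\Run key (as produced by regedit's Export command or reg export), looks for the SystemManager value, and then checks the directory that %System% resolves to for the referenced executable and the HADL.DLL / cmtl.dat companions. The registry export, the random executable name xk92pq.exe and the system directory are constructed sample data.

```python
"""Added example: offline check for the Settec persistence entry and dropped files.

Not Symantec's or Settec's code. Input is a text export of the
HKLM\\...\\policies\\Explorer\\Run key (regedit Export / reg export) and the
directory that %System% resolves to; both are constructed below.
"""
import os
import re
import tempfile

RUN_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\policies\Explorer\Run")
VALUE_NAME = "SystemManager"
# Files the installer drops next to the randomly named EXE in %System%.
COMPANION_FILES = ("HADL.DLL", "cmtl.dat")

# Constructed sample export. The executable name xk92pq.exe is an assumption
# standing in for the random name the real installer chooses.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"SystemManager"="C:\\WINDOWS\\system32\\xk92pq.exe"
"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe"
'''

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}}.

    Only REG_SZ ("...") data is unescaped; other types (dword:, hex:) are
    kept verbatim, which is enough for a Run-key check.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";")
                or line.startswith("Windows Registry") or line == "REGEDIT4"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                # .reg escapes backslash and quote as \\ and \"
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            keys[current][name] = data
    return keys


def find_settec_persistence(reg_text):
    """Return the image path stored in the SystemManager value, or None.

    Registry key and value names are case-insensitive, so compare lowered.
    """
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            if name.lower() == VALUE_NAME.lower():
                return data
    return None


def check_dropped_files(system_dir, image_path):
    """Report which Settec artifacts exist in system_dir (%System%)."""
    exe_name = os.path.basename(image_path.replace("\\", "/"))
    # NTFS file names are case-insensitive, so compare lowered names.
    listing = {f.lower() for f in os.listdir(system_dir)}
    return {name: name.lower() in listing for name in (exe_name,) + COMPANION_FILES}


def build_sample_system_dir():
    """Constructed stand-in for %System% holding the three dropped files."""
    d = tempfile.mkdtemp(prefix="settec_demo_")
    for name in ("xk92pq.exe", "HADL.DLL", "cmtl.dat"):
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(b"\x00")  # placeholder content, not the real file
    return d


def run_check(reg_text, system_dir):
    """Combine the registry and file checks into one report."""
    image = find_settec_persistence(reg_text)
    if image is None:
        return {"persistence": None, "files": {}}
    return {"persistence": image, "files": check_dropped_files(system_dir, image)}


if __name__ == "__main__":
    report = run_check(SAMPLE_REG, build_sample_system_dir())
    print("SystemManager ->", report["persistence"])
    for name, present in report["files"].items():
        print(f"  {name}: {'present' if present else 'missing'}")
```

On a suspect machine, export the key with reg export (regedit writes exports as UTF-16, so decode the file before passing its text) and point system_dir at the real %System% directory. Note that this is the policy-driven policies\Explorer\Run key, not the better-known CurrentVersion\Run key; tooling that only enumerates the latter will miss this entry.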

  2. Uses user-mode rootkit techniques to hide its running process from process listings.

    Note: Because the hiding is done by hooking user-mode APIs, any malware that is loaded alongside it can exploit the same mechanism to hide its own processes.

  3. Uses user-mode rootkit techniques to prevent access to files in the following folders on the DVD drive:

    • VIDEO_TS
    • AUDIO_TS

      Note:
    • This rootkit technology can also be used by malware to block access to malicious files placed in the above folders, both on the DVD drive and on the hard drive of the computer.
    • An attacker could also exploit this rootkit technology by creating a CD or DVD containing malicious files in the above folders. Such files cannot be seen in directory listings on the computer, but they can still be executed.

  4. Hooks and filters the following critical system APIs, which are used for communication with DVD and CD drives:

    • DeviceIoControl
    • SendASPI32Command

      Note: This may cause a degradation in performance.

  5. Prevents certain legitimate programs that use the file ElbyCDIO.DLL from accessing the DVD drive. The following are some examples of programs that are prevented from accessing the DVD drive:
    • CloneDVD
    • AnyDVD

      The following message may be displayed if the AnyDVD program attempts to access the DVD drive:

      Title: AnyDVD Ripper
      Body: AnyDVD is not currently active for drive E:!



  6. Prevents certain legitimate programs from accessing and reading information from the DVD drive. The following are some examples of programs that are prevented from accessing the DVD drive:

    • DVDFab Express
    • DVD Decrypter

      The following message may be displayed if the DVD Decrypter program attempts to access the DVD drive:

      Title: DVDFabDecrypter
      Body: Get DVD information fail. 4100



  7. Warning messages will be displayed by the Symantec antivirus program every time the DVD protected by Settec Alpha-DVD is accessed. To view the DVD without the warning messages it is necessary either to run a scan using the Symantec antivirus program or to install the updated version of the Settec software described under "Updating the Software" below.




Updating the Software
This risk can be removed by installing a new version of the software, which does not use rootkit techniques and fixes the security issues caused by the previous version. This is available from the following Web site:

http://uninstall.settec.com/eng

Note: The risk can also be removed by running an uninstaller, which is also available from the above Web site.


Manual Removal
The following instructions pertain to all Symantec antivirus products that support security risk detection.

  1. Update the definitions.
  2. Run a full system scan.
  3. Delete any values added to the registry.
For specific details on each of these steps, read the following instructions.

1. To update the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.


2. To run the scan
  1. Start your Symantec antivirus program, and then run a full system scan.
  2. If any files are detected, and depending on which software version you are using, you may see one or more of the following options:

    Note: This applies only to versions of Norton AntiVirus that support security risk detection. If you are running a version of Symantec AntiVirus Corporate Edition that supports security risk detection, and security risk detection has been enabled, you will only see a message box that gives the results of the scan. If you have questions in this situation, contact your network administrator.
    • Exclude (Not recommended): If you click this button, it will set the risk so that it is no longer detectable. That is, the antivirus program will keep the security risk on your computer and will no longer detect it to remove from your computer.

    • Ignore or Skip: This option tells the scanner to ignore the risk for this scan only. It will be detected again the next time that you run a scan.

    • Cancel: This option is new to Norton Antivirus 2005. It is used when Norton Antivirus 2005 has determined that it cannot delete a security risk. This Cancel option tells the scanner to ignore the risk for this scan only, and thus, the risk will be detected again the next time that you run a scan.

      To actually delete the security risk:
      • Click its file name (under the Filename column).
      • In the Item Information box that displays, write down the full path and file name.
      • Then use Windows Explorer to locate and delete the file.

    • Delete: This option will attempt to delete the detected files. In some cases, the scanner will not be able to do this.
      • If you see a message, "Delete Failed" (or similar message), manually delete the file.
      • Click the file name of the risk that is under the Filename column.
      • In the Item Information box that displays, write down the full path and file name.
      • Then use Windows Explorer to locate and delete the file.

Important: If you are unable to start your Symantec antivirus product or the product reports that it cannot delete a detected file, you may need to stop the risk from running in order to remove it. To do this, run the scan in Safe mode. For instructions, read the document "How to start the computer in Safe Mode". Once you have restarted in Safe mode, run the scan again.

After the files are deleted, restart the computer in Normal mode and proceed with the next section.

Warning messages may be displayed when the computer is restarted, since the risk may not be fully removed at this point. You can ignore these messages and click OK. These messages will not appear when the computer is restarted after the removal instructions have been fully completed. The messages displayed may be similar to the following:

Title: [FILE PATH]
Message body: Windows cannot find [FILE NAME]. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

3. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. Read the document "How to make a backup of the Windows registry".
  1. Click Start > Run.
  2. Type regedit

    Then click OK.

    Note: If the registry editor fails to open the risk may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.

  3. Navigate to the subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    \policies\Explorer\Run

  4. In the right pane, delete the value:

    "SystemManager" = "%SYSTEM%\[RANDOM FILE NAME].EXE"

  5. Exit the Registry Editor.