
HTTP PCHealthPlan Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects an attempt by SecurityRisk.PCHealthPlan to communicate with, and request information from, its controlling server.

Additional Information

When PCHealthPlan is installed, it performs the following actions:

1. Creates the following files:

* %UserProfile%\Desktop\PC Health Plan.lnk
* %UserProfile%\Local Settings\Temp\Trak.html
* %UserProfile%\Start Menu\PC Health Plan.lnk
* %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\PC Health Plan\PC Health Plan.lnk
* %SystemDrive%\logerrorPCHP.txt
* %ProgramFiles%\PC Health Plan\DebugLogs\*.log
* %ProgramFiles%\PC Health Plan\Def.DAT
* %ProgramFiles%\PC Health Plan\pages.ini
* %ProgramFiles%\PC Health Plan\PC Health Plan.exe
* %ProgramFiles%\PC Health Plan\SKIN\*.jpg
* %ProgramFiles%\PC Health Plan\SKIN\scan.swf
* %ProgramFiles%\PC Health Plan\SKIN\skin.ini
* %ProgramFiles%\PC Health Plan\SKIN\vssver.scc
* %ProgramFiles%\PC Health Plan\unins000.dat
* %ProgramFiles%\PC Health Plan\unins000.exe
* %Windir%\PCHP.exe.lnk


Notes:
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
* %SystemDrive% is a variable that refers to the drive on which Windows is installed. By default, this is drive C.
* %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
* %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

2. Creates the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Health Plan_is1
HKEY_LOCAL_MACHINE\SOFTWARE\PC Health Plan
HKEY_CURRENT_USER\Software\Microsoft\PingPixel

3. Incorrectly detects clean files as infected, and gives exaggerated reports of errors in the registry.

4. Uses these false results in an attempt to persuade users to register the product for a fee.

Affected

  • Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Response

The following instructions pertain to all Symantec antivirus products that support security risk detection.

1. Update the definitions.
2. Run a full system scan.
3. Delete any values added to the registry.
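The network signature above fires only while PCHealthPlan is talking to its server; a host-side check for the files and registry subkeys listed under Additional Information complements it and supports step 3 of the Response. The following PowerShell is an added example written for this page, not Symantec's tooling: it expands the placeholders the write-up uses, sweeps every listed path (including the wildcard entries), hashes anything it finds, and with -RemoveRegistryKeys deletes the three listed subkeys. Assumptions: the artifact lists are copied verbatim from this page; the %UserProfile%\Local Settings and Documents and Settings locations are Windows XP-era and on later Windows exist only as junctions or not at all, so misses there are expected; HKLM removal needs an elevated session, and %UserProfile% and HKCU are per-user, so run it in the affected user's session.

```powershell
# Added example: sweep a host for the PC Health Plan artifacts listed on this page
# and optionally remove the listed registry subkeys. Not part of the Symantec page.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$RemoveRegistryKeys
)

# File artifacts, copied from the write-up. Placeholders are real Windows
# environment variables, so [Environment]::ExpandEnvironmentVariables resolves them.
$fileArtifacts = @(
    '%UserProfile%\Desktop\PC Health Plan.lnk',
    '%UserProfile%\Local Settings\Temp\Trak.html',
    '%UserProfile%\Start Menu\PC Health Plan.lnk',
    '%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\PC Health Plan\PC Health Plan.lnk',
    '%SystemDrive%\logerrorPCHP.txt',
    '%ProgramFiles%\PC Health Plan\DebugLogs\*.log',
    '%ProgramFiles%\PC Health Plan\Def.DAT',
    '%ProgramFiles%\PC Health Plan\pages.ini',
    '%ProgramFiles%\PC Health Plan\PC Health Plan.exe',
    '%ProgramFiles%\PC Health Plan\SKIN\*.jpg',
    '%ProgramFiles%\PC Health Plan\SKIN\scan.swf',
    '%ProgramFiles%\PC Health Plan\SKIN\skin.ini',
    '%ProgramFiles%\PC Health Plan\SKIN\vssver.scc',
    '%ProgramFiles%\PC Health Plan\unins000.dat',
    '%ProgramFiles%\PC Health Plan\unins000.exe',
    '%Windir%\PCHP.exe.lnk'
)

# Registry subkeys, copied from the write-up, in PowerShell provider notation.
$registryArtifacts = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Health Plan_is1',
    'HKLM:\SOFTWARE\PC Health Plan',
    'HKCU:\Software\Microsoft\PingPixel'
)

function Resolve-ArtifactPath {
    param([string]$Path)
    # Expand %Var% placeholders. A 32-bit program on 64-bit Windows lands under
    # %ProgramFiles(x86)%, so check that location too when it exists.
    $candidates = @([Environment]::ExpandEnvironmentVariables($Path))
    if ($Path -like '%ProgramFiles%*' -and ${env:ProgramFiles(x86)}) {
        $candidates += $Path -replace '^%ProgramFiles%', ${env:ProgramFiles(x86)}
    }
    return $candidates
}

$hits = @()

foreach ($artifact in $fileArtifacts) {
    foreach ($candidate in Resolve-ArtifactPath -Path $artifact) {
        # Get-ChildItem handles both literal paths and the *.log / *.jpg wildcards;
        # -Force includes hidden files; missing parents are silently skipped.
        $found = Get-ChildItem -Path $candidate -Force -File -ErrorAction SilentlyContinue
        foreach ($f in $found) {
            $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            $hits += [pscustomobject]@{ Type = 'File'; Path = $f.FullName; SHA256 = $hash }
        }
    }
}

foreach ($key in $registryArtifacts) {
    if (Test-Path -Path $key) {
        $hits += [pscustomobject]@{ Type = 'Registry'; Path = $key; SHA256 = $null }
        # Removal honours -WhatIf / -Confirm via ShouldProcess; HKLM keys need elevation.
        if ($RemoveRegistryKeys -and $PSCmdlet.ShouldProcess($key, 'Remove registry subkey')) {
            Remove-Item -Path $key -Recurse -Force
        }
    }
}

if ($hits.Count -eq 0) {
    Write-Output 'No PC Health Plan artifacts from the signature write-up were found.'
} else {
    $hits | Format-Table -AutoSize
}
```

Run it first without -RemoveRegistryKeys to record what is present (the SHA256 column gives you something to pivot on in other tooling), then with -RemoveRegistryKeys -WhatIf to preview the deletions before applying them. Finding none of these artifacts does not prove the host is clean; it only means the paths this write-up lists are absent, so the full scan with current definitions in steps 1 and 2 still stands.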