
HTTP ErrorSafe Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects HTTP activity generated by the misleading application ErrorSafe (Symantec category: Misleading Application).

Additional Information

When ErrorSafe is executed, it performs the following actions:

1. Creates some of the following files and folders:

* %UserProfile%\Desktop\ErrorSafe.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\ErrorSafe\Contact customer support.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\ErrorSafe\Uninstall ErrorSafe.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\ErrorSafe\ErrorSafe.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\ErrorSafe\ErrorSafe on the Web.lnk
* %ProgramFiles%\ErrorSafe\Backup
* %ProgramFiles%\ErrorSafe\Mp3DB
* %ProgramFiles%\ErrorSafe\MpegDB
* %ProgramFiles%\ErrorSafe\Repaired
* %ProgramFiles%\ErrorSafe\Tasks
* %ProgramFiles%\ErrorSafe\WaveDB
* %ProgramFiles%\ErrorSafe\ERS.EXE
* %ProgramFiles%\ErrorSafe\Install.exe
* %ProgramFiles%\ErrorSafe\sr.exe
* %ProgramFiles%\ErrorSafe\unins000.exe
* %ProgramFiles%\ErrorSafe\sr.log
* %ProgramFiles%\ErrorSafe\df_fixer.dll
* %ProgramFiles%\ErrorSafe\df_proxy.dll
* %ProgramFiles%\ErrorSafe\ecc.dll
* %ProgramFiles%\ErrorSafe\esSPCheck.dll
* %ProgramFiles%\ErrorSafe\FFWraper.dll
* %ProgramFiles%\ErrorSafe\FixCore.dll
* %ProgramFiles%\ErrorSafe\FiFxr5.dll
* %ProgramFiles%\ErrorSafe\FTRec.dll
* %ProgramFiles%\ErrorSafe\MMFix.dll
* %ProgramFiles%\ErrorSafe\StrRes.dll
* %ProgramFiles%\ErrorSafe\flash.ini
* %ProgramFiles%\ErrorSafe\Activate.dat
* %ProgramFiles%\ErrorSafe\bnlink.dat
* %ProgramFiles%\ErrorSafe\lapv.dat
* %ProgramFiles%\ErrorSafe\lock.dat
* %ProgramFiles%\ErrorSafe\pv.dat
* %ProgramFiles%\ErrorSafe\unins000.dat
* %ProgramFiles%\ErrorSafe\Template.dbx
* %ProgramFiles%\ErrorSafe\ers.url
* %ProgramFiles%\ErrorSafe\support.rul
* %ProgramFiles%\ErrorSafe\License.rtf
* %ProgramFiles%\ErrorSafe\DataBase.sav
* %ProgramFiles%\ErrorSafe\Program.sav
* %ProgramFiles%\ErrorSafe\ersd.sys
* %ProgramFiles%\ErrorSafe\erssdd.sys
* %ProgramFiles%\ErrorSafe\trace.log
* %System%\drivers\ersd.sys
* %System%\df_kme.exe

Notes:
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
* %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
* %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

2. Creates the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{05324ED1-05C0-4e3a-A34F-98BFC64426F5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{184B0A26-4C9C-4757-ABF5-4B6AF71F9A45}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{18A41B20-E519-47a1-B545-FFC200730E9B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{250D1063-5414-4fb0-86D5-AABB7A5D7DA7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2B334C22-40CA-438f-913A-61A8105C4CCD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{43DB73EB-4C90-4418-B6AD-10DB22016908}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4AA76F27-81BC-4C3F-9F24-CB99349C8CC9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F4E2384-42AD-4fe4-B966-B6D50C7BF90A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5284AC2A-EF00-4750-9B82-B5B907D26536}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{59399E33-FB54-48AB-8AE4-AE108B36DAB4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6AE7418B-229F-4A2C-AE1B-D5962888F02D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7D435027-F646-4bf9-B2C5-0EF4940D5CA2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8DAE9202-0019-4D30-A5D2-AAF02D4DDC37}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C833A552-F5AF-4a7b-87B3-6EBDE0DB3B43}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDF78E1B-31A2-4c6e-AD40-0AFCD0D55263}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F5AB293C-2E21-4441-9AD8-B3646EB26DF5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0D146B7F-FA35-465D-B716-BCBC1F9A92D3}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{12813770-461E-4A9F-8C5B-C227A8E9FBE8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1562D24E-F5BF-4BB4-AF4C-BBB610B62638}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2A1647E8-3EC2-49FE-B632-E12D765FA0CC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2DECFCC9-D910-4BAC-94B8-FC006827A60F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4AA76F27-81BC-4C3F-9F24-CB99349C8CC9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{59399E33-FB54-48AB-8AE4-AE108B36DAB4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6813BFFD-BE81-4613-B4E6-AA7ED0DA8659}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7CA36000-3320-49D1-BAD1-4C5169D4084A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7E7A1949-5C0C-45F3-A106-34FE038493EF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8DAE9202-0019-4D30-A5D2-AAF02D4DDC37}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A0E2E5AB-C02F-489B-BD7B-58C329F774F3}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A92616B1-2E82-4052-B579-0A40C2304380}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CF5C9FCE-C963-49E5-A3A4-0A81FFFE1E55}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D090E12D-B79C-4B82-A76C-0E3BBE73C9EF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D80A56D7-451C-41CF-9A74-1447E0887B97}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E0110779-5F79-4685-9C96-9D99EFD30CA2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E7CCBD19-2EEA-4B6A-B9BE-E8A68613809C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EA0F107F-2BF6-44A0-96C4-A99B74AFBC4A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F709F572-86F5-47C8-AFCF-3CEBC468FADB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F97E5B38-4887-444A-86F5-91C18331500B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{16DEEE6B-AEFC-4BA6-9F32-57BBE6783A7C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{21C724D0-B91A-4F35-99E7-55D325F00B20}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{68BC55E9-4D3E-4C89-89AC-7559763C98B8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{692CA430-32C8-470D-BA1F-7E15E21E7043}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8ECC09E1-634B-42AC-8BE7-E6EDBB53C90E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B869788C-35DF-4104-BACB-8FDB83AFFFFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{BD9421BB-9F96-4272-802F-49BEC746056E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F874A0AE-66E8-426B-A3F5-6BA6958DCDBA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ESCompCleanCore.ESAppCleaner
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ESCompCleanCore.ESAppCleaner.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ESCompCleanCore.ESCCQuickScan
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ESCompCleanCore.ESCCQuickScan.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ESCompCleanCore.ESFileCleaner
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ESCompCleanCore.ESFileCleaner.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ESCompCleanCore.ESInetCleaner
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ESCompCleanCore.ESInetCleaner.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ESCompCleanCore.ESRegCleaner
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ESCompCleanCore.ESRegCleaner.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ESCompCleanCore.ESSystemCleaner
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ESCompCleanCore.ESSystemCleaner.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ESdf_fixer.ESFixer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ESdf_fixer.ESFixer.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ESdf_proxy.ESDriverManipulate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ESdf_proxy.ESDriverManipulate.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ESFFWraper.ESFFEnginWraper
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ESFFWraper.ESFFEnginWraper.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ESFixCore.ESMMFixCore
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ESFixCore.ESMMFixCore.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ESMMFixCtrl.ESCoFixEngine
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ESMMFixCtrl.ESCoFixEngine.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ESSPCheck.ESSPCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ESSPCheck.ESSPCheck.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FlFxr5.FlFixer5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ERS_is1
HKEY_LOCAL_MACHINE\SOFTWARE\ErrorSafe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ersd.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ersd.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ERSD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ersd
HKEY_CURRENT_USER\Software\ErrorSafe

3. Adds the value:

"ErrorSafe" = "%ProgramFiles%\ErrorSafe\ers.exe /scan"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the risk runs every time Windows starts. Note that ersd.sys is also registered as a driver service (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ersd) with entries under SafeBoot\Minimal and SafeBoot\Network, so the driver is loaded in Safe Mode as well.

4. Adds the value:

"%ProgramFiles%\ErrorSafe\esPCheck.dll" = "1"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
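A host-side triage script for the artifacts listed in steps 1 to 4, added here as an example; it is not Symantec's code and not part of the original signature write-up. It is read-only (it reports findings and removes nothing), assumes PowerShell 2.0 or later, uses the default %ProgramFiles% and %System% locations from the notes above, and additionally checks %ProgramFiles(x86)% on the assumption that a 32-bit install on a 64-bit host lands there. The driver service is read from its Services key rather than via Get-Service, because Get-Service does not list kernel drivers.

```powershell
# Added example (not Symantec's code): report ErrorSafe files, registry keys,
# the Run value and the ersd driver service on the local host. Read-only.
# Assumes PowerShell 2.0+ and the default folder locations noted on this page.

$findings = @()

# 1. Files and folders. Both Program Files roots are checked; the (x86) root is
#    an assumption for 64-bit hosts and is skipped where the variable is unset.
$pfRoots = @($env:ProgramFiles)
if (${env:ProgramFiles(x86)}) { $pfRoots += ${env:ProgramFiles(x86)} }
$system32 = Join-Path $env:SystemRoot 'System32'

$paths = @()
foreach ($root in $pfRoots) {
    $dir = Join-Path $root 'ErrorSafe'
    if (Test-Path -LiteralPath $dir) { $paths += $dir }
    foreach ($name in 'ERS.EXE','sr.exe','df_fixer.dll','df_proxy.dll','esSPCheck.dll','ersd.sys','erssdd.sys') {
        $paths += Join-Path $dir $name
    }
}
$paths += Join-Path $system32 'drivers\ersd.sys'
$paths += Join-Path $system32 'df_kme.exe'
$paths += Join-Path ([Environment]::GetFolderPath('Desktop')) 'ErrorSafe.lnk'

foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "FILE    $p" }
}

# 2. Registry keys: product keys, uninstall entry, driver PnP entry, SafeBoot
#    entries, and two of the COM registrations from the list above.
$keys = @(
    'HKLM:\SOFTWARE\ErrorSafe',
    'HKCU:\Software\ErrorSafe',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ERS_is1',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ERSD',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ersd.sys',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ersd.sys',
    'HKLM:\SOFTWARE\Classes\CLSID\{05324ED1-05C0-4e3a-A34F-98BFC64426F5}',
    'HKLM:\SOFTWARE\Classes\ESdf_proxy.ESDriverManipulate'
)
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "REGKEY  $k" }
}

# 3. The Run value that provides persistence. Match on the value name and on any
#    ...\ErrorSafe\ers.exe command line, so a relocated install is still caught.
$run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip provider metadata properties
        $isName = ($prop.Name -eq 'ErrorSafe')
        $isCmd  = ($prop.Value -is [string] -and $prop.Value -match '(?i)\\ErrorSafe\\ers\.exe')
        if ($isName -or $isCmd) { $findings += "RUNKEY  $($prop.Name) = $($prop.Value)" }
    }
}

# 4. The ersd driver service, read from its Services key (Get-Service omits
#    kernel drivers). Start=0/1/2 means the driver loads at boot/system/auto.
$svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\ersd' -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "DRIVER  ersd ImagePath=$($svc.ImagePath) Start=$($svc.Start) Type=$($svc.Type)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No ErrorSafe artifacts found.'
} else {
    Write-Output "ErrorSafe artifacts found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated prompt so HKLM\SYSTEM and %System%\drivers are readable. A non-empty report confirms the host matches the installation profile above; removal itself follows the Response steps below, and the SafeBoot and Services\ersd entries mean the driver should be expected to load in Safe Mode as well as normal boot.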

Affected

  • Windows 2000
  • Windows NT
  • Windows Server 2003
  • Windows XP

Response

The following instructions pertain to all Symantec antivirus products that support security risk detection.

1. Update the definitions.
2. Run a full system scan.
3. Delete any values added to the registry.