
HTTP ScanAndRepair Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects the network (HTTP) activity of the misleading application ScanandRepair.

Additional Information

ScanandRepair is a security risk that may give exaggerated reports of threats on the computer. The program then prompts the user to purchase a registered version of the software in order to remove the reported threats.

When ScanandRepair is installed, it performs the following actions:

1. Creates the following folder:

%ProgramFiles%\Scan&Repair Utilities 2006

Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.


2. Creates the following files:
* %ProgramFiles%\Scan&Repair Utilities 2006\Log.txt
* %ProgramFiles%\Scan&Repair Utilities 2006\RefData.sdb
* %ProgramFiles%\Scan&Repair Utilities 2006\Scan&Repair Utilities 2006.url
* %ProgramFiles%\Scan&Repair Utilities 2006\Scan&Repair2006.exe
* %ProgramFiles%\Scan&Repair Utilities 2006\Settings\ActiveHwnd.srf
* %ProgramFiles%\Scan&Repair Utilities 2006\Settings\AdvSettings.srf
* %ProgramFiles%\Scan&Repair Utilities 2006\Settings\Custom.srf
* %ProgramFiles%\Scan&Repair Utilities 2006\Settings\Folders.srf
* %ProgramFiles%\Scan&Repair Utilities 2006\Settings\Ignored.srf
* %ProgramFiles%\Scan&Repair Utilities 2006\Settings\ListItems.stg
* %ProgramFiles%\Scan&Repair Utilities 2006\Settings\System.srf
* %ProgramFiles%\Scan&Repair Utilities 2006\uninst.exe
* C:\Documents and Settings\Administrator\Start Menu\Programs\Scan&Repair Utilities 2006\Scan&Repair Utilities 2006.lnk
* C:\Documents and Settings\Administrator\Start Menu\Programs\Scan&Repair Utilities 2006\Uninstall Scan&Repair Utilities 200.lnk
* C:\Documents and Settings\Administrator\Start Menu\Programs\Scan&Repair Utilities 2006\Visit our Website.lnk
* C:\Documents and Settings\Administrator\Desktop\Scan&Repair Utilities 2006.lnk
* C:\WINDOWS\system32\dllcache\scrrun.dll
* C:\WINDOWS\system32\mscomct2.ocx
* C:\WINDOWS\system32\mscomctl.ocx
* C:\WINDOWS\system32\msinet.ocx
* C:\WINDOWS\system32\[Random].tmp
* C:\WINDOWS\LastGood\system32\scrrun.dll

Note: scrrun.dll, mscomct2.ocx, mscomctl.ocx and msinet.ocx are Microsoft runtime components (the Scripting Runtime and Visual Basic common controls) that the installer bundles. They are shared with legitimate software, so their presence on its own does not indicate that ScanandRepair is installed, and they should not be deleted as part of removal. The copies under dllcache and LastGood are Windows File Protection artifacts.

3. Creates the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Scan&Repair2006.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Scan&Repair Utilities 2006

4. Adds the following entry:

"Scan&Repair2006.exe" = "C:\Program Files\Scan&Repair Utilities 2006\Scan&Repair2006.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it is executed every time Windows starts.

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows XP

Response

The following instructions pertain to all Symantec antivirus products that support security risk detection.

1. Update the definitions.
2. Uninstall the security risk (it registers itself under Add or Remove Programs through the Uninstall subkey listed above).
3. Run a full system scan.
4. Delete any values added to the registry, in particular the "Scan&Repair2006.exe" entry under the Run subkey listed above.
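To turn the indicators above into a repeatable check, the following is an added example (not part of the Symantec write-up and not the vendor's tooling). It matches a host's file and registry inventory, supplied as plain strings so it runs offline on any OS, against the folder, file, shortcut and registry indicators listed under "Additional Information", separates high-confidence hits (anything under the install folder, the main executable, the App Paths, Uninstall and Run entries) from low-confidence ones (the shared Microsoft runtime files and the random .tmp file), and lists the Run value that step 4 of the Response refers to. It assumes %ProgramFiles% expands to C:\Program Files and generalises the profile-specific shortcut paths to any user profile rather than only "Administrator"; the sample inventory is constructed for the example, not captured from a real host.

```python
"""Match a Windows file/registry inventory against the ScanandRepair IOCs.

Added example, not Symantec's code. Inputs are plain strings (e.g. from a
directory listing and a .reg export) so the check runs offline on any OS.
"""
import re

# Names taken from the indicator list above. %ProgramFiles% is assumed to be
# C:\Program Files; the folder/shortcut name is matched in any path component,
# so shortcuts under any user profile (not only "Administrator") are caught.
INSTALL_FOLDER = "Scan&Repair Utilities 2006"
MAIN_EXE = "Scan&Repair2006.exe"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
APP_PATHS_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                 r"\App Paths\Scan&Repair2006.exe")
UNINSTALL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                 r"\Uninstall\Scan&Repair Utilities 2006")

# Microsoft runtime components the installer drops. Legitimate software uses
# them too, so on their own they are only low-confidence indicators.
SHARED_RUNTIME = {"scrrun.dll", "mscomct2.ocx", "mscomctl.ocx", "msinet.ocx"}
RANDOM_TMP = re.compile(r"^c:\\windows\\system32\\[^\\]+\.tmp$")


def _norm(path):
    """Case-fold and use backslashes so comparisons are Windows-like."""
    return path.replace("/", "\\").lower()


def classify_file(path):
    """Return 'high', 'low' or None for one file path."""
    parts = _norm(path).split("\\")
    folder = INSTALL_FOLDER.lower()
    # Install folder, Start Menu group, .lnk/.url shortcuts, or the main exe.
    if any(p.startswith(folder) for p in parts) or parts[-1] == MAIN_EXE.lower():
        return "high"
    if parts[-1] in SHARED_RUNTIME or RANDOM_TMP.match(_norm(path)):
        return "low"
    return None


def classify_registry(key, value_name, data):
    """Return 'high' or None for one (key, value name, data) triple."""
    n_key = _norm(key)
    for ioc in (APP_PATHS_KEY, UNINSTALL_KEY):
        if n_key == _norm(ioc) or n_key.startswith(_norm(ioc) + "\\"):
            return "high"
    if n_key == _norm(RUN_KEY):
        # Either the documented value name or any Run entry pointing into the
        # install folder (covers a renamed value with the same command line).
        if value_name.lower() == MAIN_EXE.lower() or \
                classify_file(data.strip('"')) == "high":
            return "high"
    return None


def scan(files, registry):
    """Group every matching indicator by confidence level."""
    report = {"high": [], "low": []}
    for path in files:
        level = classify_file(path)
        if level:
            report[level].append(path)
    for key, name, data in registry:
        if classify_registry(key, name, data) == "high":
            report["high"].append(f"{key} -> {name} = {data}")
    return report


def run_values_to_delete(registry):
    """Value names under the Run key that launch the risk (Response step 4)."""
    return [name for key, name, data in registry
            if _norm(key) == _norm(RUN_KEY)
            and classify_registry(key, name, data) == "high"]


# Constructed sample inventory (not a real capture): a mix of indicators,
# a shortcut under a non-Administrator profile, and benign noise.
SAMPLE_FILES = [
    r"C:\Program Files\Scan&Repair Utilities 2006\Scan&Repair2006.exe",
    r"C:\Program Files\Scan&Repair Utilities 2006\Settings\System.srf",
    r"C:\Documents and Settings\jsmith\Desktop\Scan&Repair Utilities 2006.lnk",
    r"C:\WINDOWS\system32\mscomctl.ocx",
    r"C:\WINDOWS\system32\a1b2c3.tmp",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\Program Files\Internet Explorer\iexplore.exe",
]
SAMPLE_REGISTRY = [
    (RUN_KEY, "Scan&Repair2006.exe",
     r"C:\Program Files\Scan&Repair Utilities 2006\Scan&Repair2006.exe"),
    (RUN_KEY, "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    (UNINSTALL_KEY, "DisplayName", "Scan&Repair Utilities 2006"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
     r"\Uninstall\Notepad++", "DisplayName", "Notepad++"),
]

if __name__ == "__main__":
    result = scan(SAMPLE_FILES, SAMPLE_REGISTRY)
    for level in ("high", "low"):
        print(f"{level}-confidence indicators:")
        for hit in result[level]:
            print("  ", hit)
    print("Run values to delete:", run_values_to_delete(SAMPLE_REGISTRY))
```

Only the high-confidence group is worth acting on; treat the low-confidence group as corroboration, because deleting the shared runtime files can break unrelated applications.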