
HTTP AVSystemCare Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects Security Risk.AVSystemCare communicating with, and requesting information from, its controlling server.

Additional Information

The misleading application can be manually downloaded and installed, or it may be installed by a downloader, without the user's consent.

If manually executed, it presents an installation wizard, with one dialog box including an EULA.

The application reports false detections for a number of Trojan horses.

The application reports the presence of the following fake threats:

* Trojan.Backdoor.IROffer
* Trojan.Spy.DKangel

The user is then prompted to pay for a full license of the application in order to remove the fake threats.

Installation

When the security risk is executed, it creates the following files:

* %UserProfile%\Application Data\AVSystemCare\avtasks.dat
* %UserProfile%\Application Data\AVSystemCare\Logs\av.log
* %UserProfile%\Application Data\AVSystemCare\Logs\ga6Support.log
* %UserProfile%\Application Data\AVSystemCare\Logs\update.log
* %UserProfile%\Application Data\AVSystemCare\PGE.dat
* C:\Documents and Settings\All Users\Start Menu\AVSystemCare\AVSystemCare.lnk
* C:\Documents and Settings\All Users\Start Menu\AVSystemCare\Contact Customer Support.lnk
* C:\Documents and Settings\All Users\Start Menu\AVSystemCare\Uninstall AVSystemCare.lnk
* %ProgramFiles%\Common Files\AVSystemCare\uga6pcw.exe
* %ProgramFiles%\Common Files\AVSystemCare\UGaChk.dll
* %ProgramFiles%\AVSystemCare\Activate.exe
* %ProgramFiles%\AVSystemCare\Addons\popupg.dll
* %ProgramFiles%\AVSystemCare\atf.exe
* %ProgramFiles%\AVSystemCare\Base\AWBase\database\enemies.dat
* %ProgramFiles%\AVSystemCare\Base\AWBase\vbpv.dat
* %ProgramFiles%\AVSystemCare\Base\PGBase\vbpv.dat
* %ProgramFiles%\AVSystemCare\Base\plugins\BORLNDMM.DLL
* %ProgramFiles%\AVSystemCare\Base\plugins\SCANADWR.DLL
* %ProgramFiles%\AVSystemCare\Base\plugins\SCANBCDR.DLL
* %ProgramFiles%\AVSystemCare\Base\plugins\SCANDLDR.DLL
* %ProgramFiles%\AVSystemCare\Base\plugins\SCANDOS1.DLL
* %ProgramFiles%\AVSystemCare\Base\plugins\SCANEMUL.DLL
* %ProgramFiles%\AVSystemCare\Base\plugins\SCANFUNC.DLL
* %ProgramFiles%\AVSystemCare\Base\plugins\SCANKRNL.DLL
* %ProgramFiles%\AVSystemCare\Base\plugins\SCANMCR1.DLL
* %ProgramFiles%\AVSystemCare\Base\plugins\SCANOTHR.DLL
* %ProgramFiles%\AVSystemCare\Base\plugins\SCANSCR.DLL
* %ProgramFiles%\AVSystemCare\Base\plugins\SCANTOOL.DLL
* %ProgramFiles%\AVSystemCare\Base\plugins\SCANTROJ.DLL
* %ProgramFiles%\AVSystemCare\Base\plugins\SCANWIN1.DLL
* %ProgramFiles%\AVSystemCare\Base\plugins\UNACPU.DLL
* %ProgramFiles%\AVSystemCare\Base\plugins\UNADBX.DLL
* %ProgramFiles%\AVSystemCare\Base\plugins\unamscan.dll
* %ProgramFiles%\AVSystemCare\Base\plugins\UNMIME.DLL
* %ProgramFiles%\AVSystemCare\Base\plugins\UNPACK.DLL
* %ProgramFiles%\AVSystemCare\Base\plugins\UNPACKS.DLL
* %ProgramFiles%\AVSystemCare\Base\plugins\UNPACKS2.DLL
* %ProgramFiles%\AVSystemCare\Base\plugins\UNPEPACK.DLL
* %ProgramFiles%\AVSystemCare\Base\plugins\UpDate\UA27601.DLL
* %ProgramFiles%\AVSystemCare\Base\plugins\UpDate\UA27602.DLL
* %ProgramFiles%\AVSystemCare\Base\plugins\UpDate\UA27603.DLL
* %ProgramFiles%\AVSystemCare\Base\plugins\UpDate\UA27604.DLL
* %ProgramFiles%\AVSystemCare\Base\plugins\UpDate\UADAILY.DLL
* %ProgramFiles%\AVSystemCare\Base\plugins\vbpv.dat
* %ProgramFiles%\AVSystemCare\Config\pgs.xml
* %ProgramFiles%\AVSystemCare\Dat\Activate.dat
* %ProgramFiles%\AVSystemCare\Dat\BkS
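The file list above is the host-based evidence that complements the network signature. The following PowerShell script is an added example, not part of the Symantec signature page: it expands the environment variables in each listed path, reports which artifacts are present on the host, and shows their size and last-write time so an analyst can correlate them with the time of the signature hit. The paths are exactly those given above; the one assumption added is that on Windows Vista and later the page's `%UserProfile%\Application Data` location resolves to `%AppData%`, so an equivalent `%AppData%` path is checked as well.

```powershell
# Added example (not from the signature page): look for the AVSystemCare file
# artifacts listed in the "Installation" section and report which ones exist.

# Paths copied from the page. Assumption: on Vista and later the per-user
# "Application Data" folder is reached via %AppData%, so that variant is derived below.
$artifacts = @(
    '%UserProfile%\Application Data\AVSystemCare\avtasks.dat',
    '%UserProfile%\Application Data\AVSystemCare\Logs\av.log',
    '%UserProfile%\Application Data\AVSystemCare\Logs\ga6Support.log',
    '%UserProfile%\Application Data\AVSystemCare\Logs\update.log',
    '%UserProfile%\Application Data\AVSystemCare\PGE.dat',
    'C:\Documents and Settings\All Users\Start Menu\AVSystemCare\AVSystemCare.lnk',
    'C:\Documents and Settings\All Users\Start Menu\AVSystemCare\Contact Customer Support.lnk',
    'C:\Documents and Settings\All Users\Start Menu\AVSystemCare\Uninstall AVSystemCare.lnk',
    '%ProgramFiles%\Common Files\AVSystemCare\uga6pcw.exe',
    '%ProgramFiles%\Common Files\AVSystemCare\UGaChk.dll',
    '%ProgramFiles%\AVSystemCare\Activate.exe',
    '%ProgramFiles%\AVSystemCare\Addons\popupg.dll',
    '%ProgramFiles%\AVSystemCare\atf.exe',
    '%ProgramFiles%\AVSystemCare\Base\AWBase\database\enemies.dat',
    '%ProgramFiles%\AVSystemCare\Base\AWBase\vbpv.dat',
    '%ProgramFiles%\AVSystemCare\Base\PGBase\vbpv.dat',
    '%ProgramFiles%\AVSystemCare\Base\plugins\BORLNDMM.DLL',
    '%ProgramFiles%\AVSystemCare\Base\plugins\SCANADWR.DLL',
    '%ProgramFiles%\AVSystemCare\Base\plugins\SCANBCDR.DLL',
    '%ProgramFiles%\AVSystemCare\Base\plugins\SCANDLDR.DLL',
    '%ProgramFiles%\AVSystemCare\Base\plugins\SCANDOS1.DLL',
    '%ProgramFiles%\AVSystemCare\Base\plugins\SCANEMUL.DLL',
    '%ProgramFiles%\AVSystemCare\Base\plugins\SCANFUNC.DLL',
    '%ProgramFiles%\AVSystemCare\Base\plugins\SCANKRNL.DLL',
    '%ProgramFiles%\AVSystemCare\Base\plugins\SCANMCR1.DLL',
    '%ProgramFiles%\AVSystemCare\Base\plugins\SCANOTHR.DLL',
    '%ProgramFiles%\AVSystemCare\Base\plugins\SCANSCR.DLL',
    '%ProgramFiles%\AVSystemCare\Base\plugins\SCANTOOL.DLL',
    '%ProgramFiles%\AVSystemCare\Base\plugins\SCANTROJ.DLL',
    '%ProgramFiles%\AVSystemCare\Base\plugins\SCANWIN1.DLL',
    '%ProgramFiles%\AVSystemCare\Base\plugins\UNACPU.DLL',
    '%ProgramFiles%\AVSystemCare\Base\plugins\UNADBX.DLL',
    '%ProgramFiles%\AVSystemCare\Base\plugins\unamscan.dll',
    '%ProgramFiles%\AVSystemCare\Base\plugins\UNMIME.DLL',
    '%ProgramFiles%\AVSystemCare\Base\plugins\UNPACK.DLL',
    '%ProgramFiles%\AVSystemCare\Base\plugins\UNPACKS.DLL',
    '%ProgramFiles%\AVSystemCare\Base\plugins\UNPACKS2.DLL',
    '%ProgramFiles%\AVSystemCare\Base\plugins\UNPEPACK.DLL',
    '%ProgramFiles%\AVSystemCare\Base\plugins\UpDate\UA27601.DLL',
    '%ProgramFiles%\AVSystemCare\Base\plugins\UpDate\UA27602.DLL',
    '%ProgramFiles%\AVSystemCare\Base\plugins\UpDate\UA27603.DLL',
    '%ProgramFiles%\AVSystemCare\Base\plugins\UpDate\UA27604.DLL',
    '%ProgramFiles%\AVSystemCare\Base\plugins\UpDate\UADAILY.DLL',
    '%ProgramFiles%\AVSystemCare\Base\plugins\vbpv.dat',
    '%ProgramFiles%\AVSystemCare\Config\pgs.xml',
    '%ProgramFiles%\AVSystemCare\Dat\Activate.dat',
    '%ProgramFiles%\AVSystemCare\Dat\BkS'
)

# Derive the %AppData% form of every per-user path (assumption noted above).
$prefix = '%UserProfile%\Application Data'
$derived = $artifacts |
    Where-Object { $_.StartsWith($prefix) } |
    ForEach-Object { '%AppData%' + $_.Substring($prefix.Length) }

# Expand variables, de-duplicate, and test each candidate path literally
# (-LiteralPath avoids wildcard interpretation of any characters in the names).
$found = ($artifacts + $derived) |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) } |
    Sort-Object -Unique |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Get-Item -LiteralPath $_ -Force } |
    Select-Object FullName, Length, LastWriteTime

if ($found) {
    $found | Format-Table -AutoSize
    Write-Warning ("{0} AVSystemCare artifact(s) present on this host." -f @($found).Count)
} else {
    Write-Output 'No AVSystemCare file artifacts found.'
}
```

Run it in an elevated PowerShell session so that `%ProgramFiles%` and the All Users Start Menu are readable; a non-empty result is evidence of the installation described above, and the `LastWriteTime` values give the earliest point to look for in proxy or IDS logs around the signature hit.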

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows XP

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.
