
HTTP Truesword Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects activity of the misleading application TrueSword.

Additional Information

When TrueSword is executed it performs the following actions:

1. Creates the following files:

* %ProgramFiles%\Security Stronghold\True Software\TrueSword.exe
* %ProgramFiles%\Security Stronghold\True Software\unins000.exe
* %ProgramFiles%\Security Stronghold\Active Shield\ActiveShield.exe
* %ProgramFiles%\Security Stronghold\Active Shield\KillProcess.exe
* %ProgramFiles%\Security Stronghold\Active Shield\unins000.exe
* %UserProfile%\Desktop\True Sword.lnk
* %UserProfile%\Desktop\Active Shield.lnk
* %Windir%\eSellerateControl350.dll (legitimate, non-malicious component)
* %Windir%\eSellerateEngine.dll (legitimate, non-malicious component)
* %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\True Sword\Help.lnk
* %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\True Sword\Order Now!.lnk
* %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\True Sword\Security Stronghold Online.lnk
* %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\True Sword\True Sword.lnk
* %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\True Sword\Uninstall True Sword.lnk
* %ProgramFiles%\Security Stronghold\True Software\Backups.dat
* %ProgramFiles%\Security Stronghold\True Software\db.dat
* %ProgramFiles%\Security Stronghold\True Software\file_id.diz
* %ProgramFiles%\Security Stronghold\True Software\license.txt
* %ProgramFiles%\Security Stronghold\True Software\options.ini
* %ProgramFiles%\Security Stronghold\True Software\readme.txt
* %ProgramFiles%\Security Stronghold\True Software\solved.dat
* %ProgramFiles%\Security Stronghold\True Software\ts_pad.xml
* %ProgramFiles%\Security Stronghold\True Software\unins000.dat
* %ProgramFiles%\Security Stronghold\True Software\Help\Help.chm
* %ProgramFiles%\Security Stronghold\True Software\Res\[IMAGE FILES USED BY THE INTERFACE]
* %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Active Shield\Active Shield.lnk
* %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Active Shield\Help.lnk
* %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Active Shield\Order Now!.lnk
* %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Active Shield\Security Stronghold Online.lnk
* %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Active Shield\Uninstall Active Shield.lnk
* %ProgramFiles%\Security Stronghold\Active Shield\as_pad.xml
* %ProgramFiles%\Security Stronghold\Active Shield\Backups.dat
* %ProgramFiles%\Security Stronghold\Active Shield\BlackList.dat
* %ProgramFiles%\Security Stronghold\Active Shield\db.dat
* %ProgramFiles%\Security Stronghold\Active Shield\file_id.diz
* %ProgramFiles%\Security Stronghold\Active Shield\license.txt
* %ProgramFiles%\Security Stronghold\Active Shield\readme.txt
* %ProgramFiles%\Security Stronghold\Active Shield\Solved.dat
* %ProgramFiles%\Security Stronghold\Active Shield\unins000.dat
* %ProgramFiles%\Security Stronghold\Active Shield\WhiteList.dat
* %ProgramFiles%\Security Stronghold\Active Shield\Help\Help.Chm
* %ProgramFiles%\Security Stronghold\Active Shield\Res\[IMAGE FILES USED BY THE INTERFACE]

Notes:
* %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
* %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
* %SystemDrive% is a variable that refers to the drive on which Windows is installed. By default, this is drive C.

2. Creates the following folders:

* %ProgramFiles%\Security Stronghold\True Software\Infected
* %ProgramFiles%\Security Stronghold\Active Shield\Infected

3. Creates the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\True Sword_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Security Stronghold
HKEY_LOCAL_MACHINE\SOFTWARE\Security Stronghold\True Sword
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Active Shield_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Security Stronghold\Active Shield

4. Adds the following registry subkeys, which are related to the legitimate eSellerate component:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25982EAA-87CC-4747-BE09-9913CF7DD2F1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A3E27DCE-DD77-49F4-B566-03FA894C8308}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1E958A86-A23B-4659-A6AE-BD85FCD1D544}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\eSellerateControl.350
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\eSellerateControl.350.1

5. Adds the following value:

"Active Shield" = "%ProgramFiles%\Security Stronghold\Active Shield\ActiveShield.exe"

to the following subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the risk is executed every time Windows starts.

6. Exaggerates reports of threats on the compromised computer. The program then prompts the user to purchase a registered version of the software in order to remove the reported threats.
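As an added triage check (example code, not part of the Symantec write-up), the following PowerShell script looks for the indicators listed above: the Run value used for persistence, the registry subkeys created by the installer, and the main dropped files and shortcuts. It is read-only and assumes the default %ProgramFiles% and %UserProfile% locations described in the notes.

```powershell
# Added triage check for the TrueSword / Active Shield indicators listed above.
# Run in an elevated PowerShell session; reports findings and removes nothing.
$runKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValueName = 'Active Shield'

# Registry subkeys the write-up says the installer creates (step 3).
$subkeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\True Sword_is1',
    'HKLM:\SOFTWARE\Security Stronghold',
    'HKLM:\SOFTWARE\Security Stronghold\True Sword',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Active Shield_is1',
    'HKLM:\SOFTWARE\Security Stronghold\Active Shield'
)

# Executables and shortcuts from step 1 (assumes default %ProgramFiles% / %UserProfile%).
$base  = Join-Path $env:ProgramFiles 'Security Stronghold'
$files = @(
    (Join-Path $base 'True Software\TrueSword.exe'),
    (Join-Path $base 'Active Shield\ActiveShield.exe'),
    (Join-Path $base 'Active Shield\KillProcess.exe'),
    (Join-Path $env:USERPROFILE 'Desktop\True Sword.lnk'),
    (Join-Path $env:USERPROFILE 'Desktop\Active Shield.lnk')
)

$findings = @()

# Persistence (step 5): the "Active Shield" value under the Run key.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$runValueName]) {
    $findings += "Run value '$runValueName' = $($run.$runValueName)"
}

# Installer registry subkeys.
foreach ($k in $subkeys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

# Dropped files and desktop shortcuts.
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No TrueSword / Active Shield indicators found.'
} else {
    Write-Output "Found $($findings.Count) indicator(s):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

On 64-bit Windows a 32-bit installer writes its keys under HKLM:\SOFTWARE\WOW6432Node and its files under ${env:ProgramFiles(x86)}, so extend the lists with those locations when triaging such hosts.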
