
HTTP EliteProtector Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects EliteProtector, a program that may give exaggerated reports of threats on the computer.

Additional Information

When the program is executed, it creates the following files:

* %UserProfile%\Start Menu\Programs\Startup\.protected
* C:\Documents and Settings\All Users\Start Menu\Programs\Startup\.protected
* C:\Documents and Settings\All Users\Start Menu\Programs\EliteProtector\EliteProtector Uninstall.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\EliteProtector\EliteProtector.lnk
* %ProgramFiles%\EliteProtector\EliteProtector.db
* %ProgramFiles%\EliteProtector\EliteProtector.exe
* %ProgramFiles%\EliteProtector\EliteProtector.pkg
* %ProgramFiles%\EliteProtector\program.info
* %ProgramFiles%\EliteProtector\Uninstall.exe
* %System%\drivers\etc\.protected
* %Windir%\.protected
* %System%\.protected
* %UserProfile%\Application Data\EliteProtector\logs\[RANDOM NAME].log

Next, the program creates the following registry entry so that it executes whenever Windows starts:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"EliteProtector" = "C:\Program Files\EliteProtector\EliteProtector.exe"

It also creates the following registry subkeys:

* HKEY_CURRENT_USER\Software\EliteProtector
* HKEY_LOCAL_MACHINE\SOFTWARE\EliteProtector
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EliteProtector
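As an added defender-side example (not Symantec's code and not part of this signature page), the following Python script turns the file and registry indicators listed above into match rules and runs them over a few constructed host telemetry records, the kind of file-create and registry-set events an endpoint sensor would log. The placeholder expansions for %UserProfile%, %ProgramFiles%, %System% and %Windir%, the hive aliases, and the sample events are assumptions chosen for the example; only the indicator paths themselves come from the page.

```python
"""Match the EliteProtector file and registry indicators against constructed
host telemetry. Example code, not Symantec's; indicators copied from the page."""
import re
from typing import Dict, List, Pattern, Tuple

FILE_INDICATORS = [
    r"%UserProfile%\Start Menu\Programs\Startup\.protected",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\.protected",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\EliteProtector\EliteProtector Uninstall.lnk",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\EliteProtector\EliteProtector.lnk",
    r"%ProgramFiles%\EliteProtector\EliteProtector.db",
    r"%ProgramFiles%\EliteProtector\EliteProtector.exe",
    r"%ProgramFiles%\EliteProtector\EliteProtector.pkg",
    r"%ProgramFiles%\EliteProtector\program.info",
    r"%ProgramFiles%\EliteProtector\Uninstall.exe",
    r"%System%\drivers\etc\.protected",
    r"%Windir%\.protected",
    r"%System%\.protected",
    r"%UserProfile%\Application Data\EliteProtector\logs\[RANDOM NAME].log",
]

# The Run entry is a value named "EliteProtector"; it is stored here as key\valuename.
REGISTRY_INDICATORS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EliteProtector",
    r"HKEY_CURRENT_USER\Software\EliteProtector",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\EliteProtector",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EliteProtector",
]

# Assumed expansions for a Windows XP era host (hypothetical, for the sample below).
PLACEHOLDERS = {
    "%UserProfile%": r"C:\Documents and Settings\alice",
    "%ProgramFiles%": r"C:\Program Files",
    "%System%": r"C:\WINDOWS\system32",
    "%Windir%": r"C:\WINDOWS",
}
HIVE_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


def indicator_to_regex(indicator: str) -> Pattern:
    """Expand placeholders and the [RANDOM NAME] token into an anchored,
    case-insensitive regex; everything else is matched literally."""
    pattern = ""
    for part in re.split(r"(%[A-Za-z]+%|\[RANDOM NAME\])", indicator):
        if part in PLACEHOLDERS:
            pattern += re.escape(PLACEHOLDERS[part])
        elif part == "[RANDOM NAME]":
            pattern += r"[^\\]+"          # one path component, any name
        else:
            pattern += re.escape(part)
    return re.compile("^" + pattern + "$", re.IGNORECASE)


def normalize_registry_path(key: str, value_name: str = "") -> str:
    """Expand hive aliases, append the value name, lower-case for comparison."""
    hive, _, rest = key.partition("\\")
    path = HIVE_ALIASES.get(hive.upper(), hive.upper())
    if rest:
        path += "\\" + rest
    if value_name:
        path += "\\" + value_name
    return path.lower()


FILE_PATTERNS = [(ind, indicator_to_regex(ind)) for ind in FILE_INDICATORS]
REGISTRY_LOOKUP = {ind.lower(): ind for ind in REGISTRY_INDICATORS}


def match_events(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (observed, indicator) pairs for every event that hits an indicator."""
    hits = []
    for ev in events:
        if ev["type"] == "file_create":
            for indicator, rx in FILE_PATTERNS:
                if rx.match(ev["path"]):
                    hits.append((ev["path"], indicator))
                    break
        elif ev["type"] in ("reg_set", "reg_key_create"):
            value_name = ev.get("value_name", "")
            norm = normalize_registry_path(ev["key"], value_name)
            if norm in REGISTRY_LOOKUP:
                observed = ev["key"] + ("\\" + value_name if value_name else "")
                hits.append((observed, REGISTRY_LOOKUP[norm]))
    return hits


# Constructed sample telemetry: four indicator hits mixed with benign activity.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Program Files\EliteProtector\EliteProtector.exe"},
    {"type": "file_create", "path": r"C:\WINDOWS\system32\drivers\etc\.protected"},
    {"type": "file_create", "path": r"C:\Documents and Settings\alice\Application Data\EliteProtector\logs\x7f3a.log"},
    {"type": "file_create", "path": r"C:\Program Files\Notepad++\notepad++.exe"},
    {"type": "reg_set", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "EliteProtector", "data": r"C:\Program Files\EliteProtector\EliteProtector.exe"},
    {"type": "reg_key_create", "key": r"HKEY_CURRENT_USER\Software\EliteProtector"},
    {"type": "reg_set", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "value_name": "ctfmon"},
]

if __name__ == "__main__":
    for observed, indicator in match_events(SAMPLE_EVENTS):
        print(f"HIT  {observed}\n     matches {indicator}")
```

The rules are anchored and case-insensitive because Windows paths and registry keys are case-insensitive, and the `[RANDOM NAME]` token is bound to a single path component so a log file in a nested directory does not match by accident. On a real host the placeholder table would be filled from the machine's environment rather than hard-coded.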

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows Vista
  • Windows XP

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.