
HTTP Malwarepro Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects HTTP activity generated by the misleading application MalwarePro, a rogue security program that reports non-existent infections to pressure the user into paying for a "full" version.

Additional Information

When the program is executed, it creates the following files:
%UserProfile%\Desktop\MalwarePro.lnk
%UserProfile%\Start Menu\Programs\MalwarePro\MalwarePro.lnk
%UserProfile%\Start Menu\Programs\MalwarePro\Uninstall MalwarePro.lnk
%ProgramFiles%\MalwarePro\MalwarePro.exe
%ProgramFiles%\MalwarePro\Uninstall\IRIMG1.JPG
%ProgramFiles%\MalwarePro\Uninstall\IRIMG2.JPG
%ProgramFiles%\MalwarePro\Uninstall\IRIMG3.JPG
%ProgramFiles%\MalwarePro\Uninstall\uninstall.dat
%ProgramFiles%\MalwarePro\Uninstall\uninstall.xml
%Windir%\MalwarePro\uninstall.exe
%Windir%\MalwarePro Setup Log.txt

It then creates the following registry subkeys:
HKEY_CURRENT_USER\Software\MPMFC1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MalwarePro5.2
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\MalwarePro
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\MalwarePro

It also creates the following registry subkey so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MalwareProMFC

Affected

  • Windows 98
  • Windows 95
  • Windows XP
  • Windows Me
  • Windows Vista
  • Windows NT
  • Windows Server 2003
  • Windows 2000

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.
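As an added example (not Symantec's code and not part of the original writeup), the following Python script sweeps an inventory of file paths and registry keys for the indicators listed under Additional Information, and reports the Run entry separately because it is the persistence mechanism that step 4 asks you to remove. It runs offline against a constructed sample inventory so the matching logic can be checked anywhere; the sweep_live_windows_host helper enumerates a real Windows host with the standard library and is what you would run after step 3 to confirm nothing was left behind. The environment values, sample paths and function names are assumptions made for the example.

```python
import ntpath
import os
import re
import sys

# File indicators exactly as listed on the page, Windows environment variables unexpanded.
FILE_INDICATORS = [
    r"%UserProfile%\Desktop\MalwarePro.lnk",
    r"%UserProfile%\Start Menu\Programs\MalwarePro\MalwarePro.lnk",
    r"%UserProfile%\Start Menu\Programs\MalwarePro\Uninstall MalwarePro.lnk",
    r"%ProgramFiles%\MalwarePro\MalwarePro.exe",
    r"%ProgramFiles%\MalwarePro\Uninstall\IRIMG1.JPG",
    r"%ProgramFiles%\MalwarePro\Uninstall\IRIMG2.JPG",
    r"%ProgramFiles%\MalwarePro\Uninstall\IRIMG3.JPG",
    r"%ProgramFiles%\MalwarePro\Uninstall\uninstall.dat",
    r"%ProgramFiles%\MalwarePro\Uninstall\uninstall.xml",
    r"%Windir%\MalwarePro\uninstall.exe",
    r"%Windir%\MalwarePro Setup Log.txt",
]
REGISTRY_INDICATORS = [
    r"HKEY_CURRENT_USER\Software\MPMFC1",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MalwarePro5.2",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\MalwarePro",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\MalwarePro",
]
# The Run entry is the autostart mechanism; keep it out of the general noise.
PERSISTENCE_INDICATOR = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MalwareProMFC"

_ENV_RE = re.compile(r"%([^%]+)%")


def expand_windows_env(path, env):
    """Expand %Var% tokens case-insensitively from the supplied environment map."""
    lower_env = {k.lower(): v for k, v in env.items()}
    return _ENV_RE.sub(lambda m: lower_env.get(m.group(1).lower(), m.group(0)), path)


def normalise(path):
    """Windows paths and key names are case-insensitive; normalise for comparison."""
    return ntpath.normpath(path).lower()


def match_indicators(files, registry_keys, env):
    """Return which indicators from the page are present in the given inventory."""
    present_files = {normalise(f) for f in files}
    present_keys = {normalise(k) for k in registry_keys}
    hits = {"files": [], "registry": [], "persistence": []}
    for ind in FILE_INDICATORS:
        if normalise(expand_windows_env(ind, env)) in present_files:
            hits["files"].append(ind)
    for ind in REGISTRY_INDICATORS:
        if normalise(ind) in present_keys:
            hits["registry"].append(ind)
    if normalise(PERSISTENCE_INDICATOR) in present_keys:
        hits["persistence"].append(PERSISTENCE_INDICATOR)
    return hits


def sweep_live_windows_host():
    """Enumerate a real Windows host (stdlib only) and feed the results to match_indicators."""
    if sys.platform != "win32":
        raise RuntimeError("live sweep only applies to a Windows host")
    import winreg
    env = {k: os.environ[k] for k in ("UserProfile", "ProgramFiles", "Windir") if k in os.environ}
    files = [p for p in (expand_windows_env(i, env) for i in FILE_INDICATORS) if os.path.exists(p)]
    hives = {"HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER, "HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE}
    keys = []
    for ind in REGISTRY_INDICATORS + [PERSISTENCE_INDICATOR]:
        hive, _, subkey = ind.partition("\\")
        parent, _, leaf = subkey.rpartition("\\")
        try:  # the page calls the Run entry a subkey; autostart entries are normally values, so check both
            with winreg.OpenKey(hives[hive], subkey):
                keys.append(ind)
        except OSError:
            try:
                with winreg.OpenKey(hives[hive], parent) as k:
                    winreg.QueryValueEx(k, leaf)
                keys.append(ind)
            except OSError:
                pass
    return match_indicators(files, keys, env)


# Constructed sample inventory (assumed values, not from a real host).
SAMPLE_ENV = {"UserProfile": r"C:\Documents and Settings\alice", "ProgramFiles": r"C:\Program Files", "Windir": r"C:\WINDOWS"}
SAMPLE_FILES = [
    r"C:\Program Files\MalwarePro\MalwarePro.exe",
    r"c:\windows\malwarepro setup log.txt",          # differs in case only: still a hit
    r"C:\Program Files\Notepad++\notepad++.exe",     # benign
]
SAMPLE_KEYS = [
    r"HKEY_CURRENT_USER\Software\MPMFC1",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MalwareProMFC",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe",   # benign
]

if __name__ == "__main__":
    import json
    print(json.dumps(match_indicators(SAMPLE_FILES, SAMPLE_KEYS, SAMPLE_ENV), indent=2))
```

A non-empty "persistence" list after the scan in step 3 means the Run entry survived and step 4 is still outstanding; an empty result on a host the signature fired for is worth a second look at %Windir%, since the Setup Log is written there rather than under %ProgramFiles%.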