
HTTP VirusRescue Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects VirusRescue, a security risk (a rogue antivirus application) that may give exaggerated reports of threats on the computer.

Additional Information

Once executed, the security risk performs the following actions:

1. Creates the following files:

* %ProgramFiles%\VirusRescue\Languages\english.ini
* %ProgramFiles%\VirusRescue\Logs\ (directory)
* %ProgramFiles%\VirusRescue\OE.api
* %ProgramFiles%\VirusRescue\OE4.api
* %ProgramFiles%\VirusRescue\TheBAT.api
* %ProgramFiles%\VirusRescue\UnACE.api
* %ProgramFiles%\VirusRescue\UnARJ.api
* %ProgramFiles%\VirusRescue\UnMSCAB.api
* %ProgramFiles%\VirusRescue\VirusRescue.exe
* %ProgramFiles%\VirusRescue\VirusRescue.tlb
* %ProgramFiles%\VirusRescue\VirusRescue.url
* %ProgramFiles%\VirusRescue\asc4.dll
* %ProgramFiles%\VirusRescue\backdoor.avb
* %ProgramFiles%\VirusRescue\base.dat
* %ProgramFiles%\VirusRescue\ca.avb
* %ProgramFiles%\VirusRescue\config.ini
* %ProgramFiles%\VirusRescue\daily.avb
* %ProgramFiles%\VirusRescue\kernel4.avb
* %ProgramFiles%\VirusRescue\kernel40.dll
* %ProgramFiles%\VirusRescue\malware.avb
* %ProgramFiles%\VirusRescue\pl.dll
* %ProgramFiles%\VirusRescue\sdebug.log
* %ProgramFiles%\VirusRescue\stop.set
* %ProgramFiles%\VirusRescue\stopapi4.dll
* %ProgramFiles%\VirusRescue\tips.txt
* %ProgramFiles%\VirusRescue\uninst.exe
* %ProgramFiles%\VirusRescue\unrar.api
* %ProgramFiles%\VirusRescue\unzip.api
* %ProgramFiles%\VirusRescue\virusdos.avb
* %ProgramFiles%\VirusRescue\virusw32.avb
* %ProgramFiles%\VirusRescue\vrExt.dll
* %ProgramFiles%\VirusRescue\vrsvc.exe
* %ProgramFiles%\VirusRescue\weekly.avb
* %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusRescue v3.0.1.lnk
* %UserProfile%\Desktop\VirusRescue v3.0.1.lnk
* %UserProfile%\Local Settings\Temp\VRLanguage.ini
* %UserProfile%\Start Menu\Programs\VirusRescue\VirusRescue v3.0.1 Un-Installer.lnk
* %UserProfile%\Start Menu\Programs\VirusRescue\VirusRescue v3.0.1 Website.lnk
* %UserProfile%\Start Menu\Programs\VirusRescue\VirusRescue v3.0.1.lnk
* %UserProfile%\Start Menu\VirusRescue v3.0.1.lnk

Note:
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
* %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

2. Creates the following registry subkeys:

HKEY_CLASSES_ROOT\VRExt.VRShlExt
HKEY_CLASSES_ROOT\VRExt.VRShlExt.1
HKEY_CLASSES_ROOT\AppID\VRExt.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\VRShlExt
HKEY_CLASSES_ROOT\AppID\{53A8703F-53BF-4C44-8DAF-FA254A1E1B8C}
HKEY_CLASSES_ROOT\AppID\{CF79DAB6-0AFE-4678-856D-44574D91915C}
HKEY_CLASSES_ROOT\CLSID\{598CA4D5-6870-47F0-B513-E3EFBA809B22}
HKEY_CLASSES_ROOT\CLSID\{753D7DED-2454-44A3-959D-DC3700FC6B6E}
HKEY_CLASSES_ROOT\CLSID\{CF79DAB6-0AFE-4678-856D-44574D91915C}
HKEY_CLASSES_ROOT\CLSID\{F80DB5A5-A885-7370-4983-841F62A80AF2}
HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\VRShlExt
HKEY_CLASSES_ROOT\Interface\{598CA4D5-6870-47F0-B513-E3EFBA809B22}
HKEY_CLASSES_ROOT\Interface\{679B00B5-0783-4DE4-A478-7227FDD50825}
HKEY_CLASSES_ROOT\TypeLib\{2E88F662-2027-421D-9874-F3DBC2207BAB}
HKEY_CLASSES_ROOT\TypeLib\{C7DF0578-D732-4BFB-A65B-89C1CCEA01CC}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\virusrescue.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusRescue
HKEY_LOCAL_MACHINE\SOFTWARE\VirusRescue

3. Adds the registry value:

"VirusRescue" = "%ProgramFiles%\VirusRescue\VirusRescue.exe /s"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.

4. Displays message boxes giving exaggerated reports of threats on the computer and urging the user to purchase a registered version of the software.

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows XP

Response

The following instructions pertain to all Symantec antivirus products that support security risk detection.

1. Update the definitions.
2. Run a full system scan.
3. Delete any values added to the registry.
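As an added example (this is not Symantec's code and not part of the original page), the following PowerShell script checks a host for the file, registry and Run-key indicators listed in sections 1 to 3 above and, with -RemoveRunValue, deletes the persistence value named in step 3 so the program no longer starts with Windows. The indicator paths are copied from the page; the script logic, parameter name and the choice of which files to check are my own. It assumes an elevated PowerShell session and the default install location under %ProgramFiles% (the affected platforms listed are 32-bit, so no Wow6432Node paths are checked).

```powershell
<#
  Added example: hunt for the VirusRescue indicators documented above and,
  on request, remove the HKLM Run value that restarts it at boot (section 3).
  Not Symantec's code. Assumes an elevated session and a default install path.
  Usage:  .\Find-VirusRescue.ps1                  # report only
          .\Find-VirusRescue.ps1 -RemoveRunValue  # also delete the Run value
#>
[CmdletBinding()]
param(
    [switch]$RemoveRunValue
)

$installDir = Join-Path $env:ProgramFiles 'VirusRescue'

# File indicators from section 1. The main executable, the service binary and
# the shell-extension DLL are enough to confirm an install; the full list is above.
$fileIndicators = @(
    (Join-Path $installDir 'VirusRescue.exe'),
    (Join-Path $installDir 'vrsvc.exe'),
    (Join-Path $installDir 'vrExt.dll'),
    (Join-Path $installDir 'uninst.exe'),
    (Join-Path $env:TEMP 'VRLanguage.ini'),
    (Join-Path ([Environment]::GetFolderPath('Desktop')) 'VirusRescue v3.0.1.lnk')
)

# Registry subkeys from section 2, written as provider paths so Test-Path can
# reach HKEY_CLASSES_ROOT without first creating an HKCR: drive.
$keyIndicators = @(
    'Registry::HKEY_CLASSES_ROOT\VRExt.VRShlExt',
    'Registry::HKEY_CLASSES_ROOT\VRExt.VRShlExt.1',
    'Registry::HKEY_CLASSES_ROOT\AppID\VRExt.DLL',
    'Registry::HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\VRShlExt',
    'Registry::HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\VRShlExt',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{598CA4D5-6870-47F0-B513-E3EFBA809B22}',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{753D7DED-2454-44A3-959D-DC3700FC6B6E}',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{CF79DAB6-0AFE-4678-856D-44574D91915C}',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{F80DB5A5-A885-7370-4983-841F62A80AF2}',
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{2E88F662-2027-421D-9874-F3DBC2207BAB}',
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{C7DF0578-D732-4BFB-A65B-89C1CCEA01CC}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\virusrescue.exe',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusRescue',
    'HKLM:\SOFTWARE\VirusRescue'
)

# Section 3: the persistence value.
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runName = 'VirusRescue'

$findings = New-Object System.Collections.Generic.List[string]

# -LiteralPath matters here: '*', '{' and '}' must not be treated as wildcards.
foreach ($path in $fileIndicators) {
    if (Test-Path -LiteralPath $path) { $findings.Add("file   : $path") }
}
foreach ($key in $keyIndicators) {
    if (Test-Path -LiteralPath $key) { $findings.Add("regkey : $key") }
}

# Read the Run value by name so that a missing value is silently a non-finding.
$runValue = (Get-ItemProperty -LiteralPath $runKey -Name $runName -ErrorAction SilentlyContinue).$runName
if ($runValue) { $findings.Add("runval : $runName = $runValue") }

if ($findings.Count -eq 0) {
    Write-Output 'No VirusRescue indicators found.'
    exit 0
}

Write-Output "VirusRescue indicators found ($($findings.Count)):"
$findings | ForEach-Object { Write-Output "  $_" }

if ($RemoveRunValue -and $runValue) {
    # Only the persistence value is removed here. The dropped files and COM
    # registrations are left to the full scan in Response steps 1 and 2.
    Remove-ItemProperty -LiteralPath $runKey -Name $runName
    Write-Output "Removed '$runName' from $runKey; VirusRescue will not start at next boot."
}
exit 1
```

The script exits non-zero when any indicator is present, so it can be run from a management tool across a fleet and the exit code used to flag hosts for the full scan. Run it before and after the scan: the second run should return no findings, and any remaining registry key can then be removed by hand as step 3 directs.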