
HTTP VirusProtectPro Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects the activity of the misleading application VirusProtect Pro.

Additional Information

It has been reported that the program is downloaded by Trojan.Zlob.

Once run, the security risk creates the following folders:

* %ProgramFiles%\VirusProtectPro 3.3
* %ProgramFiles%\VirusProtectPro 3.3\Lang
* %ProgramFiles%\VirusProtectPro 3.3\Logs
* %ProgramFiles%\VirusProtectPro 3.3\Quarantine
It then creates the following files:

* %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusProtectPro 3.3.lnk
* %UserProfile%\Desktop\VirusProtectPro 3.3.lnk
* %ProgramFiles%\VirusProtectPro 3.3\Uninstall VirusProtectPro 3.3.lnk
* %ProgramFiles%\Programs\VirusProtectPro 3.3\VirusProtectPro 3.3 Website.lnk
* %ProgramFiles%\VirusProtectPro 3.3\VirusProtectPro 3.3.lnk
* %ProgramFiles%\VirusProtectPro 3.3.lnk
* %ProgramFiles%\VirusProtectPro 3.3\blacklist.txt
* %ProgramFiles%\VirusProtectPro 3.3\Lang\English.ini
* %ProgramFiles%\VirusProtectPro 3.3\msvcp71.dll
* %ProgramFiles%\VirusProtectPro 3.3\msvcr71.dll
* %ProgramFiles%\VirusProtectPro 3.3\uninst.exe
* %ProgramFiles%\VirusProtectPro 3.3\VirusProtectPro 3.3.exe
* %ProgramFiles%\VirusProtectPro 3.3\VirusProtectPro 3.3.url
* %ProgramFiles%\VirusProtectPro 3.3\vpp.dat
The security risk then creates the following registry entry so that it runs when Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"VirusProtectPro 3.3" = ""%ProgramFiles%\VirusProtectPro 3.3\VirusProtectPro 3.3.exe" /h"

It also creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\VirusProtectPro 3.3.exe 3.3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusProtectPro 3.3
HKEY_LOCAL_MACHINE\SOFTWARE\VirusProtectPro 3.3

It may give exaggerated reports of threats on the computer. The program then prompts the user to purchase a registered version of the software in order to remove the reported threats.

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows XP

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Uninstall the security risk.
3. Update the virus definitions.
4. Run a full system scan.
5. Delete any values added to the registry.
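To verify steps 2 and 5, the following PowerShell audit (an added example, not Symantec's own tooling) checks a host for the folders, shortcuts and HKEY_LOCAL_MACHINE entries listed above and reports any that remain. It assumes an elevated prompt and, as an assumption of the example, also checks the Wow6432Node view of the registry on 64-bit Windows.

```powershell
# Added example: audit a host for leftover VirusProtectPro 3.3 artifacts.
# Run from an elevated PowerShell prompt. Checking Wow6432Node is an assumption
# of this example (32-bit program on a 64-bit OS); the page lists only HKLM\SOFTWARE.

$Name = 'VirusProtectPro 3.3'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Installation folder and the files the risk drops into it
$folder = Join-Path $env:ProgramFiles $Name
if (Test-Path -LiteralPath $folder) {
    $findings.Add("Folder present: $folder")
    foreach ($f in 'vpp.dat', 'blacklist.txt', "$Name.exe", 'uninst.exe') {
        $p = Join-Path $folder $f
        if (Test-Path -LiteralPath $p) { $findings.Add("File present: $p") }
    }
}

# 2. Shortcuts placed on the Desktop and in the Quick Launch bar
$shortcuts = @(
    (Join-Path $env:USERPROFILE "Desktop\$Name.lnk"),
    (Join-Path $env:APPDATA "Microsoft\Internet Explorer\Quick Launch\$Name.lnk")
)
foreach ($lnk in $shortcuts) {
    if (Test-Path -LiteralPath $lnk) { $findings.Add("Shortcut present: $lnk") }
}

# 3. The Run value that autostarts the program, plus the other HKLM subkeys
foreach ($h in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
    $run = "$h\Microsoft\Windows\CurrentVersion\Run"
    $v = Get-ItemProperty -Path $run -Name $Name -ErrorAction SilentlyContinue
    if ($v) { $findings.Add("Run value present: $run\$Name = $($v.$Name)") }
    $keys = "$h\$Name",
            "$h\Microsoft\Windows\CurrentVersion\Uninstall\$Name",
            "$h\Microsoft\Windows\CurrentVersion\App Paths\$Name.exe 3.3"
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { $findings.Add("Registry key present: $k") }
    }
}

if ($findings.Count -eq 0) { "No $Name artifacts found." } else { $findings }
```

A clean host prints a single "No VirusProtectPro 3.3 artifacts found." line; anything else listed should be removed after the full system scan in step 4.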