
HTTP MyBugFreePc Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects HTTP activity generated by the misleading application MyBugFreePc.

Additional Information

MyBugFreePc is a Security Risk that may give exaggerated reports of threats on the computer. The program then prompts the user to purchase a registered version of the software in order to remove the reported threats.

When the program is executed, it creates the following files:

* C:\Documents and Settings\Administrator\Desktop\MyBugFreePC v2.1.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\MyBugFreePC v2.1\MyBugFreePC v2.1.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\MyBugFreePC v2.1\Remove MyBugFreePC v2.1.lnk
* C:\Program Files\MyBugFreePC\MBFPCSupport.exe
* C:\Program Files\MyBugFreePC\MyBugFreePC.exe
* C:\Program Files\MyBugFreePC\uninstal.log
* C:\WINDOWS\system32\100.ico
* C:\WINDOWS\system32\101.ico
* C:\WINDOWS\system32\102.ico
* C:\WINDOWS\system32\103.ico
* C:\WINDOWS\system32\AbsoluteHttp.dll
* C:\WINDOWS\system32\ISHF_Ex.tlb
* C:\WINDOWS\system32\MBFPCUN.dll
* C:\WINDOWS\system32\OLEGUIDS.TLB
* C:\WINDOWS\system32\SSubTmr6.dll
* C:\WINDOWS\system32\vbalColumnTreeView6.ocx
* C:\WINDOWS\system32\xunzip30.ocx
* C:\WINDOWS\system32\xzipper30.ocx
* C:\WINDOWS\unvise32.exe

The program may then modify the following files:

* C:\WINDOWS\system32\MSCOMCTL.OCX
* C:\WINDOWS\system32\msvbvm60.dll

Next, the program creates the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBugFreePC v2.1\"DisplayName" = "MyBugFreePC v2.1"

It then creates the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBugFreePC v2.1
HKEY_ALL_USERS\Software\VB and VBA Program Settings\Aff_MyBugFreePC.v1
HKEY_ALL_USERS\Software\VB and VBA Program Settings\Aff_MyBugFreePC.v1\Affiliate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{14867AF7-C7EF-4F63-AF7E-9730300F6B43}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{39C0C1E8-55AE-4461-B6C7-E7DBBBAE33AA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72EF5DEE-B0A1-11D4-AAD4-F42B61161270}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{849A4AB0-92BF-11D4-AAD4-9EB3504E5079}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E8653F1-34CA-4473-AE37-138ED27760AD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8F09B786-5F0A-49BF-BBC2-DD86F0416843}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95F10A43-3F62-4EC0-A026-03D174E6DA74}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C16EFAFD-49DF-4C03-88CE-22EB565A26FD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D51F1EEB-CCBE-452F-9944-285D081BD883}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{26AA5C84-BD70-4671-BA12-74456481600F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{459B8715-40D2-4CCA-AB04-D36DE94752C8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{480663A1-3E6E-4CC0-B680-87757FFE0BB2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{53252C1F-1663-4E2B-90DB-945C1681053B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{55180CD6-E54A-4953-9DA9-D250872C33F1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5B3E24D7-F180-4D0F-A8F1-D5611FC62A86}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{71A27031-C7D8-11D2-BEF8-525400DFB47A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{71A27033-C7D8-11D2-BEF8-525400DFB47A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{71A27036-C7D8-11D2-BEF8-525400DFB47A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{72EF5DEA-B0A1-11D4-AAD4-F42B61161270}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{72EF5DEC-B0A1-11D4-AAD4-F42B61161270}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{849A4AAC-92BF-11D4-AAD4-9EB3504E5079}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{849A4AAE-92BF-11D4-AAD4-9EB3504E5079}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{883594D1-0F8F-4D21-B2F1-7C7CBC1A86C4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{94A6E414-E35D-4DA2-AF46-6EE19F54F3D3}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FDBAB80E-4290-4574-8914-70423AF4926B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00995812-9105-11D0-A754-00A0C91110C3}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1C4D3904-8E59-437B-A010-B3CE69588807}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{72EF5DE9-B0A1-11D4-AAD4-F42B61161270}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{849A4AAB-92BF-11D4-AAD4-9EB3504E5079}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B96BCBE1-F886-11D0-9C63-A06801C10627}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{BD1D0EFE-F49E-4EC8-95AC-224BC4FD2211}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AbsoluteHttp.Conn
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AbsoluteHttp.Conn.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SSubTimer6.CTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SSubTimer6.GSubclass
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SSubTimer6.ISubclass
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xunzip30.unzip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xzipper30.xzipper
HKEY_LOCAL_MACHINE\SOFTWARE\SPeeQ

Affected

  • Windows XP
  • Windows NT
  • Windows 2000

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.
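The following script is an added example for step 4 and is not part of the Symantec page or the vendor's tooling. It is a read-only sweep that checks for the files and registry subkeys listed above and reports which are present, so an administrator can confirm an infection before following the cleanup steps. The file and key paths are taken verbatim from the page (they are Windows XP-era locations, including the Administrator desktop path); the page writes the two `Aff_MyBugFreePC.v1` keys under `HKEY_ALL_USERS`, which is not a real hive name, so this example assumes the per-user hive (`HKCU:`) was meant. Nothing is deleted.

```powershell
# Added example (not from the Symantec page): read-only sweep for the MyBugFreePc
# artifacts listed in the advisory. Reports presence only; it removes nothing.
$files = @(
  'C:\Documents and Settings\Administrator\Desktop\MyBugFreePC v2.1.lnk',
  'C:\Documents and Settings\All Users\Start Menu\Programs\MyBugFreePC v2.1\MyBugFreePC v2.1.lnk',
  'C:\Documents and Settings\All Users\Start Menu\Programs\MyBugFreePC v2.1\Remove MyBugFreePC v2.1.lnk',
  'C:\Program Files\MyBugFreePC\MBFPCSupport.exe',
  'C:\Program Files\MyBugFreePC\MyBugFreePC.exe',
  'C:\Program Files\MyBugFreePC\uninstal.log',
  'C:\WINDOWS\system32\100.ico', 'C:\WINDOWS\system32\101.ico',
  'C:\WINDOWS\system32\102.ico', 'C:\WINDOWS\system32\103.ico',
  'C:\WINDOWS\system32\AbsoluteHttp.dll', 'C:\WINDOWS\system32\ISHF_Ex.tlb',
  'C:\WINDOWS\system32\MBFPCUN.dll', 'C:\WINDOWS\system32\OLEGUIDS.TLB',
  'C:\WINDOWS\system32\SSubTmr6.dll', 'C:\WINDOWS\system32\vbalColumnTreeView6.ocx',
  'C:\WINDOWS\system32\xunzip30.ocx', 'C:\WINDOWS\system32\xzipper30.ocx',
  'C:\WINDOWS\unvise32.exe'
)

# GUID subkeys from the advisory, grouped by the Classes branch they sit under.
$clsid = @(
  '{14867AF7-C7EF-4F63-AF7E-9730300F6B43}', '{39C0C1E8-55AE-4461-B6C7-E7DBBBAE33AA}',
  '{71A2702F-C7D8-11D2-BEF8-525400DFB47A}', '{71A27032-C7D8-11D2-BEF8-525400DFB47A}',
  '{71A27034-C7D8-11D2-BEF8-525400DFB47A}', '{72EF5DEE-B0A1-11D4-AAD4-F42B61161270}',
  '{849A4AB0-92BF-11D4-AAD4-9EB3504E5079}', '{8E8653F1-34CA-4473-AE37-138ED27760AD}',
  '{8F09B786-5F0A-49BF-BBC2-DD86F0416843}', '{95F10A43-3F62-4EC0-A026-03D174E6DA74}',
  '{C16EFAFD-49DF-4C03-88CE-22EB565A26FD}', '{D51F1EEB-CCBE-452F-9944-285D081BD883}'
)
$iface = @(
  '{26AA5C84-BD70-4671-BA12-74456481600F}', '{459B8715-40D2-4CCA-AB04-D36DE94752C8}',
  '{480663A1-3E6E-4CC0-B680-87757FFE0BB2}', '{53252C1F-1663-4E2B-90DB-945C1681053B}',
  '{55180CD6-E54A-4953-9DA9-D250872C33F1}', '{5B3E24D7-F180-4D0F-A8F1-D5611FC62A86}',
  '{71A2702E-C7D8-11D2-BEF8-525400DFB47A}', '{71A27031-C7D8-11D2-BEF8-525400DFB47A}',
  '{71A27033-C7D8-11D2-BEF8-525400DFB47A}', '{71A27036-C7D8-11D2-BEF8-525400DFB47A}',
  '{72EF5DEA-B0A1-11D4-AAD4-F42B61161270}', '{72EF5DEC-B0A1-11D4-AAD4-F42B61161270}',
  '{849A4AAC-92BF-11D4-AAD4-9EB3504E5079}', '{849A4AAE-92BF-11D4-AAD4-9EB3504E5079}',
  '{883594D1-0F8F-4D21-B2F1-7C7CBC1A86C4}', '{94A6E414-E35D-4DA2-AF46-6EE19F54F3D3}',
  '{FDBAB80E-4290-4574-8914-70423AF4926B}'
)
$tlib = @(
  '{00995812-9105-11D0-A754-00A0C91110C3}', '{1C4D3904-8E59-437B-A010-B3CE69588807}',
  '{71A2702D-C7D8-11D2-BEF8-525400DFB47A}', '{72EF5DE9-B0A1-11D4-AAD4-F42B61161270}',
  '{849A4AAB-92BF-11D4-AAD4-9EB3504E5079}', '{B96BCBE1-F886-11D0-9C63-A06801C10627}',
  '{BD1D0EFE-F49E-4EC8-95AC-224BC4FD2211}'
)
$uninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBugFreePC v2.1'
$namedKeys = @(
  $uninstallKey,
  # Assumption: the page's "HKEY_ALL_USERS" means the per-user hive.
  'HKCU:\Software\VB and VBA Program Settings\Aff_MyBugFreePC.v1',
  'HKCU:\Software\VB and VBA Program Settings\Aff_MyBugFreePC.v1\Affiliate',
  'HKLM:\SOFTWARE\Classes\AbsoluteHttp.Conn', 'HKLM:\SOFTWARE\Classes\AbsoluteHttp.Conn.1',
  'HKLM:\SOFTWARE\Classes\SSubTimer6.CTimer', 'HKLM:\SOFTWARE\Classes\SSubTimer6.GSubclass',
  'HKLM:\SOFTWARE\Classes\SSubTimer6.ISubclass',
  'HKLM:\SOFTWARE\Classes\xunzip30.unzip', 'HKLM:\SOFTWARE\Classes\xzipper30.xzipper',
  'HKLM:\SOFTWARE\SPeeQ'
)
$keys = $namedKeys +
  ($clsid | ForEach-Object { "HKLM:\SOFTWARE\Classes\CLSID\$_" }) +
  ($iface | ForEach-Object { "HKLM:\SOFTWARE\Classes\Interface\$_" }) +
  ($tlib  | ForEach-Object { "HKLM:\SOFTWARE\Classes\TypeLib\$_" })

function Find-MyBugFreePcArtifacts {
  # Returns one record per artifact that exists on this host.
  [CmdletBinding()]
  param()
  $hits = @()
  foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
      $hits += [pscustomobject]@{ Type = 'File'; Path = $f }
    }
  }
  foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) {
      $hits += [pscustomobject]@{ Type = 'RegistryKey'; Path = $k }
    }
  }
  # The DisplayName value the advisory lists under the Uninstall key.
  $dn = Get-ItemProperty -LiteralPath $uninstallKey -Name DisplayName -ErrorAction SilentlyContinue
  if ($dn -and $dn.DisplayName -eq 'MyBugFreePC v2.1') {
    $hits += [pscustomobject]@{ Type = 'RegistryValue'; Path = "$uninstallKey\DisplayName" }
  }
  return $hits
}

$result = @(Find-MyBugFreePcArtifacts)
if ($result.Count -eq 0) { Write-Output 'No MyBugFreePc artifacts found.' }
else { $result | Format-Table -AutoSize }
```

Run it from an elevated PowerShell session so that the HKLM and system32 checks are not blocked by access rights. Weight the hits: the `MyBugFreePC`-named files and keys are specific to this program, whereas `MSCOMCTL.OCX`, `msvbvm60.dll`, `SSubTmr6.dll` and `vbalColumnTreeView6.ocx` (and their `SSubTimer6.*` and `TypeLib` registrations) are shared Visual Basic 6 runtime and third-party control components that other legitimate software also installs, so their presence alone is not evidence of infection. This is why the script only reports; removal of the registry values (step 4) should follow the vendor's scan rather than a blanket delete of everything listed.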