HTTP PrivacyGuarantor Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects activity of the misleading application PrivacyGuarantor.

Additional Information

PrivacyGuarantor is a misleading application that provides false warnings about privacy violations.

The risk creates the following files:

* %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Privacy Guarantor v2.0.lnk
* %UserProfile%\Desktop\Privacy Guarantor v2.0.lnk
* %USERPROGRAMS%\Privacy Guarantor
* %UserProfile%\Start Menu\Programs\Privacy Guarantor\Privacy Guarantor v2.0 Uninstaller.lnk
* %UserProfile%\Start Menu\Programs\Privacy Guarantor\Privacy Guarantor v2.0 Website.lnk
* %UserProfile%\Start Menu\Programs\Privacy Guarantor\Privacy Guarantor v2.0.lnk
* %UserProfile%\Start Menu\Privacy Guarantor v2.0.lnk
* %ProgramFiles%\Privacy Guarantor
* %ProgramFiles%\Privacy Guarantor\clean.log
* %ProgramFiles%\Privacy Guarantor\dlls\cleaner_dlls.dll
* %ProgramFiles%\Privacy Guarantor\dlls\Cleaner_Opera.dll
* %ProgramFiles%\Privacy Guarantor\dlls\miranda_dll.dll
* %ProgramFiles%\Privacy Guarantor\options.xml
* %ProgramFiles%\Privacy Guarantor\Privacy Guarantor.url
* %ProgramFiles%\Privacy Guarantor\privacyguarantor.chm
* %ProgramFiles%\Privacy Guarantor\PrivacyGuarantor.exe
* %ProgramFiles%\Privacy Guarantor\uninst.exe


It then creates the following registry entry, so that it starts when Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Privacy Guarantor" = "C:\Program Files\Privacy Guarantor\PrivacyGuarantor.exe /s"

The risk also creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\PrivacyGuarantor.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Privacy Guarantor
HKEY_LOCAL_MACHINE\SOFTWARE\Privacy Guarantor

Affected

  • Windows 98
  • Windows 95
  • Windows XP
  • Windows Me
  • Windows Vista
  • Windows NT
  • Windows Server 2003
  • Windows 2000

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.