HTTP ETDScanner Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects activity of the misleading application ETDScanner.

Additional Information

When ETDScanner is installed, it performs the following actions:

1. Creates the following files:

* %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\ETD Security Scanner.lnk
* %UserProfile%\Desktop\ETD Security Scanner.lnk
* %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\ETD Security Scanner\ETD Security Scanner on the Web.lnk
* %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\ETD Security Scanner\ETD Security Scanner.lnk
* %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\ETD Security Scanner\Uninstall ETD Security Scanner.lnk
* %ProgramFiles%\ETD Security Scanner\ETD Security Scanner.ini
* %ProgramFiles%\ETD Security Scanner\ETDScanner.exe
* %ProgramFiles%\ETD Security Scanner\ETDScanner.url
* %ProgramFiles%\ETD Security Scanner\License Agreement.rtf
* %ProgramFiles%\ETD Security Scanner\Spywaredb.db
* %ProgramFiles%\ETD Security Scanner\unins000.dat
* %ProgramFiles%\ETD Security Scanner\unins000.exe
* %ProgramFiles%\ETD Security Scanner\vc1.dll
* %ProgramFiles%\ETD Security Scanner\vc2.dll

Note:
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
* %SystemDrive% is a variable that refers to the drive on which Windows is installed. By default, this is drive C.
* %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

2. Creates the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ETD Security Scanner_is1
HKEY_CURRENT_USER\Software\ETD Security Scanner
HKEY_CURRENT_USER\Software\myTopTools.com

Note: The registry key HKEY_CURRENT_USER\Software\myTopTools.com may be used by legitimate programs published by that website.

3. Adds the value:

"ETD Security Scanner" = " "%ProgramFiles%\ETD Security Scanner\ETDScanner.exe" /s "

to the registry subkey:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.
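
A read-only check for the files, registry subkeys and Run value listed above, given here as an added PowerShell example that is not part of the original write-up. It assumes PowerShell 3.0 or later, uses illustrative variable names, and only reports what it finds.

```powershell
# Added example (not from the original write-up): read-only audit for the
# ETD Security Scanner artifacts listed on this page. Nothing is modified.
# Assumption: PowerShell 3.0+; variable names are illustrative.
$paths = @(
    "$env:USERPROFILE\Application Data\Microsoft\Internet Explorer\Quick Launch\ETD Security Scanner.lnk",
    "$env:USERPROFILE\Desktop\ETD Security Scanner.lnk",
    "$env:SystemDrive\Documents and Settings\All Users\Start Menu\Programs\ETD Security Scanner",
    "$env:ProgramFiles\ETD Security Scanner"
)
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ETD Security Scanner_is1',
    'HKCU:\Software\ETD Security Scanner',
    'HKCU:\Software\myTopTools.com'
)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$findings = @()

# Files and folders: when a listed folder exists, also list what is inside it.
foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $hits = @(Get-Item -LiteralPath $p -Force)
    if ($hits[0].PSIsContainer) { $hits += Get-ChildItem -LiteralPath $p -Force }
    foreach ($h in $hits) {
        $findings += [pscustomobject]@{ Type = 'File'; Item = $h.FullName; Note = '' }
    }
}

# Registry subkeys: the myTopTools.com key can belong to legitimate programs.
foreach ($k in $keys) {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    $note = ''
    if ($k -like '*\myTopTools.com') { $note = 'May belong to legitimate software; review first' }
    $findings += [pscustomobject]@{ Type = 'RegKey'; Item = $k; Note = $note }
}

# Run value: match on the value name or on data pointing at ETDScanner.exe.
$run = Get-Item -LiteralPath $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($name in $run.GetValueNames()) {
        $data = [string]$run.GetValue($name)
        if ($name -eq 'ETD Security Scanner' -or $data -like '*\ETD Security Scanner\ETDScanner.exe*') {
            $findings += [pscustomobject]@{ Type = 'RunValue'; Item = "$name = $data"; Note = 'Starts at logon' }
        }
    }
}

if ($findings.Count -eq 0) { 'No ETD Security Scanner artifacts found.' } else { $findings | Format-List }
```

The HKEY_CURRENT_USER checks cover only the account running the script, so run it once per user profile on a shared machine.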

Affected

  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows XP

Response

The following instructions pertain to all Symantec antivirus products that support security risk detection.

1. Update the definitions.
2. Uninstall the security risk.
3. Run a full system scan.
4. Delete any values added to the registry.