HTTP SaferScan Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects activity of the misleading application SaferScan.

Additional Information

When SaferScan is executed, it performs the following actions:

1. Creates the following files:

* %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\SaferScan\SaferScan.lnk
* %ProgramFiles%\SaferScan\SaferScan.exe
* %ProgramFiles%\SaferScan\uninstall.exe

Notes:
* %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
* %SystemDrive% is a variable that refers to the drive on which Windows is installed. By default, this is drive C.

2. Creates the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaferScan
HKEY_LOCAL_MACHINE\SOFTWARE\SaferScan

3. Adds the value:

"SaferScan" = "%ProgramFiles%\SaferScan\SaferScan.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the risk runs every time Windows starts.
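
The files, registry subkeys and Run value listed above can be checked on a host with a read-only script. The following PowerShell is an added example, not Symantec's own tooling; the function name `Find-SaferScanArtifact` is hypothetical, and every path, subkey and value name in it is taken from this page.

```powershell
# Added example: read-only check for the SaferScan artifacts listed on this page.
# Nothing is modified or deleted; the function only reports what it finds.
function Find-SaferScanArtifact {
    # Files from step 1 (environment variables are expanded at run time).
    $files = @(
        '%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\SaferScan\SaferScan.lnk',
        '%ProgramFiles%\SaferScan\SaferScan.exe',
        '%ProgramFiles%\SaferScan\uninstall.exe'
    )
    # Registry subkeys from step 2.
    $subkeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaferScan',
        'HKLM:\SOFTWARE\SaferScan'
    )
    # Autostart location and value name from step 3.
    $runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $runValue = 'SaferScan'

    $findings = @()

    foreach ($f in $files) {
        $path = [Environment]::ExpandEnvironmentVariables($f)
        if (Test-Path -LiteralPath $path) {
            $findings += [pscustomobject]@{ Type = 'File'; Item = $path; Detail = '' }
        }
    }

    foreach ($k in $subkeys) {
        if (Test-Path -LiteralPath $k) {
            $findings += [pscustomobject]@{ Type = 'RegistryKey'; Item = $k; Detail = '' }
        }
    }

    # The Run value is what makes the program start with Windows.
    $run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties[$runValue]) {
        $findings += [pscustomobject]@{
            Type   = 'RunValue'
            Item   = "$runKey\$runValue"
            Detail = $run.$runValue   # command line the value points to
        }
    }

    return $findings
}

Find-SaferScanArtifact | Format-Table -AutoSize
```

An empty result means none of the listed artifacts were found at these exact locations. On 64-bit Windows, a 32-bit installer is redirected to `Program Files (x86)` and `SOFTWARE\WOW6432Node`, which this check does not cover.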

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows XP

Response

The following instructions pertain to all Symantec antivirus products that support security risk detection.

1. Update the definitions.
2. Run a full system scan.
3. Delete any values added to the registry.