
HTTP Fake AV Installers Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects the misleading application XPShield communicating with its controlling server and requesting information from it.

Additional Information

XPShield is a misleading application that may give exaggerated reports of threats on the computer.

When the program is executed, it creates the following files:

* %UserProfile%\Desktop\XP-Shield.lnk
* %UserProfile%\Local Settings\Temp\XPShieldSetup.exe
* %UserProfile%\Start Menu\Programs\XPShield\XP-Shield Web Site.lnk
* %UserProfile%\Start Menu\Programs\XPShield\XP-Shield.lnk
* %ProgramFiles%\XPShield\INSTALL.LOG
* %ProgramFiles%\XPShield\UNWISE.EXE
* %ProgramFiles%\XPShield\XP-Shield Web Site.url
* %ProgramFiles%\XPShield\XP-Shield.exe
Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Run\"XPShield" = "%ProgramFiles%\XPShield\XP-Shield.exe"

It also creates the following registry subkeys:

* HKEY_ALL_USERS\Software\XPShield
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XP-Shield

Affected

  • Windows 98
  • Windows 95
  • Windows XP
  • Windows Me
  • Windows Vista
  • Windows NT
  • Windows Server 2003
  • Windows 2000

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.
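An added example, not part of the Symantec writeup: a read-only PowerShell audit of a host for the file and registry artifacts listed above, with an optional -Remove switch that deletes only the Run value from step 4. The writeup names the hive HKEY_ALL_USERS; the script assumes the autorun value may live in either the HKCU or HKLM Run key and checks both, and it assumes an elevated session for the HKLM checks.

```powershell
# Added example (not from Symantec's writeup): audit a host for the XPShield
# artifacts listed above. Read-only unless -Remove is given, which deletes
# only the "XPShield" Run value. Run elevated so the HKLM checks succeed.
param([switch]$Remove)

# File artifacts from the writeup, with %UserProfile% / %ProgramFiles% expanded.
# "Local Settings" and "Start Menu" are the XP-era profile folder names.
$files = @(
    '%UserProfile%\Desktop\XP-Shield.lnk',
    '%UserProfile%\Local Settings\Temp\XPShieldSetup.exe',
    '%UserProfile%\Start Menu\Programs\XPShield\XP-Shield Web Site.lnk',
    '%UserProfile%\Start Menu\Programs\XPShield\XP-Shield.lnk',
    '%ProgramFiles%\XPShield\INSTALL.LOG',
    '%ProgramFiles%\XPShield\UNWISE.EXE',
    '%ProgramFiles%\XPShield\XP-Shield Web Site.url',
    '%ProgramFiles%\XPShield\XP-Shield.exe'
) | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }

$found = @()
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $found += $f; Write-Warning "File present: $f" }
}

# Persistence: the writeup says HKEY_ALL_USERS; assumption here is that the
# value may sit in the per-user (HKCU) or machine-wide (HKLM) Run key.
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    $val = Get-ItemProperty -Path $key -Name 'XPShield' -ErrorAction SilentlyContinue
    if ($null -ne $val) {
        Write-Warning "Run value in ${key}: XPShield = $($val.XPShield)"
        $found += "$key\XPShield"
        if ($Remove) { Remove-ItemProperty -Path $key -Name 'XPShield' }
    }
}

# Leftover subkeys listed in the writeup (reported only, not deleted).
foreach ($k in 'HKCU:\Software\XPShield',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XP-Shield') {
    if (Test-Path -LiteralPath $k) { $found += $k; Write-Warning "Subkey present: $k" }
}

if ($found.Count -eq 0) { 'No XPShield artifacts found.' }
else { "$($found.Count) XPShield artifact(s) found; run a full scan before cleanup." }
```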