
System Infected: Misleading Application UltimateDefender Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects the activity of the misleading application UltimateDefender.

Additional Information

UltimateDefender is a misleading application that may give exaggerated reports of threats on the computer.

The misleading application must be manually executed. When the file is executed, it visibly downloads the install files, but then silently installs them.

The misleading application identifies the fake threat Trojan.MetaMorf.F as present on the computer.

The detected files may be associated with the download and installation of UltimateDefender.

The user is then prompted to pay for a full license of the application in order to remove the fake threat.

Installation

The risk creates the following files:
%UserProfile%\Application Data\Ultimate Defender\logs\1184156634.log
%UserProfile%\Start Menu\Programs\Startup\.protected
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\.protected
C:\Documents and Settings\All Users\Start Menu\Programs\Ultimate Defender\Ultimate Defender Uninstall.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Ultimate Defender\Ultimate Defender.lnk
%ProgramFiles%\Ultimate Defender\program.info
%ProgramFiles%\Ultimate Defender\udefender.pkg
%ProgramFiles%\Ultimate Defender\UltimateDefender.db
%ProgramFiles%\Ultimate Defender\UltimateDefender.exe
%ProgramFiles%\Ultimate Defender\Uninstall.exe
%System%\drivers\etc\.protected
%Windir%\.protected
%SystemRoot%\.protected

The risk also creates the following registry subkeys:
HKEY_ALL_USERS\Software\Ultimate Defender
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ultimate Defender
HKEY_LOCAL_MACHINE\SOFTWARE\Ultimate Defender
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ultimate Defender
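As an added example (not part of Symantec's write-up), the read-only PowerShell audit below checks a host for the files and registry keys listed above so an administrator can confirm an infection before following the Response steps. It assumes Symantec's %System% placeholder means $env:SystemRoot\System32, that the HKEY_ALL_USERS key refers to the per-user hive (checked here as HKCU), and that the Run entry is a value named "Ultimate Defender" under the Run key; the log file name is matched with a wildcard.

```powershell
# Added example: read-only audit for the UltimateDefender artifacts listed in the advisory.
# Assumptions: %System% -> $env:SystemRoot\System32; HKEY_ALL_USERS -> HKCU; the
# Run entry is a value, not a subkey; the log file name is matched with *.log.
$files = @(
    "$env:USERPROFILE\Application Data\Ultimate Defender\logs\*.log",
    "$env:USERPROFILE\Start Menu\Programs\Startup\.protected",
    "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\.protected",
    "C:\Documents and Settings\All Users\Start Menu\Programs\Ultimate Defender\Ultimate Defender Uninstall.lnk",
    "C:\Documents and Settings\All Users\Start Menu\Programs\Ultimate Defender\Ultimate Defender.lnk",
    "$env:ProgramFiles\Ultimate Defender\program.info",
    "$env:ProgramFiles\Ultimate Defender\udefender.pkg",
    "$env:ProgramFiles\Ultimate Defender\UltimateDefender.db",
    "$env:ProgramFiles\Ultimate Defender\UltimateDefender.exe",
    "$env:ProgramFiles\Ultimate Defender\Uninstall.exe",
    "$env:SystemRoot\System32\drivers\etc\.protected",
    "$env:windir\.protected",
    "$env:SystemRoot\.protected"
)
$regKeys = @(
    "HKCU:\Software\Ultimate Defender",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ultimate Defender",
    "HKLM:\SOFTWARE\Ultimate Defender"
)
$runKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

$hits = @()
foreach ($f in $files) {
    # Test-Path -Path honours the *.log wildcard; nothing is modified.
    if (Test-Path -Path $f) { $hits += "File: $f" }
}
foreach ($k in $regKeys) {
    if (Test-Path -Path $k) { $hits += "Registry key: $k" }
}
if (Test-Path -Path $runKey) {
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and ($run.PSObject.Properties.Name -contains 'Ultimate Defender')) {
        $hits += "Run value: Ultimate Defender = $($run.'Ultimate Defender')"
    }
}

if ($hits.Count -eq 0) {
    Write-Output "No UltimateDefender artifacts found."
    exit 0
}
Write-Output "Found $($hits.Count) UltimateDefender artifact(s):"
$hits | ForEach-Object { Write-Output "  $_" }
# Non-zero exit lets a scheduled job or management agent flag the host for the Response steps.
exit 1
```

Run it from an elevated prompt so the HKLM keys and the All Users profile are readable; it only reads, so the Response steps (updating definitions, full scan, registry cleanup) still apply afterwards.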

Affected

  • Windows 98
  • Windows 95
  • Windows XP
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows 2000

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.