
System Infected: Misleading Application CrisysTecSentry Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects activities of misleading application CrisysTecSentry.

Additional Information

CrisysTecSentry is a misleading application that may give exaggerated reports about potential risks on the computer.

The program must be manually installed and executed.

The application then displays a number of exaggerated threat reports for the computer.

The user is then prompted to pay for a full license of the application in order to remove the falsely reported threats.

Installation
When the program is executed, it creates the following files:
%UserProfile%\Desktop\CrisysTec Sentry 3.0.lnk
%UserProfile%\Start Menu\Programs\CrisysTec Sentry\CrisysTec Sentry Help file.lnk
%UserProfile%\Start Menu\Programs\CrisysTec Sentry\CrisysTec Sentry.lnk
%UserProfile%\Start Menu\Programs\CrisysTec Sentry\Uninstall CrisysTec Sentry.lnk
%ProgramFiles%\Critical Systems Technologies\CrisysTec Sentry\BSwap.exe
%ProgramFiles%\Critical Systems Technologies\CrisysTec Sentry\INSTALL.LOG
%ProgramFiles%\Critical Systems Technologies\CrisysTec Sentry\install.sss
%ProgramFiles%\Critical Systems Technologies\CrisysTec Sentry\Plugins\Extensions.plugin_example
%ProgramFiles%\Critical Systems Technologies\CrisysTec Sentry\Plugins\Extensions83.plugin
%ProgramFiles%\Critical Systems Technologies\CrisysTec Sentry\RestoreRegistry.reg
%ProgramFiles%\Critical Systems Technologies\CrisysTec Sentry\Sentry.chm
%ProgramFiles%\Critical Systems Technologies\CrisysTec Sentry\Sentry.exe
%ProgramFiles%\Critical Systems Technologies\CrisysTec Sentry\Uninstall.exe

Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Run\"CrisysTec Sentry" = "C:\Program Files\Critical Systems Technologies\CrisysTec Sentry\Sentry.exe -Minimized"

It also creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{34BCE26E-D9F8-46CB-8A59-B473A14471F0}
HKEY_ALL_USERS\Software\Critical Systems Technologies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\Program Files\Critical Systems Technologies\CrisysTec Sentry\Uninstall.exe

The program also modifies the following entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\"(Default)" = "CrisysTec Protected Recycle Bin"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\LocalizedString\"(Default)" = "CrisysTec Protected Recycle Bin"

Affected

  • Windows 98
  • Windows 95
  • Windows XP
  • Windows Me
  • Windows Vista
  • Windows NT
  • Windows Server 2003
  • Windows 2000

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.
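As an added example (not Symantec's or the product's own code), the following PowerShell script audits a host for the files and registry artifacts listed under Installation and, with -Remove, clears the Run-key persistence value from step 4. It assumes the listing's "HKEY_ALL_USERS" entries live under the current user's HKCU hive and that the script runs from an elevated prompt so HKLM is readable.

```powershell
# Added example, not part of the original advisory: audit for CrisysTec Sentry
# artifacts and optionally remove the Run-key persistence value.
# Assumption: the page's "HKEY_ALL_USERS" entries are checked under HKCU.
[CmdletBinding()]
param([switch]$Remove)

$base  = Join-Path $env:ProgramFiles 'Critical Systems Technologies\CrisysTec Sentry'
$files = @(
    (Join-Path $env:USERPROFILE 'Desktop\CrisysTec Sentry 3.0.lnk'),
    (Join-Path $base 'Sentry.exe'),
    (Join-Path $base 'BSwap.exe'),
    (Join-Path $base 'Uninstall.exe'),
    (Join-Path $base 'RestoreRegistry.reg')
)
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runName = 'CrisysTec Sentry'
$keys = @(
    'HKCU:\Software\Critical Systems Technologies',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{34BCE26E-D9F8-46CB-8A59-B473A14471F0}'
)
$recycleBin = 'HKLM:\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}'

$findings = @()
foreach ($f in $files) { if (Test-Path -LiteralPath $f) { $findings += "file: $f" } }
foreach ($k in $keys)  { if (Test-Path -LiteralPath $k) { $findings += "key: $k" } }

# The Run value is the persistence mechanism; flag it only if it points at Sentry.exe.
$run = Get-ItemProperty -Path $runKey -Name $runName -ErrorAction SilentlyContinue
if ($run -and $run.$runName -match 'Sentry\.exe') {
    $findings += "run value: $runKey\$runName = $($run.$runName)"
    if ($Remove) {
        Remove-ItemProperty -Path $runKey -Name $runName
        Write-Output "Removed persistence value '$runName' from $runKey"
    }
}

# The Recycle Bin CLSID's default name should not have been rebranded.
$rb = Get-ItemProperty -Path $recycleBin -ErrorAction SilentlyContinue
if ($rb -and $rb.'(default)' -like 'CrisysTec*') {
    $findings += "modified CLSID name: $($rb.'(default)')"
}

if ($findings.Count -eq 0) { Write-Output 'No CrisysTec Sentry artifacts found.' }
else { $findings | ForEach-Object { Write-Output "FOUND $_" } }
```

The script only reports the modified Recycle Bin CLSID name; restoring it is left to the full scan in step 3, which is the remediation the advisory prescribes.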