
System Infected: Misleading Application MalwareDestructor Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects activity of the misleading application MalwareDestructor.

Additional Information

MalwareDestructor is a misleading application that may give exaggerated reports about potential risks on the computer.

This misleading application must be manually installed.

The program gives a number of exaggerated reports about potential risks on the computer.

The user is then prompted to pay for a full license for the application in order to remove the errors.

Installation

When the program is executed, it creates the following folder:

* C:\Program Files\MalwareDestructor\Logs

It then creates the following files:

* C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\MalwareDestructor 4.5.lnk
* C:\Documents and Settings\Administrator\Desktop\MalwareDestructor 4.5.lnk
* C:\Documents and Settings\Administrator\Start Menu\Programs\MalwareDestructor\MalwareDestructor 4.5 Un-Installer.lnk
* C:\Documents and Settings\Administrator\Start Menu\Programs\MalwareDestructor\MalwareDestructor 4.5 Website.lnk
* C:\Documents and Settings\Administrator\Start Menu\Programs\MalwareDestructor\MalwareDestructor 4.5.lnk
* C:\Documents and Settings\Administrator\Start Menu\MalwareDestructor 4.5.lnk
* C:\Program Files\MalwareDestructor\001.dat
* C:\Program Files\MalwareDestructor\002.dat
* C:\Program Files\MalwareDestructor\003.dat
* C:\Program Files\MalwareDestructor\004.dat
* C:\Program Files\MalwareDestructor\005.dat
* C:\Program Files\MalwareDestructor\006.dat
* C:\Program Files\MalwareDestructor\007.dat
* C:\Program Files\MalwareDestructor\008.dat
* C:\Program Files\MalwareDestructor\009.dat
* C:\Program Files\MalwareDestructor\DbgHelp.Dll
* C:\Program Files\MalwareDestructor\Logs\shield_activity-09072007-093756.log
* C:\Program Files\MalwareDestructor\MalAntiSpam.dll
* C:\Program Files\MalwareDestructor\MalwareDestructor.EXE
* C:\Program Files\MalwareDestructor\MalwareDestructor.log
* C:\Program Files\MalwareDestructor\MalwareDestructor.url
* C:\Program Files\MalwareDestructor\msvcp71.dll
* C:\Program Files\MalwareDestructor\msvcr71.dll
* C:\Program Files\MalwareDestructor\Plugins\DesktopManager\DesktopManager.dll
* C:\Program Files\MalwareDestructor\Plugins\DesktopManager\Languages\English.ini
* C:\Program Files\MalwareDestructor\Plugins\DesktopManager\Languages\Spanish.ini
* C:\Program Files\MalwareDestructor\Plugins\StartupEditor\Languages\English.ini
* C:\Program Files\MalwareDestructor\Plugins\StartupEditor\Languages\Spanish.ini
* C:\Program Files\MalwareDestructor\Plugins\StartupEditor\StartupEditor.dll
* C:\Program Files\MalwareDestructor\settings.ini
* C:\Program Files\MalwareDestructor\uninst.exe
Next, the program creates the following registry subkeys:

* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\MalWareDestruct.EXE
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\spamdet.DLL
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{9DA1990B-9BCA-4c80-AEFB-11A40FA849F9}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{C628512D-A058-4BD4-B47B-B036F45FA02B}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{16DD131D-C09F-4F83-A1E7-A2CF506EA27C}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{69EBF0DB-F6B5-4479-8352-AA632F522D34}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C1530BD-16B0-41A9-B428-17EE8CBD3E06}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9EC61371-C3B9-FCC1-EE6F-2E4E8D12DFFC}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A301FAB7-0853-9F4D-BA0D-BE2F421E5A18}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D0367D41-1C19-4e98-8F5D-006213C5B1BB}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{214345B8-BB69-498D-A168-29F58F15D806}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3E67E9DC-7294-44C3-BC99-EA6E29E74076}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4ED5E198-E576-4676-93B8-2C401D1A67D0}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C1530BD-16B0-41A9-B428-17EE8CBD3E06}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D59B2DD5-0609-4BDC-AB47-A9A28ABC482A}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B60F5AFA-EDD2-417D-A438-57F3EBD9E639}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F8FF4547-4FA4-4FEA-B689-7190C2A40364}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ExpertAntivirus.Addin
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ExpertAntivirus.Addin.1
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MalWareDestruct.Server
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MalWareDestruct.Server.1
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\spamdet.SpamDetector
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\spamdet.SpamDetector.1
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MalwareDestructor
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MalwareDestructor
* HKEY_LOCAL_MACHINE\SOFTWARE\MalwareDestructor
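The file and registry artifacts above are the host-side evidence a responder would look for when confirming this detection and deciding what to remove (Response step 4). The following PowerShell audit script is an added example and is not part of the Symantec signature page; it only reports which listed artifacts exist and deletes nothing. It assumes an elevated PowerShell session, that the per-user shortcut paths (shown on the page for the Administrator profile only) should be checked for every profile under C:\Documents and Settings and C:\Users, and that the timestamped shield_activity log name is matched with a wildcard.

```powershell
# Added audit script (not from the Symantec signature page). Reports MalwareDestructor
# artifacts present on this host; read-only, no removal. Assumptions: elevated session;
# all user profiles are checked, not just Administrator; log file name matched by wildcard.

$ProgramDir = 'C:\Program Files\MalwareDestructor'

# Files created under $ProgramDir, relative to it (paths taken from the signature page).
$ProgramFiles = @(
    '001.dat', '002.dat', '003.dat', '004.dat', '005.dat', '006.dat', '007.dat', '008.dat', '009.dat',
    'DbgHelp.Dll', 'MalAntiSpam.dll', 'MalwareDestructor.EXE', 'MalwareDestructor.log',
    'MalwareDestructor.url', 'msvcp71.dll', 'msvcr71.dll', 'settings.ini', 'uninst.exe',
    'Plugins\DesktopManager\DesktopManager.dll',
    'Plugins\DesktopManager\Languages\English.ini',
    'Plugins\DesktopManager\Languages\Spanish.ini',
    'Plugins\StartupEditor\StartupEditor.dll',
    'Plugins\StartupEditor\Languages\English.ini',
    'Plugins\StartupEditor\Languages\Spanish.ini'
)

# Shortcuts created inside a user profile, relative to the profile root (from the page).
$ProfileShortcuts = @(
    'Application Data\Microsoft\Internet Explorer\Quick Launch\MalwareDestructor 4.5.lnk',
    'Desktop\MalwareDestructor 4.5.lnk',
    'Start Menu\MalwareDestructor 4.5.lnk',
    'Start Menu\Programs\MalwareDestructor\MalwareDestructor 4.5.lnk',
    'Start Menu\Programs\MalwareDestructor\MalwareDestructor 4.5 Un-Installer.lnk',
    'Start Menu\Programs\MalwareDestructor\MalwareDestructor 4.5 Website.lnk'
)

# Registry subkeys created by the program (from the page), expressed as HKLM: provider paths.
$RegistryKeys = @(
    'SOFTWARE\Classes\AppID\MalWareDestruct.EXE',
    'SOFTWARE\Classes\AppID\spamdet.DLL',
    'SOFTWARE\Classes\AppID\{9DA1990B-9BCA-4c80-AEFB-11A40FA849F9}',
    'SOFTWARE\Classes\AppID\{C628512D-A058-4BD4-B47B-B036F45FA02B}',
    'SOFTWARE\Classes\CLSID\{16DD131D-C09F-4F83-A1E7-A2CF506EA27C}',
    'SOFTWARE\Classes\CLSID\{69EBF0DB-F6B5-4479-8352-AA632F522D34}',
    'SOFTWARE\Classes\CLSID\{7C1530BD-16B0-41A9-B428-17EE8CBD3E06}',
    'SOFTWARE\Classes\CLSID\{9EC61371-C3B9-FCC1-EE6F-2E4E8D12DFFC}',
    'SOFTWARE\Classes\CLSID\{A301FAB7-0853-9F4D-BA0D-BE2F421E5A18}',
    'SOFTWARE\Classes\CLSID\{D0367D41-1C19-4e98-8F5D-006213C5B1BB}',
    'SOFTWARE\Classes\Interface\{214345B8-BB69-498D-A168-29F58F15D806}',
    'SOFTWARE\Classes\Interface\{3E67E9DC-7294-44C3-BC99-EA6E29E74076}',
    'SOFTWARE\Classes\Interface\{4ED5E198-E576-4676-93B8-2C401D1A67D0}',
    'SOFTWARE\Classes\Interface\{7C1530BD-16B0-41A9-B428-17EE8CBD3E06}',
    'SOFTWARE\Classes\Interface\{D59B2DD5-0609-4BDC-AB47-A9A28ABC482A}',
    'SOFTWARE\Classes\TypeLib\{B60F5AFA-EDD2-417D-A438-57F3EBD9E639}',
    'SOFTWARE\Classes\TypeLib\{F8FF4547-4FA4-4FEA-B689-7190C2A40364}',
    'SOFTWARE\Classes\ExpertAntivirus.Addin', 'SOFTWARE\Classes\ExpertAntivirus.Addin.1',
    'SOFTWARE\Classes\MalWareDestruct.Server', 'SOFTWARE\Classes\MalWareDestruct.Server.1',
    'SOFTWARE\Classes\spamdet.SpamDetector', 'SOFTWARE\Classes\spamdet.SpamDetector.1',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MalwareDestructor',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MalwareDestructor',
    'SOFTWARE\MalwareDestructor'
) | ForEach-Object { "HKLM:\$_" }

function Get-MalwareDestructorArtifacts {
    $found = New-Object System.Collections.Generic.List[object]

    # Program directory contents, plus any timestamped shield_activity log (wildcard: assumption).
    foreach ($rel in $ProgramFiles) {
        $p = Join-Path $ProgramDir $rel
        if (Test-Path -LiteralPath $p) { $found.Add([pscustomobject]@{ Type = 'File'; Path = $p }) }
    }
    $logDir = Join-Path $ProgramDir 'Logs'
    if (Test-Path -LiteralPath $logDir) {
        Get-ChildItem -LiteralPath $logDir -Filter 'shield_activity-*.log' -ErrorAction SilentlyContinue |
            ForEach-Object { $found.Add([pscustomobject]@{ Type = 'File'; Path = $_.FullName }) }
    }

    # Per-profile shortcuts under both profile roots (assumption: page shows Administrator only).
    foreach ($root in 'C:\Documents and Settings', 'C:\Users') {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $userDirs = Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer }
        foreach ($userDir in $userDirs) {
            foreach ($rel in $ProfileShortcuts) {
                $p = Join-Path $userDir.FullName $rel
                if (Test-Path -LiteralPath $p) { $found.Add([pscustomobject]@{ Type = 'Shortcut'; Path = $p }) }
            }
        }
    }

    # Registry subkeys listed on the page.
    foreach ($k in $RegistryKeys) {
        if (Test-Path -LiteralPath $k) { $found.Add([pscustomobject]@{ Type = 'RegistryKey'; Path = $k }) }
    }
    return $found
}

$artifacts = Get-MalwareDestructorArtifacts
if ($artifacts.Count -eq 0) {
    Write-Output 'No MalwareDestructor artifacts found.'
} else {
    $artifacts | Format-Table -AutoSize
    Write-Warning "$($artifacts.Count) MalwareDestructor artifact(s) present; follow the Response steps."
}
```

The script reports each hit as File, Shortcut or RegistryKey so the output can be saved as a record before the Response steps (definition update, full scan, registry cleanup) are carried out; a clean result after cleanup confirms that none of the listed artifacts remain.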
Affected

  • Windows 98
  • Windows 95
  • Windows XP
  • Windows Me
  • Windows Vista
  • Windows NT
  • Windows Server 2003
  • Windows 2000

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.