
System Infected: Misleading Application WinXDefender Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects the activity of the misleading application WinXDefender.

Additional Information

WinXDefender is a misleading application marketed as a spyware removal utility. It produces exaggerated reports about potential risks on the computer.

The user is then prompted to pay for a full license of the application in order to remove the falsely reported threats.

Installation
When the program is executed, it creates the following files:
C:\Documents and Settings\[CURRENT USER]\Application Data\WinXDefender\base.dat
C:\Documents and Settings\[CURRENT USER]\Application Data\WinXDefender\base2.dat
C:\Documents and Settings\[CURRENT USER]\Application Data\WinXDefender\Desc.dat
C:\Documents and Settings\[CURRENT USER]\Desktop\WinXDefender.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WinXDefender\Purchase License.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WinXDefender\Start WinXDefender.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WinXDefender\Support Page.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WinXDefender\WinXDefender Uninstall.lnk
C:\Program Files\WinXDefender\Buy.url
C:\Program Files\WinXDefender\Help.url
C:\Program Files\WinXDefender\HowToBuy.txt
C:\Program Files\WinXDefender\License.txt
C:\Program Files\WinXDefender\Lng\English.lng
C:\Program Files\WinXDefender\Uninstall.exe
C:\Program Files\WinXDefender\WinXDefender.exe

Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"WinXDefender" = "C:\Program Files\WinXDefender\WinXDefender.exe"
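The following audit script checks a host for the file and registry artifacts listed above. It is an added example, not part of the Symantec signature, and assumes the artifact locations resolve through the standard profile and Program Files environment variables; it only reports findings and leaves removal to the Response steps.

```powershell
# Added example, not part of the Symantec signature page: audits the local host
# for the WinXDefender artifacts listed above and reports what it finds.
# Paths are derived from the current user's profile and the Program Files
# folder instead of the literal "C:\Documents and Settings" prefixes, so the
# same list resolves correctly on Windows XP and on later versions.
$RunKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunName  = 'WinXDefender'
$Expected = Join-Path $env:ProgramFiles 'WinXDefender\WinXDefender.exe'

$AppData  = $env:APPDATA                                      # ...\Application Data
$Desktop  = [Environment]::GetFolderPath('Desktop')           # current user's Desktop
$Programs = [Environment]::GetFolderPath('CommonPrograms')    # All Users\Start Menu\Programs
$ProgDir  = Join-Path $env:ProgramFiles 'WinXDefender'

# File artifacts named in the advisory.
$Files = @(
    'base.dat', 'base2.dat', 'Desc.dat' | ForEach-Object { Join-Path $AppData "WinXDefender\$_" }
    Join-Path $Desktop 'WinXDefender.lnk'
    'Purchase License.lnk', 'Start WinXDefender.lnk', 'Support Page.lnk', 'WinXDefender Uninstall.lnk' |
        ForEach-Object { Join-Path $Programs "WinXDefender\$_" }
    'Buy.url', 'Help.url', 'HowToBuy.txt', 'License.txt', 'Lng\English.lng',
        'Uninstall.exe', 'WinXDefender.exe' | ForEach-Object { Join-Path $ProgDir $_ }
)

$findings = @()
foreach ($path in $Files) {
    if (Test-Path -LiteralPath $path) {
        $findings += [pscustomobject]@{ Type = 'File'; Location = $path; Note = '' }
    }
}

# Persistence check: the Run value the advisory says is created at install time.
$run = Get-ItemProperty -Path $RunKey -Name $RunName -ErrorAction SilentlyContinue
if ($run) {
    $value = ($run.$RunName).Trim('"')
    $note  = if ($value -ieq $Expected) { 'matches advisory' } else { "unexpected target: $value" }
    $findings += [pscustomobject]@{ Type = 'Registry'; Location = "$RunKey\$RunName"; Note = $note }
}

if ($findings.Count -eq 0) {
    Write-Output 'No WinXDefender artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

On 64-bit Windows a 32-bit installer would land under `$env:{ProgramFiles(x86)}` instead, so adjust `$ProgDir` and `$Expected` if the Run value points there.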


Similar Security Risks
Magicantispy

Affected

  • Windows 98
  • Windows 95
  • Windows XP
  • Windows Me
  • Windows Vista
  • Windows NT
  • Windows Server 2003
  • Windows 2000

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.