When a DVD containing SecurityRisk.Settec is run, the clean autorun installer performs the following actions:
- Creates the following files:
- Displays the following message, which is an End User License Agreement:
- Creates and executes the following files, if the user agrees to install the protection:
- %System%\[RANDOM FILE NAME].exe
- A copy of %System%\[RANDOM FILE NAME].exe is also present on the DVD protected by Settec Alpha-DVD as alpha.dat. This file will be detected by the Symantec antivirus program every time a DVD protected by Settec Alpha-DVD is inserted into the DVD drive. The file cannot be deleted by the Symantec antivirus program because the DVD is a read-only medium.
- Warning messages may be displayed by the Symantec antivirus program every time one of the above files is accessed. Users will be able to view the DVD as normal using any DVD player application.
Once SecurityRisk.Settec is installed on the computer, it performs the following actions:
- Adds the value:
"SystemManager" = "%SYSTEM%\[RANDOM FILE NAME].EXE"
to the registry subkey:
so that the risk starts every time Windows starts.
- Uses user-mode rootkit techniques to hide its executable file from the processes list.
Note: This can be exploited by malware to hide any malicious processes.
- Uses user-mode rootkit techniques to prevent access to files in the following folders on the DVD drive:
- This rootkit technology can also be used by malware to block access to malicious files placed in the above folders, both on the DVD drive and on the hard drive of the computer.
- A malicious attacker could also exploit this rootkit technology by creating a CD or DVD containing malicious files in the above folders. These files cannot be viewed on the computer, but they can be executed.
- Hooks and filters the following critical system APIs, which are used for communication with DVD and CD drives:
Note: This may cause a degradation in performance.
- Prevents certain legitimate programs that use the file ElbyCDIO.DLL from accessing the DVD drive. The following are some examples of programs that are prevented from accessing the DVD drive:
The following message may be displayed if the AnyDVD program attempts to access the DVD drive:
Title: AnyDVD Ripper
Body: AnyDVD is not currently active for drive E:!
- Prevents certain legitimate programs from accessing and reading information from the DVD drive. The following are some examples of programs that are prevented from accessing the DVD drive:
- DVDFab Express
- DVD Decrypter
The following message may be displayed if the DVD Decrypter program attempts to access the DVD drive:
Body: Get DVD information fail. 4100
- Warning messages will be displayed by the Symantec antivirus program every time the DVD protected by Settec Alpha-DVD is accessed. To view the DVD without the warning messages it is necessary to either run a scan using the Symantec antivirus program or to download an updated version of the software.
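The autostart value described above ("SystemManager" pointing at a randomly named .exe in %System%) can be hunted for offline in a registry export. The following is an added example, not Symantec's code; the writeup does not name the subkey, so the example assumes the Run key, and the .reg text and the random file name are constructed.

```python
import re

# Constructed sample of a .reg export of an autostart key. Assumption: the
# writeup does not name the subkey; HKLM\...\Run is used here as a plausible one.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%ProgramFiles%\\Windows Defender\\MSASCuiL.exe"
"SystemManager"="%SYSTEM%\\xk1j7q.EXE"
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_export(text):
    """Yield (key, value_name, data) for each REG_SZ value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, _unescape(m.group(1)), _unescape(m.group(2))


def is_settec_autostart(value_name, data):
    """True when a value matches the writeup's indicator: the name
    'SystemManager' with data naming an .exe directly inside %System%."""
    if value_name.lower() != 'systemmanager':
        return False
    # Normalise the %SYSTEM%/%System% prefix to the default system directory
    # (assumed default install location) so both spellings are caught.
    d = re.sub(r'^%system%', r'C:\\Windows\\System32', data, flags=re.I)
    return re.match(r'^C:\\Windows\\System32\\[^\\]+\.exe$', d, flags=re.I) is not None


def find_settec_autostart(text):
    """Return (key, name, data) triples under any ...\\Run key that match."""
    return [(k, n, d) for k, n, d in parse_reg_export(text)
            if k.lower().endswith('\\run') and is_settec_autostart(n, d)]
```

On a live host, export the Run keys with reg.exe and feed the resulting file to find_settec_autostart; a hit is a lead to confirm with an antivirus scan, not proof on its own, since the file name is random.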