We are assisting nowadays at a proliferation of the fake antiviruses, the things flows as in a bourse depending on demands and offers. More and more advanced new computer viruses come out everyday, people hear about them and as a result there is an increased demand for antivirus software, a good thing maybe you will say but that’s exactly the thing that malefic virus creators tries to speculate. So, I think it’s a good idea to talk about XP Home Security 2011 fake antivirus removal.
Spreading fake antiviruses, fake antimalware or fake antispyware become a profitable business. It’s about the same family of fake antiviruses even if the names differs : Best Antivirus 2011, Internet Security 2010, XP antivirus 2011, Vista antivirus 2011, Windows Antivirus 2011, XP Home Security 2011 or other names, it does not matter, there are a lot of similarities between them for example all of them uses Java scripts to imitate Windows explorer in a browser frame and to scare the victims by generating a lot of fake security alerts. A download link for a presumably antivirus is insistently offered, in reality this is a virus or a suite of viruses packed in an executable file so it’s strongly recommended to never run these kind of programs unless you want a deep computer infection.
What is following is interesting: because the browsers developers improved the speed of blocking the malicious domains once them are reported, the malware creators react by using wildcard domains with a very short span of life, order of hours. Free domains registration services as http://www.free-domains.ce.ms/ (*.ce.ms sub domains) or http://www.nic.cz.cc/ (*.cz.cc sub domains) are widely used by malware creators to set their malicious domains. It seems that these sub domains are created automatically using specific tools(bots).
A few days ago there was a real offensive when some poisoned Google Images were leading to malicious domains hosting fake antiviruses such as Security Center 2011 fake antivirus (InstallSecurityCenter_730.exe it’s the name of the file but the last numbers may differ from download to download), here is the virustotal.com analysis for it, proudly showing a detection rate of 6 /40 (15.0%) — “Congratulations!” to real antivirus software vendors for quick response to new threats.
This fake antivirus appears as a Google Chrome Security warning stating that the computer is infected with viruses. Also drive-by downloads were detected analysing these web pages.
How are looking these malicious links? Here are a few of them :
hxxp://hozelgen.ce.ms/index.php?Q2PhHtRybTBGMnrVM+tNsStmB3e7mWPwrfL++hAX57iCFCA5iL8+KgPj4ozs/Vjes4+luy68ERoyu5ymps7Mi1rxO2iMmuAWP19RAgyw6f4=
hxxp://sastole.ce.ms/index.php?QxfhCNQgbVdGR3r4M0xNXiuPBcW7kGOUrZ/+gBBY53iCuiCiiA0+LQMO4h3saFhTs/ul4C6ZEZQxoZxrpQ3KDFWGO1+MpeDoP09R9Qxf6dc
hxxp://folkerson.ce.ms/index.php?Q+XhVdSCbRZG8nonM9tN2CuDBci71GOwrXT+exAC51GC5iBZiNA+dANC4uLsK1gJswelmy49EZkxM5VjpavCjVXEOweM5eDFPzxRzQy66fs=
The vast majority of these domains are now blocked by the browsers in-built security. Other domains are still not blocked for example:
http://ndidrsjt.cz.cc/fast-scan/
The above images are taken from a visit to this site, which offer BestAntivirus2011.exe for downloading (MD5: 568B8BDDB6D30D0D5816978F0BB4D806) –in fact it will install XP Home Security 2011 fake antivirus , let’s see the virustotal.com analysis here, the detection rate is a poor score: 7/ 43 (16.3%), big antivirus names simply miss it with elegance. There were reports that the malicious web sites offers fake antivirus software matching the name of the operating system Windows version. Amongst all the data sent by the browse to the server, it sends also the operating system version. For example if someone is using Windows Vista then the fake antivirus has the name Vista Antivirus 2011.
A short Domain to Location check reveals that this web site is hosted in Romania.
IP address: 95.64.48.130
Host name: ndidrsjt.cz.cc
City: Blaj
Region: Alba
Country Name: Romania
Country Code: RO
However the results of analysis for XP Home Security 2011 fake antivirus are fascinating considering the damages it does to the system. The analysis was performed as usual running a sandboxed browser with Buster Sandbox Analyzer module. First, let’s see where is connects, it’s a long list :
* Connects to “209.160.73.78” on port 80.
* Connects to “209.61.253.26” on port 80.
* Connects to “85.17.167.4” on port 80.
* Connects to “209.159.151.215” on port 80.
* Connects to “72.9.109.20” on port 80.
* Connects to “66.160.196.218” on port 80.
* Connects to “31.214.132.4” on port 80.
* Connects to “206.53.55.81” on port 80.
* Connects to “208.85.18.156” on port 80.
* Connects to “208.85.18.154” on port 80.
* Connects to “72.9.109.19” on port 80.
* Connects to “85.17.167.30” on port 80.
* Connects to “67.227.164.75” on port 80.
* Connects to “66.160.196.220” on port 80.
* Connects to “67.227.164.76” on port 80.
* Connects to “31.214.132.3” on port 80.
* Connects to “96.127.136.170” on port 80.
* Connects to “66.160.196.219” on port 80.
* Connects to “75.125.218.222” on port 80.
* Connects to “96.127.136.172” on port 80.
* Connects to “85.17.167.1” on port 80.
* Connects to “72.9.109.18” on port 80.
* Connects to “31.214.132.2” on port 80.
* Connects to “209.159.151.221” on port 80.
* Connects to “208.85.18.155” on port 80.
* Connects to “96.127.136.171” on port 80.
* Connects to “209.159.151.238” on port 80.
* Connects to “173.192.192.13” on port 80.
* Connects to “207.46.232.182” on port 80.
* Connects to “api.mywot.com” on port 80.
* Connects to “127.0.0.1” on port 5490.
* Connects to “83.145.197.2” on port 443.
* Connects to “zelokovixoqe.com” on port 80.
* Connects to “199.7.48.190” on port 80.
* Connects to “83.145.197.2” on port 80.
* Connects to “urs.microsoft.com” on port 80.
* Connects to “213.199.177.155” on port 443.
* Connects to “64.18.20.10” on port 80.
* Connects to “81.196.26.184” on port 80.
Let’s see a few screenshots of XP Home Security 2011, it looks very convincing:
And the “buying” page for XP Home Security 2011 fake antivirus :
XP Home Security 2011 fake antivirus drops in %Application Data% folder two hidden files, hbu.exe -MD5: 568B8BDDB6D30D0D5816978F0BB4D806 and a system file with a random name, in this case it was t073h1i536syn3l78rmw0ere5h4 -MD5: 6C4229E907EEEE99BEDAA804ACBD0F3F, being a system file it has no extension. Also this system file is dropped in %Temp% folder.
This malware, XP Home Security 2011 fake antivirus, also drop in The Temporary Internet Files folder a file named SuggestedSites.dat with references to a lot of other sites to be promoted by it, perhaps malforming the search engines results. Next analysis results are suggesting modifications of visited web pages performed in the background “on the fly”, deformations of the search engines results, redirecting to other web pages than intended and even a manipulation of WOT(World Of Trust websites ranking system), all these modifications are made in the registry :
The following registry entries report created by Buster Sandbox Analyzer(BSA) shows what registry values are added by XP Home Security 2011 fake antivirus, these values must be deleted to prevent malware autostart at next computer reboot:
* Creates value “=exefile” in key HKEY_CURRENT_USER\software\classes\.exe
* Creates value “Content Type=application/x-msdownload” in key HKEY_CURRENT_USER\software\classes\.exe
* Creates value “=%1” in key HKEY_CURRENT_USER\software\classes\.exe\DefaultIcon
* Creates value “=”C:\Documents and Settings\Administrator\Local Settings\Application Data\hbu.exe” -a “%1″ %*” in key HKEY_CURRENT_USER\software\classes\.exe\shell\open\command
* Creates value “IsolatedCommand=”%1″ %*” in key HKEY_CURRENT_USER\software\classes\.exe\shell\open\command
* Creates value “=”%1″ %*” in key HKEY_CURRENT_USER\software\classes\.exe\shell\runas\command
* Creates value “IsolatedCommand=”%1″ %*” in key HKEY_CURRENT_USER\software\classes\.exe\shell\runas\command
* Creates value “=Application” in key HKEY_CURRENT_USER\software\classes\exefile
* Creates value “Content Type=application/x-msdownload” in key HKEY_CURRENT_USER\software\classes\exefile
* Creates value “=%1” in key HKEY_CURRENT_USER\software\classes\exefile\DefaultIcon
* Creates value “=”C:\Documents and Settings\Administrator\Local Settings\Application Data\hbu.exe” -a “%1″ %*” in key HKEY_CURRENT_USER\software\classes\exefile\shell\open\command
* Creates value “IsolatedCommand=”%1″ %*” in key HKEY_CURRENT_USER\software\classes\exefile\shell\open\command
* Creates value “=”%1″ %*” in key HKEY_CURRENT_USER\software\classes\exefile\shell\runas\command
* Creates value “IsolatedCommand=”%1″ %*” in key HKEY_CURRENT_USER\software\classes\exefile\shell\runas\command
XP Home Security 2011 fake antivirus removal instructions are :
– Stop from Task Manager the hbu.exe process. The name may differ, it’s a random three letters name, search for what is looking suspicious in the processes;
– Delete hbu.exe(remember it’s a random name) from *\Local Settings\Application Data\* folder. The file is hidden, set your options to view hidden and protected operating system files;
– Delete t073h1i536syn3l78rmw0ere5h4 from %\All Users\Application Data\% , %username\Local Settings\Application Data\% , %username\Local Settings\Temp% and %username\Templates\% folders. Be aware the file is marked as a protected operating system file also hidden;
– Delete HKEY_CURRENT_USER\software\AppDataLow\Software\Against Intuition registry key;
– Delete the above registry values created by the virus (colored in orange);
– Enable the real Windows Security Center notifications;
– Check the firewall allowed exceptions;
It’s obvious for anyone that installing a fake antivirus like XP Home Security 2011 fake antivirus lead to serious troubles towards your computer security as receiving unwanted ads, a slow Internet connection and a slow computer, the real possibility to have compromised your credit card details or your online accounts.
XP Home Security 2011 fake antivirus removal instructions presented here can be applied by an experienced computer user. If you think you are not able to remove this virus manually, then better don’t try, just install a powerful Internet security solution as Kaspersky Internet Security and let it do its job.
Keep safe !
Leave a Reply