Threat Description

Rogue:W32/SysGuard.D

Details

Aliases:Rogue:W32/SysGuard.D, Rogue:W32/SysGuard.E, Trojan-Downloader:W32/FraudPack.AB, Trojan.Win32.FraudPack.zyw, Trojan.Win32.FraudPack.zyb
Category:Malware
Type:Rogue
Platform:W32

Summary



Dishonest antivirus software which tricks users into buying or installing it, usually by infecting a user's computer, or by pretending the computer is infected.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



Rogue:W32/Sysguard is distributed by Trojan-Downloader:W32/FraudLoad.HK. While active, the rogue also occasionally displays popup advertisements and attempts to connect to a few remote sites.

Execution

During execution, the following files are added:

  • %temp%\571.exe
  • %localappdata%\[random folder name]\[4 random characters]sysguard.exe
  • %windir%\system32\iehelper.dll

The hosts file is also modified, with one of the following sets of entries added (each set pins the rogue's own domain, and a fake microsoft.com subdomain, to the same IP address):

  • 91.212.127.227 aviraplatinum2009.microsoft.com
  • 91.212.127.227 aviraplatinum2009.com
  • 91.212.127.227 www.aviraplatinum2009.com

OR

  • 91.212.127.227 antiviraprof2009.microsoft.com
  • 91.212.127.227 antiviraprof2009.com
  • 91.212.127.227 www.antiviraprof2009.com

Activity

Upon execution, SysGuard starts a fake scan of the system (the original page shows a screenshot of the scan window).

To pressure the user further, SysGuard prevents some programs from launching and displays a message alleging that the blocked program is infected and asking the user to 'start your antivirus software' (the original page shows a screenshot of this message).

While active, the rogue attempts to connect to the following URLs:

  • http://91.212.[...].227/check
  • http://193.[...].12.51/check
  • http://aviraplatinum2009.com/[...].php?[...].1

From time to time, it displays popup ads pointing at the following websites (written here with a space to keep them from being clickable):

  • www.porno. com
  • www.adult. com
  • www.viagra. com

Registry Changes

The rogue makes the following changes to the Registry

  • [HKCR\CLSID\{B6D223F6-C185-49a2-BA7E-A03E84744702}] @="BHO"
  • [HKCR\CLSID\{B6D223F6-C185-49a2-BA7E-A03E84744702}\InProcServer32] @="C:\WINDOWS\system32\iehelper.dll" ThreadingModel="Apartment"
  • [HKLM\Software\Classes\CLSID\{B6D223F6-C185-49a2-BA7E-A03E84744702}] @="BHO"
  • [HKLM\Software\Classes\CLSID\{B6D223F6-C185-49a2-BA7E-A03E84744702}\InProcServer32] @="C:\WINDOWS\system32\iehelper.dll" ThreadingModel="Apartment"
  • [HKLM\Software\Microsoft\Windows\CurrentVersion\run] {random_value}="%localappdata%\[random folder name]\[4 random characters]sysguard.exe"
  • [HKCU\Software\AvScan]
  • [HKCU\Software\Microsoft\Windows\CurrentVersion\run] {random_value}="%localappdata%\[random folder name]\[4 random characters]sysguard.exe"
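The registry entries above can be checked offline against an exported .reg file, as in the following added example, which is not part of the F-Secure description. It parses the export, then flags the rogue's BHO CLSID, any InProcServer32 default value that loads iehelper.dll, any Run value whose path matches the `[4 characters]sysguard.exe` naming pattern, and the HKCU\Software\AvScan key. The sample export, the user name, the folder and file names and the helper names are constructed for this example; the page gives only the patterns.

```python
import re
from typing import Dict, List, Tuple

# Constructed .reg export (not from a real infection). Regedit escapes backslashes
# as "\\" inside string data, so this is written as a raw string.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B6D223F6-C185-49a2-BA7E-A03E84744702}]
@="BHO"

[HKEY_CLASSES_ROOT\CLSID\{B6D223F6-C185-49a2-BA7E-A03E84744702}\InProcServer32]
@="C:\\WINDOWS\\system32\\iehelper.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"a1b2c3"="C:\\Users\\victim\\AppData\\Local\\qwxzpl\\kjhgsysguard.exe"

[HKEY_CURRENT_USER\Software\AvScan]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"d4e5f6"="C:\\Users\\victim\\AppData\\Local\\qwxzpl\\kjhgsysguard.exe"
"""

# Indicators taken from the page.
ROGUE_CLSID = "{B6D223F6-C185-49a2-BA7E-A03E84744702}".lower()
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
# "[4 random characters]sysguard.exe" as the last path component.
SYSGUARD_RE = re.compile(r"\\[^\\]{4}sysguard\.exe$", re.IGNORECASE)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Map each key path in a .reg export to its string values ('@' is the default value)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = "@" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            # Undo regedit's escaping of backslashes and quotes in string data.
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        keys[current][name] = data
    return keys


def find_indicators(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (key path, reason) for every key or value matching the page's indicators."""
    findings = []
    for path, values in keys.items():
        p = path.lower()
        if p.endswith("\\clsid\\" + ROGUE_CLSID):
            findings.append((path, "rogue BHO CLSID registered"))
        if p.endswith("\\inprocserver32") and values.get("@", "").lower().endswith("\\iehelper.dll"):
            findings.append((path, "InProcServer32 loads iehelper.dll"))
        if p.endswith(RUN_KEY_SUFFIX):
            for name, data in values.items():
                if SYSGUARD_RE.search(data):
                    findings.append((path, "Run value %r launches %s" % (name, data)))
        if p == r"hkey_current_user\software\avscan":
            findings.append((path, "AvScan key present"))
    return findings


if __name__ == "__main__":
    for path, reason in find_indicators(parse_reg(SAMPLE_REG)):
        print("%s: %s" % (path, reason))
```

The Run-value check matches on the file name pattern rather than the random folder name, so it also catches the variant where the value data uses the `%localappdata%` form shown in the list above. The export can be produced with `reg export` on the host and examined on a clean machine.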
