1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Labs
  2. Threats
  3. Virus and threat descriptions
  4. Rogue:W32/SysGuard.D

Rogue:W32/SysGuard.D

Name : Rogue:W32/SysGuard.D
Detection Names : Rogue:W32/SysGuard.D, Rogue:W32/SysGuard.E, Trojan-Downloader:W32/FraudPack.AB
Trojan.Win32.FraudPack.zyw, Trojan.Win32.FraudPack.zyb
Category:Malware
Type:Rogue
Platform:W32

Summary

Dishonest antivirus software which tricks users into buying or installing it, usually by infecting a user's computer, or by pretending the computer is infected.

Additional Details

Rogue:W32/Sysguard is distributed by Trojan-Downloader:W32/FraudLoad.HK. While active, the rogue also occasionally displays popup advertisements and attempts to connect to a few remote sites.


Execution

During execution, the following files are added:
 
  •  %temp%\571.exe
  •  %localappdata%\[random folder name]\[4 random characters]sysguard.exe
  •  %windir%\system32\iehelper.dll

While the following hosts files are modified, with the following contents:

  •  91.212.127.227 aviraplatinum2009.microsoft.com
  •  91.212.127.227 aviraplatinum2009.com
  •  91.212.127.227 www.aviraplatinum2009.com

OR

  •  91.212.127.227 antiviraprof2009.microsoft.com
  •  91.212.127.227 antiviraprof2009.com
  •  91.212.127.227 www.antiviraprof2009.com

Activity

Upon execution, SysGuard will start the scanning process, which looks like the following screenshot:



To pressure the user further, SysGuard prevents some programs from launching, then displays the following message alleging that the program is infected and asking the user to 'start your antivirus software':




While active, the rogue attempts to connect the following URLs:

  •   http://91.212.[...].227/check
  •   http://193.[...].12.51/check
  •   http://aviraplatinum2009.com/[...].php?[...].1

From time to time, it will display popup ads to the following websites:

  •   www.porno. com
  •   www.adult. com
  •   www.viagra. com


Registry Changes

The rogue makes the following changes to the Registry

  •  [HKCR\CLSID\{B6D223F6-C185-49a2-BA7E-A03E84744702}]
        @="BHO"
  •  [HKCR\CLSID\{B6D223F6-C185-49a2-BA7E-A03E84744702}\InProcServer32]
        @=    C:\WINDOWS\system32\iehelper.dll"
        ThreadingModel="Apartment"
  •  [HKLM\Software\Classes\CLSID\{B6D223F6-C185-49a2-BA7E-A03E84744702}]
        @="BHO"
  •  [HKLM\Software\Classes\CLSID\{B6D223F6-C185-49a2-BA7E-A03E84744702}\InProcServer32]
        @="C:\WINDOWS\system32\iehelper.dll"
        ThreadingModel="Apartment"
  •  [HKLM\Software\Software\Microsoft\Windows\CurrentVersion\run]
        {random_value}="%localappdata%\[random folder name]\[4 random characters]sysguard.exe"
  •  [HKCU\Software\AvScan]
  •  [HKCU\Software\Microsoft\Windows\CurrentVersion\run]
        {random_value}="%localappdata%\[random folder name]\[4 random characters]sysguard.exe"