Threat Description

Rogue: ​W32/SysGuard.D

Details

Category: Malware
Type: Rogue
Platform: W32
Aliases: Rogue:​W32/SysGuard.D, Rogue:​W32/SysGuard.E, Trojan-Downloader:W32/FraudPack.AB, Trojan.Win32.FraudPack.zyw, Trojan.Win32.FraudPack.zyb

Summary


Dishonest antivirus software which tricks users into buying or installing it, usually by infecting a user's computer, or by pretending the computer is infected.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.



Technical Details


Rogue:W32/Sysguard is distributed by Trojan-Downloader:W32/FraudLoad.HK. While active, the rogue also occasionally displays popup advertisements and attempts to connect to a few remote sites.

Execution

During execution, the following files are added:

  • %temp%\571.exe
  • %localappdata%\[random folder name]\[4 random characters]sysguard.exe
  • %windir%\system32\iehelper.dll

While the following hosts files are modified, with the following contents:

  • 91.212.127.227 aviraplatinum2009.microsoft.com
  • 91.212.127.227 aviraplatinum2009.com
  • 91.212.127.227 www.aviraplatinum2009.com

OR

  • 91.212.127.227 antiviraprof2009.microsoft.com
  • 91.212.127.227 antiviraprof2009.com
  • 91.212.127.227 www.antiviraprof2009.com
Activity

Upon execution, SysGuard will start the scanning process, which looks like the following screenshot:

To pressure the user further, SysGuard prevents some programs from launching, then displays the following message alleging that the program is infected and asking the user to 'start your antivirus software':

While active, the rogue attempts to connect the following URLs:

  • https://91.212.[...].227/check
  • https://193.[...].12.51/check
  • https://aviraplatinum2009.com/[...].php?[...].1

From time to time, it will display popup ads to the following websites:

  • www.porno. com
  • www.adult. com
  • www.viagra. com
Registry Changes

The rogue makes the following changes to the Registry

  • [HKCR\CLSID\{B6D223F6-C185-49a2-BA7E-A03E84744702}] @="BHO"
  • [HKCR\CLSID\{B6D223F6-C185-49a2-BA7E-A03E84744702}\InProcServer32] @= C:\WINDOWS\system32\iehelper.dll" ThreadingModel="Apartment"
  • [HKLM\Software\Classes\CLSID\{B6D223F6-C185-49a2-BA7E-A03E84744702}] @="BHO"
  • [HKLM\Software\Classes\CLSID\{B6D223F6-C185-49a2-BA7E-A03E84744702}\InProcServer32] @="C:\WINDOWS\system32\iehelper.dll" ThreadingModel="Apartment"
  • [HKLM\Software\Software\Microsoft\Windows\CurrentVersion\run] {random_value}="%localappdata%\[random folder name]\[4 random characters]sysguard.exe"
  • [HKCU\Software\AvScan]
  • [HKCU\Software\Microsoft\Windows\CurrentVersion\run] {random_value}="%localappdata%\[random folder name]\[4 random characters]sysguard.exe"





SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More