Oct 14

Cyber Security Adware Removal Instructions

The Emsi Software malware research team has discovered a new outbreak of the Cyber Security adware. a-squared Anti-Malware detects this malware as Adware.Win32.CyberSecurity.

Cyber Security is a new rogue scanner program. It shows misleading scan results and fake security alerts to convince the user that their computer is infected with malware. The author of Cyber Security is the same one who made TotalSecurity (Adware.Win32.TotalSecurity). To further convince users, Cyber Security also creates numerous files on the computer that are then "detected" as malware when the program scans the system, but it will not allow you to remove them until you purchase it. In addition, Cyber Security installs a new BHO (Browser Helper Object) on the victim's machine.

This rogue scanner detects when it is running inside a virtual machine; the goal, of course, is to make analysis more difficult.

When running in a virtual environment, Cyber Security displays a fake error message like this:

Once the VM check is bypassed, the application downloads the main rogue application from this address:

Files created:

  • %AllUsersProfile%\Start Menu\CS\Computer Scan.lnk
  • %AllUsersProfile%\Start Menu\CS\Cyber Security.lnk
  • %AllUsersProfile%\Start Menu\CS\Help.lnk
  • %AllUsersProfile%\Start Menu\CS\Registration.lnk
  • %AllUsersProfile%\Start Menu\CS\Security Center.lnk
  • %AllUsersProfile%\Start Menu\CS\Settings.lnk
  • %AllUsersProfile%\Start Menu\CS\Update.lnk
  • %AppData%\Microsoft\Internet Explorer\Quick Launch\CS.lnk
  • %UserProfile%\Desktop\Cyber Security.lnk
  • %ProgramFiles%\Common Files\CSUninstall
  • %ProgramFiles%\Common Files\CSUninstall\Uninstall.lnk
  • %ProgramFiles%\CS\cs.exe
  • %SystemRoot%\system32\iehelpmod.dll

Registry entries created:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\uninstall\CS
  • HKEY_CLASSES_ROOT\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, CS
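The file and registry lists above are the indicators a responder would check a host or a forensic image against. The following script is an added example (not part of the original advisory and not Emsi Software's tooling): it takes the indicators exactly as listed, expands the %Var% path placeholders with a constructed XP-era English profile (the advisory gives only the placeholder form, so the concrete paths are an assumption), and matches them against a constructed file listing and registry export supplied inline. Paths and value names are compared case-insensitively, as Windows does, and a registry key indicator is considered present if the key itself or any subkey appears in the export.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# File indicators exactly as listed in the advisory (placeholder form).
FILE_IOCS = [
    r"%AllUsersProfile%\Start Menu\CS\Computer Scan.lnk",
    r"%AllUsersProfile%\Start Menu\CS\Cyber Security.lnk",
    r"%AllUsersProfile%\Start Menu\CS\Help.lnk",
    r"%AllUsersProfile%\Start Menu\CS\Registration.lnk",
    r"%AllUsersProfile%\Start Menu\CS\Security Center.lnk",
    r"%AllUsersProfile%\Start Menu\CS\Settings.lnk",
    r"%AllUsersProfile%\Start Menu\CS\Update.lnk",
    r"%AppData%\Microsoft\Internet Explorer\Quick Launch\CS.lnk",
    r"%UserProfile%\Desktop\Cyber Security.lnk",
    r"%ProgramFiles%\Common Files\CSUninstall",
    r"%ProgramFiles%\Common Files\CSUninstall\Uninstall.lnk",
    r"%ProgramFiles%\CS\cs.exe",
    r"%SystemRoot%\system32\iehelpmod.dll",
]

# Registry indicators as (key, value name); value name None means the key itself.
REGISTRY_IOCS: List[Tuple[str, Optional[str]]] = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\uninstall\CS", None),
    (r"HKEY_CLASSES_ROOT\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}", None),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
     r"\Browser Helper Objects\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}", None),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "CS"),
]

# Constructed expansion profile (assumed XP-era English layout, user "alice").
PROFILE = {
    "AllUsersProfile": r"C:\Documents and Settings\All Users",
    "AppData": r"C:\Documents and Settings\alice\Application Data",
    "UserProfile": r"C:\Documents and Settings\alice",
    "ProgramFiles": r"C:\Program Files",
    "SystemRoot": r"C:\WINDOWS",
}

_PLACEHOLDER = re.compile(r"%([A-Za-z]+)%")


def expand(path: str, profile: Dict[str, str]) -> str:
    """Replace %Var% placeholders using the profile; names are case-insensitive."""
    lookup = {k.lower(): v for k, v in profile.items()}

    def sub(m: "re.Match[str]") -> str:
        name = m.group(1).lower()
        if name not in lookup:
            raise KeyError(f"no expansion for %{m.group(1)}%")
        return lookup[name]

    return _PLACEHOLDER.sub(sub, path)


def norm(p: str) -> str:
    """Normalise a path or key for comparison: trim, drop trailing '\\', lowercase."""
    return p.strip().rstrip("\\").lower()


def match_files(inventory: Iterable[str], profile: Dict[str, str] = PROFILE) -> List[str]:
    """Return the advisory's file indicators (placeholder form) found in the listing."""
    present = {norm(p) for p in inventory}
    return [ioc for ioc in FILE_IOCS if norm(expand(ioc, profile)) in present]


def match_registry(export: Iterable[Tuple[str, str]]) -> List[str]:
    """export: (key, value_name) pairs; use "" as value_name for a bare key."""
    present = {(norm(k), v.lower()) for k, v in export}
    hits = []
    for key, value in REGISTRY_IOCS:
        k = norm(key)
        if value is None:
            # Key indicator: the key itself or any subkey in the export counts.
            if any(pk == k or pk.startswith(k + "\\") for pk, _ in present):
                hits.append(key)
        elif (k, value.lower()) in present:
            hits.append(key + ", " + value)
    return hits


# Constructed sample inventory: three advisory artifacts plus benign noise.
SAMPLE_FILES = [
    r"C:\Program Files\CS\cs.exe",
    r"C:\WINDOWS\system32\iehelpmod.dll",
    r"C:\Documents and Settings\alice\Desktop\Cyber Security.lnk",
    r"C:\WINDOWS\system32\kernel32.dll",  # benign, must not match
]
SAMPLE_REGISTRY = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "CS"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe"),  # benign
    (r"HKEY_CLASSES_ROOT\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}\InprocServer32", ""),
]


def triage(files=SAMPLE_FILES, registry=SAMPLE_REGISTRY) -> Dict[str, List[str]]:
    """Run both matchers and return hits grouped by indicator type."""
    return {"files": match_files(files), "registry": match_registry(registry)}


if __name__ == "__main__":
    for kind, hits in triage().items():
        print(f"{kind}: {len(hits)} indicator(s) present")
        for h in hits:
            print("   ", h)
```

On a real host the two inline lists would be replaced by a recursive directory listing and a registry export; matching on the BHO CLSID key and the Run value is the quickest confirmation, since those are what keep the rogue scanner active after a reboot.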

Malware screenshots:

How to remove an Adware.Win32.CyberSecurity infection

To remove this infection, download and install a-squared Anti-Malware, run a full scan on all drives, and move all detected items to quarantine.
