
Rogue:W32/SysGuard.D


First posted on 17 November 2009.
Source: SecurityHome

Aliases:

There are no other names known for Rogue:W32/SysGuard.D.

Explanation:

Dishonest antivirus software which tricks users into buying or installing it, usually by infecting a user's computer, or by pretending the computer is infected.

Additional Details

Rogue:W32/Sysguard is distributed by Trojan-Downloader:W32/FraudLoad.HK. While active, the rogue also occasionally displays popup advertisements and attempts to connect to a few remote sites.

Execution

During execution, the following files are added:

  • %temp%\571.exe
  • %localappdata%\[random folder name]\[4 random characters]sysguard.exe
  • %windir%\system32\iehelper.dll

The hosts file is also modified, with one of the following sets of entries added:

  • 91.212.127.227 aviraplatinum2009.microsoft.com
  • 91.212.127.227 aviraplatinum2009.com
  • 91.212.127.227 www.aviraplatinum2009.com

OR

  • 91.212.127.227 antiviraprof2009.microsoft.com
  • 91.212.127.227 antiviraprof2009.com
  • 91.212.127.227 www.antiviraprof2009.com

Activity

Upon execution, SysGuard will start the scanning process, which looks like the following screenshot:



To pressure the user further, SysGuard prevents some programs from launching, then displays the following message alleging that the program is infected and asking the user to 'start your antivirus software':



While active, the rogue attempts to connect to the following URLs:

  • http://91.212.[...].227/check
  • http://193.[...].12.51/check
  • http://aviraplatinum2009.com/[...].php?[...].1

From time to time, it will display popup ads for the following websites:

  • www.porno. com
  • www.adult. com
  • www.viagra. com

Registry Changes

The rogue makes the following changes to the Registry:

  • [HKCR\CLSID\{B6D223F6-C185-49a2-BA7E-A03E84744702}]
    @="BHO"
  • [HKCR\CLSID\{B6D223F6-C185-49a2-BA7E-A03E84744702}\InProcServer32]
    @="C:\WINDOWS\system32\iehelper.dll"
    ThreadingModel="Apartment"
  • [HKLM\Software\Classes\CLSID\{B6D223F6-C185-49a2-BA7E-A03E84744702}]
    @="BHO"
  • [HKLM\Software\Classes\CLSID\{B6D223F6-C185-49a2-BA7E-A03E84744702}\InProcServer32]
    @="C:\WINDOWS\system32\iehelper.dll"
    ThreadingModel="Apartment"
  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    {random_value}="%localappdata%\[random folder name]\[4 random characters]sysguard.exe"
  • [HKCU\Software\AvScan]
  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    {random_value}="%localappdata%\[random folder name]\[4 random characters]sysguard.exe"
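As an added defender-side example (not part of the original description), the following Python checks a hosts file and a regedit export for the indicators listed above: hosts entries pointing at 91.212.127.227, the BHO CLSID, and a Run-key value launching sysguard.exe. The sample hosts file and .reg fragment are constructed here for illustration, not captured from an infection.

```python
# Indicators taken from the Rogue:W32/SysGuard.D description above.
SINKHOLE_IP = "91.212.127.227"
BHO_CLSID = "{B6D223F6-C185-49a2-BA7E-A03E84744702}"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)

def check_hosts(hosts_text):
    """Return (ip, hostname) pairs in a hosts file that resolve to the rogue's IP."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        if ip == SINKHOLE_IP:
            hits.extend((ip, name) for name in names)
    return hits

def check_registry_export(reg_text):
    """Scan a 'regedit /e' export for the BHO CLSID key and sysguard.exe Run entries."""
    findings, current_key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            if BHO_CLSID.lower() in current_key.lower():
                findings.append(("bho_clsid", current_key))
        elif current_key and "=" in line:
            name, value = line.split("=", 1)
            in_run_key = any(current_key.lower() == k.lower() for k in RUN_KEYS)
            if in_run_key and "sysguard.exe" in value.lower():
                findings.append(("run_key", current_key + "\\" + name.strip('"')))
    return findings

# Constructed sample inputs (not real captures).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
91.212.127.227 aviraplatinum2009.microsoft.com
91.212.127.227 aviraplatinum2009.com   # injected entry
"""
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B6D223F6-C185-49a2-BA7E-A03E84744702}]
@="BHO"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"qxkz"="C:\\Users\\bob\\AppData\\Local\\abcd\\qxkzsysguard.exe"
"""
```

Running `check_hosts(SAMPLE_HOSTS)` and `check_registry_export(SAMPLE_REG)` flags both injected hosts lines, the CLSID key and the `qxkz` Run value while leaving the legitimate `ctfmon` entry alone.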

Last update 17 November 2009
