Virus Encyclopedia
Welcome to the Virus Encyclopedia of Panda Security.
Effects
WinEnterpriseDefender is an adware program that carries out the following actions:
- Once installed, it creates an icon on the Desktop and a shortcut that gives direct access to the program:

- Then, the interface of the program is displayed, advising users to scan their computer in order to check if it is infected:

- Once the scan is finished, users are informed that several threats have been detected in the system and are advised to click the "Proteger ahora" (Protect now) button to remove them:

- Then, users are redirected to a website where the antivirus solution can be purchased:

- If users do not follow the recommendations of the program, several warning messages are displayed, informing users about attacks against the computer. The following are some examples:


In addition, WinEnterpriseDefender carries out the following actions:
- It redirects searches to the web page http://search<blocked>ala.com, which displays results selected by the cyber-crook.
- It adds itself to the Windows firewall's list of authorized applications, in order to avoid being blocked.
- It ends the processes belonging to active antivirus programs.
Infection strategy
WinEnterpriseDefender creates the following folders:
- WEDDSys, on the Desktop and in the path C:\Documents and Settings\All Users\Application data
- 9e52d, in the path C:\Documents and Settings\All Users\Application data
WinEnterpriseDefender creates the following files:
- WE7D0.EXE, in the path C:\Documents and Settings\All Users\Application data\9e52d.
- WED.CFG, in the path C:\Documents and Settings\All Users\Application data\WEDDSys.
- 278.MOF, WED.ICO, WINDOWS ENTERPRISE DEFENDER.LNK, VD952342.BD and VDAI.NTF, on the Desktop.
- WINDOWS ENTERPRISE DEFENDER.LNK, in the path C:\Documents and Settings\%username%\Application data\Microsoft\Internet Explorer\Quick Launch
- A program group in the Start menu called Windows Enterprise Defender, which contains several links.
WinEnterpriseDefender modifies the HOSTS file, so that the user cannot access search websites.
WinEnterpriseDefender creates the following entries in the Windows Registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Enterprise Defender = C:\Documents and Settings\All Users\Application data\9e52d\WE7d0.exe /s /d
By creating this entry, WinEnterpriseDefender ensures that it is run whenever Windows is started.
- HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes
URL = http://search-gala.com/?&uid=7&q={searchTerms}
By creating this entry, it redirects searches to a specific search engine.
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
%path in which the program has been run%\00015289-0001.WEf82d.exe = %path in which the program has been run%\00015289-0001.WEf82d.exe:*:Enabled:Windows Enterprise Defender
By creating this entry, it adds itself to the Windows firewall's list of authorized programs.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Debugger = svchost.exe
By creating this entry, it ends all the processes belonging to antivirus programs.
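The registry entries listed above can be checked offline against a .reg export taken from a suspect machine. The following is an added example, not part of the original encyclopedia entry; the sample export is constructed, and the example-av.exe subkey is a hypothetical placeholder (the entry only names the Image File Execution Options key).

```python
import re

# Indicators from the entry above: (key fragment, value name, data regex).
# A value name of None matches any value under that key.
INDICATORS = [
    (r"\microsoft\windows\currentversion\run", "windows enterprise defender", r"."),
    (r"\internet explorer\searchscopes", "url", r"search-gala\.com"),
    (r"\authorizedapplications\list", None, r":enabled:windows enterprise defender$"),
    (r"\image file execution options", "debugger", r"^svchost\.exe$"),
]

def parse_reg(text):
    """Yield (key, name, data) for string values in the text of a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)):
            # .reg files escape backslashes and quotes with a backslash.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            yield key, name, data

def find_indicators(text):
    """Return the (key, name, data) triples that match a listed indicator."""
    hits = []
    for key, name, data in parse_reg(text):
        for fragment, want, pattern in INDICATORS:
            # Substring match on the key so subkeys and other control sets count too
            # (assumption: a Debugger value may sit under a per-executable subkey).
            if (fragment in key.lower() and want in (None, name.lower())
                    and re.search(pattern, data.lower())):
                hits.append((key, name, data))
    return hits

# Constructed sample export; example-av.exe is a hypothetical subkey name.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Enterprise Defender"="C:\\Documents and Settings\\All Users\\Application data\\9e52d\\WE7d0.exe /s /d"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes]
"URL"="http://search-gala.com/?&uid=7&q={searchTerms}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example-av.exe]
"Debugger"="svchost.exe"
'''

if __name__ == "__main__":
    print(*find_indicators(SAMPLE), sep="\n")
```

Real exports are usually UTF-16 encoded, so decode the file before passing its text to find_indicators.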
Means of transmission
WinEnterpriseDefender can reach the computer when the user visits certain websites that display banners or pop-up windows leading to the download of this program. It can also arrive through a link received via spam messages, fraudulent websites, etc.
Further Details
WinEnterpriseDefender is 2,228,224 bytes in size.