Effects
SecurityTool is an adware program that carries out the following actions:
- It reaches the computer in a file with the following icon:

- When it is run and installed, the interface of the program is displayed and starts scanning the system in search for possible malware:

- Once finished, it displays a warning message informing users that their computer is infected:

- If users follow the program's instructions, they are redirected to a website where the program can be purchased:
- If users do not follow the program's instructions, once the computer is restarted it carries out these other actions:
- It prevents executable files from being run. When users attempt to run any of them, the following message is displayed on screen:

- It hides the icons of the Desktop, leaving it this way:

- This way, users cannot continue working with the computer.
Infection strategy
SecurityTool creates a directory whose name consists of random digits in the Application Data folder of the Documents and Settings directory.
SecurityTool creates the following files:
- an EXE file and a BAT file, both with the same name as the directory created by the program, in the Application Data folder of the Documents and Settings directory.
- SECURITY TOOL.LNK, in the option Programs of the Start menu.
SecurityTool creates the following entries in the Windows Registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\%random name%
where %random name% is the same as the name of the directory and files previously mentioned.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%random name% = C:\Documents and Settings\All Users\Application Data\%random name of the directory%\%random name of the file%.EXE
By creating this entry, SecurityTool ensures that it is run whenever Windows is started.
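The persistence pattern described above (a Run value whose name, the directory it points into and the executable it launches are all the same string of random digits under All Users\Application Data) can be checked programmatically. The following Python is an added example written for this page, not a tool from the vendor; the Run values in SAMPLE_RUN_VALUES are constructed, and the optional live read uses the standard-library winreg module on a Windows host.

```python
import re
from typing import Iterable, List, Tuple

# Path shape taken from the page's description of the Run entry:
#   C:\Documents and Settings\All Users\Application Data\<digits>\<digits>.EXE
# (the BAT file dropped alongside it is accepted as well).
RUN_VALUE_RE = re.compile(
    r"^[A-Za-z]:\\Documents and Settings\\All Users\\Application Data"
    r"\\(?P<dir>\d+)\\(?P<file>\d+)\.(?P<ext>exe|bat)$",
    re.IGNORECASE,
)


def is_securitytool_run_entry(name: str, value: str) -> bool:
    """True when a Run value has a digits-only name and launches a digits-named
    file inside a directory of the same name, as SecurityTool does."""
    if not name.isdigit():
        return False
    m = RUN_VALUE_RE.match(value.strip().strip('"'))
    if m is None:
        return False
    # All three names must agree: value name, directory name and file name.
    return m.group("dir") == m.group("file") == name


def find_securitytool_entries(run_values: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Filter (name, value) pairs from a Run key down to those matching the pattern."""
    return [(n, v) for n, v in run_values if is_securitytool_run_entry(n, v)]


def read_hklm_run_values() -> List[Tuple[str, str]]:
    """Enumerate HKLM\\...\\CurrentVersion\\Run on a live Windows host (empty elsewhere)."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return []
    values: List[Tuple[str, str]] = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run") as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            values.append((name, str(data)))
            i += 1
    return values


# Constructed sample: one benign entry, one matching entry, one near miss.
SAMPLE_RUN_VALUES = [
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("48254178", r"C:\Documents and Settings\All Users\Application Data\48254178\48254178.exe"),
    ("48254178", r"C:\Documents and Settings\All Users\Application Data\48254178\12345678.exe"),
]
```

Run find_securitytool_entries(read_hklm_run_values()) on a host to check the real key; only the second constructed entry above matches, since the third uses a file name that differs from the directory and value names.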
Means of transmission
SecurityTool can reach the computer when the user visits certain websites that display banners or pop-up windows leading to the download of this program. It can also arrive in spam messages that contain attached files or links pointing to the download of this program and that appear to have been sent by Microsoft or Facebook, among others.
Additionally, we have detected several BlackHat SEO attacks (see Note below) used to distribute this fake antivirus, exploiting topics such as the earthquake in Haiti, Google's Nexus One and the deaths of celebrities, among others.
Note:
SEO stands for Search Engine Optimization. Basically, it refers to techniques used to improve the positioning of web pages in search engines (Yahoo, Google, etc.). BlackHat SEO refers specifically to the use of SEO techniques by cyber-criminals to promote their web pages.
Further Details
SecurityTool is 1,045,504 bytes in size.