
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


VolcanoSecuritySuite

 
Threat level: Low threat
Damage: High
Distribution: Not widespread

Effects 

VolcanoSecuritySuite is an adware program that carries out the following actions:

  • It reaches the computer in a file with the following icon:

  • Then, the interface of the program is displayed, advising users to scan their computer in order to check if it is infected:

  • Once the scan is finished, users are informed that several threats have been detected in the system and are advised to click the "Protect now" button to remove them:

  • Then, users will be redirected to a website where the antivirus solution can be purchased:

  • If users do not follow the program's recommendations, several warning messages are displayed, informing them of attacks against the computer. The following is an example:

 

On the other hand, VolcanoSecuritySuite carries out the actions below:

  • When users access the Google website through a certain IP address, they are redirected to websites that warn them that their computer is infected or to websites where fake antivirus programs can be purchased.
    The affected IP address is 74.125.45.100, and the websites to which they are redirected are:
    4-open<blocked>inci.com
    securitysof<blocked>payments.com
    www.secure<blocked>payments.com
    www.getav<blocked>now.com
  • It adds itself to the Windows firewall's list of authorized applications in order to avoid being blocked.
  • It prevents many files belonging to antivirus programs, and even to other fake antivirus programs, from being run, so that the antivirus installed on the system cannot detect it and any other fake antivirus that may be installed cannot run.

Infection strategy 

VolcanoSecuritySuite creates the following folders:

  • Volcano Security Suite, in the path C:\Documents and Settings\%username%\Application Data
  • Backup, in the path where the program has been run.
  • VSSSys, in the path where the program has been run and in the path C:\Documents and Settings\All Users\Application Data.
  • 4208c, in the path C:\Documents and Settings\All Users\Application Data.

 

VolcanoSecuritySuite creates the following files:

  • VSDC6.EXE, in the path C:\Documents and Settings\All Users\Application Data\4208c. This file is a copy of the original file.
  • 645655.REG, 663.MOF, VOLCANO SECURITY SUITE.LNK and VSS.ICO, in the path where the program has been run.
  • WED.CFG, in the path C:\Documents and Settings\All Users\Application Data\WEDDSys.
  • 278.MOF, WED.ICO, WINDOWS ENTERPRISE DEFENDER.LNK, VD952342.BD and VDAI.NTF, on the Desktop.
  • a group of programs in the Start menu called Volcano Security Suite, which contains several links.

 

VolcanoSecuritySuite modifies the HOSTS file in such a way that when users access the Google website through a certain IP address, they are redirected to websites warning users that the computer is infected or websites where fake antivirus can be purchased.

 

VolcanoSecuritySuite creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Volcano Security Suite = C:\Documents and Settings\All Users\Application Data\4208c\VSdc6.exe /s /d
    By creating this entry, VolcanoSecuritySuite ensures that it is run whenever Windows is started.
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    %path in which the program has been run%\8a91d481af28374d4ff8b5f40e5d6005.exe = %path in which the program has been run%\8a91d481af28374d4ff8b5f40e5d6005.exe:*:Enabled:Volcano Security Suite
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    %path in which the program has been run%\8a91d481af28374d4ff8b5f40e5d6005.exe = %path in which the program has been run%\8a91d481af28374d4ff8b5f40e5d6005.exe:*:Enabled:Volcano Security Suite
    By creating these entries, the program adds itself to the Windows firewall's list of authorized applications.

 

Additionally, it creates many entries in the Windows Registry that point to files belonging to antivirus programs, or even to other fake antivirus programs, in order to prevent them from being run and to leave the computer unprotected.

One of the entries it creates is the following:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirus.exe
    Debugger = svchost.exe
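
An added example, not part of Panda's entry: a Python triage pass over the text of a `reg export` that flags the three registry behaviours listed above (the Run autostart, the firewall AuthorizedApplications entry and the Image File Execution Options Debugger value). It assumes the export has already been decoded to text (real exports are UTF-16); the rule names, the user-writable directory heuristic, the C:\Downloads path and the ExampleUpdater entry are constructed for illustration.

```python
import re

# Constructed sample: decoded text of a `reg export`, using the values this entry lists.
# The C:\Downloads directory and the ExampleUpdater entry are made up for illustration.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Volcano Security Suite"="C:\\Documents and Settings\\All Users\\Application Data\\4208c\\VSdc6.exe /s /d"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Downloads\\8a91d481af28374d4ff8b5f40e5d6005.exe"="C:\\Downloads\\8a91d481af28374d4ff8b5f40e5d6005.exe:*:Enabled:Volcano Security Suite"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirus.exe]
"Debugger"="svchost.exe"
'''

STRING_VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
USER_WRITABLE = ("\\application data\\", "\\appdata\\", "\\temp\\")  # assumed heuristic

def parse_reg(text):
    """Yield (key, name, value) for each string value in .reg export text."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := STRING_VALUE.match(line)):
            # .reg files escape backslashes and quotes inside strings
            yield (key, *(re.sub(r"\\(.)", r"\1", g) for g in m.groups()))

def triage(text):
    """Return (rule, subject, detail) findings for the three behaviours above."""
    findings = []
    for key, name, value in parse_reg(text):
        k, v = key.lower(), value.lower()
        if "\\image file execution options\\" in k and name.lower() == "debugger":
            # A Debugger value makes Windows start `value` instead of the named image
            findings.append(("ifeo-debugger", key.rsplit("\\", 1)[1], value))
        elif k.endswith("\\authorizedapplications\\list"):
            p = value.rsplit(":", 3)  # path : scope : state : label
            if len(p) == 4 and p[2].lower() == "enabled" and p[1] == "*":
                findings.append(("firewall-allow-any", p[0], p[3]))
        elif k.endswith("\\currentversion\\run") and any(d in v for d in USER_WRITABLE):
            findings.append(("run-from-user-writable-dir", name, value))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep=" | ")
```

Findings are leads for review rather than verdicts: a Debugger value or an autostart from a data directory can also be set by legitimate software.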

Means of transmission 

VolcanoSecuritySuite can reach the computer when the user accesses certain websites that display banners or pop-up windows leading to the download of this program. It can also reach the computer through a link received via spam messages, fraudulent websites, etc.

Further Details  

VolcanoSecuritySuite is 2,603,521 bytes in size.