
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


LivePcCare

 
Threat Level: Low threat
Damage: High
Distribution: Not widespread

Effects 

LivePcCare is an adware program that carries out the following actions:

  • It reaches the computer through several malicious links from which it downloads the program. When users access any of these links, an interface is displayed that simulates a system scan to determine whether the computer is infected.
  • The interface has the following appearance:

    Interface displayed
  • Once finished, it displays deceitful infection results and recommends that users disinfect the computer.
  • In order to do so, it downloads a file with the following icon:

    Icon with which LivePcCare reaches the computer
  • If users run the file, the program will start the installation process:

    Installation process of LivePcCare
  • Then, it starts to carry out a system scan in search of possible malware and displays fake infection results:

    Results of the scan carried out by LivePcCare
  • If users decide to remove these threats, they are redirected to a website where the product can be purchased:

    Website to purchase LivePcCare

Infection strategy 

LivePcCare creates the following folders:

  • LPEIBWICG, in the Program Files directory.
  • d0daa65, in the path C:\Documents and Settings\All Users\Application Data.

 

LivePcCare creates a copy of the program called LPD0DA.EXE.EXE in the folder d0daa65, which it creates in the path C:\Documents and Settings\All Users\Application Data.

 

LivePcCare modifies the HOSTS file so that when users access the websites of certain search engines, such as Google, they are redirected to websites warning them that the computer is infected or to websites where fake antivirus products can be purchased.
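As an added example (not part of the original Panda entry), the following Python check flags HOSTS file lines that pin a search-engine hostname to a non-local address, which is the kind of change described above. The watch list, function names and sample file contents are assumptions constructed for illustration; the page itself names only Google.

```python
import ipaddress

# Assumed watch list: the page names only Google; the other entries are illustrative.
WATCHED_SUFFIXES = ("google.com", "yahoo.com", "bing.com")


def is_watched(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    host = hostname.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def suspicious_hosts_entries(hosts_text):
    """Return (line_no, address, hostname) for watched names pinned to a
    non-loopback, non-null address in HOSTS file content."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # not a valid mapping line
        if addr.is_loopback or addr.is_unspecified:
            continue                           # local/blocking entries are not redirects
        for name in fields[1:]:
            if is_watched(name):
                findings.append((line_no, str(addr), name.lower()))
    return findings


# Constructed sample; addresses are from the RFC 5737 documentation ranges.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.10    www.google.com google.com   # constructed redirect
203.0.113.10    search.yahoo.com
198.51.100.7    intranet.example.test
0.0.0.0         ads.example.test
"""

if __name__ == "__main__":
    for line_no, addr, name in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {addr}")
```

On a Windows system the text to pass in is the content of %SystemRoot%\System32\drivers\etc\hosts; any finding should be reviewed, since search-engine names normally have no entry in that file.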

 

LivePcCare creates the following entry in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Live PC Care = C:\Documents and Settings\All Users\Application Data\d0daa65\LPd0da.exe /s /d
    By creating this entry, LivePcCare ensures that it is run whenever Windows is started.

 

Additionally, it creates many entries in the Windows Registry which point to files belonging mainly to antivirus programs in order to prevent them from being run and to leave the computer unprotected.

Means of transmission 

LivePcCare uses BlackHat SEO techniques to infect as many computers as possible. When users search Google for terms related to the Nexus One (Google's mobile phone), the earthquake in Haiti or the fake death of Johnny Depp, the first results show certain links that seem to point to legitimate websites. However, when users follow any of these links, they are redirected to a website which carries out a scan of the system and warns them that the computer is infected.

The following image is an example of the malicious results displayed when users do certain searches:

Search results related to the Nexus One

 

 

Note: SEO stands for Search Engine Optimization. Basically, it refers to techniques used to improve the positioning of web pages in search engines (Yahoo, Google, etc). BlackHat SEO refers specifically to the use of SEO techniques by cyber-criminals to promote their web pages.

Further Details  

LivePcCare is 246,272 bytes in size.