Effects
SecurityEssentials2010 is an adware program that uses the same name as Microsoft's free antimalware protection, Microsoft Security Essentials, in order to deceive users into thinking it is a Microsoft product.
It carries out the following actions:
- It reaches the computer in a file with the following icon:

- When it is run and installed, the program's interface is displayed and it starts scanning the system in search of possible malware:

- Once finished, it displays a warning message informing users that their computer is infected:

- If users follow the program's instructions, they will be redirected to a website where it can be purchased:

Additionally, SecurityEssentials2010 carries out several modifications in the Windows Registry of the affected computer, which have the following consequences:
- It disables the Task Manager, which prevents the user from viewing the processes that are running.
- It prevents users from changing the Desktop wallpaper.
Infection strategy
SecurityEssentials2010 creates a directory called Securityessentials2010 in the Program Files directory.
SecurityEssentials2010 creates the following files:
- SE2010.EXE, which is a copy of itself, in the folder Securityessentials2010 of the Program Files directory.
- SMSS32.EXE, WINLOGON32.EXE, 41.EXE, HELPERS32.DLL and WARNINGS.HTML, in the Windows system directory.
- SECURITY ESSENTIALS 2010.LNK, on the Desktop and in the Start menu. This file is a shortcut to the program.
SecurityEssentials2010 creates the following entries in the Windows Registry:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Security essentials 2010 = C:\Program Files\Securityessentials2010\SE2010.exe
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
smss32.exe = %sysdir%\smss32.exe
where %sysdir% is the Windows system directory.
By creating these entries, SecurityEssentials2010 ensures that it is run whenever Windows is started.
- HKEY_CURRENT_USER\Software\SE2010
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr = 1
It disables the Task Manager.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoChangingWallpaper
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoActiveDesktopChanges = 1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoSetActiveDesktop
By creating these entries, it does not allow users to change the Desktop wallpaper.
It also creates the following Windows Registry entries in order to add as trusted websites certain web pages from which this program can be downloaded:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-secu<blocked>sentials.com
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\downlo<blocked>ft-package.com
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\downloa<blocked>tware-package.com
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\get-k<blocked>-se10.com
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is-softw<blocked>ownload.com
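An added example, not part of the original description: a Python triage check that scans the text of a regedit export for the Run, SE2010 and policy entries listed above. It assumes the export has already been decoded to text (regedit writes UTF-16); the function names and the sample export are constructed here, and the ZoneMap entries are left out because the page redacts the domain names.

```python
import re

# Registry indicators from the entries listed above: (key, value name, expected data).
# name None = the key itself is the indicator; data None = flag the value's presence.
CV = r"\Microsoft\Windows\CurrentVersion"
HKCU, HKLM = r"HKEY_CURRENT_USER\Software", r"HKEY_LOCAL_MACHINE\SOFTWARE"
INDICATORS = [
    (HKCU + CV + r"\Run", "Security essentials 2010", None),
    (HKCU + CV + r"\Run", "smss32.exe", None),
    (HKCU + r"\SE2010", None, None),
    (HKCU + CV + r"\Policies\System", "DisableTaskMgr", 1),
    (HKLM + CV + r"\policies\ActiveDesktop", "NoChangingWallpaper", None),
    (HKLM + CV + r"\policies\Explorer", "NoActiveDesktopChanges", 1),
    (HKLM + CV + r"\policies\Explorer", "NoSetActiveDesktop", None),
]

def parse_reg_export(text):
    """Parse regedit export text into {key: {value name: data}}, names lower-cased."""
    hive, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()  # registry key names are case-insensitive
            hive.setdefault(key, {})
        elif key is not None and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)):
            raw = m.group(2)
            # dword data becomes an int; string data loses its quotes and .reg escaping
            data = int(raw[6:], 16) if raw.startswith("dword:") else raw.strip('"').replace("\\\\", "\\")
            hive[key][m.group(1).lower()] = data
    return hive

def find_indicators(text):
    """Return the listed registry indicators that are present in the export text."""
    hive, hits = parse_reg_export(text), []
    for key, name, expected in INDICATORS:
        values = hive.get(key.lower())
        if values is not None and name is None:
            hits.append(key)
        elif values and name.lower() in values and expected in (None, values[name.lower()]):
            hits.append(key + "\\" + name)
    return hits

# Constructed sample export (not taken from a real machine).
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"smss32.exe"="C:\\WINDOWS\\system32\\smss32.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"""
```

The policy values can also be set legitimately by an administrator, so the Run values and the SE2010 key are the stronger signals.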
Means of transmission
SecurityEssentials2010 can reach the computer when the user accesses certain websites that display banners or pop-up windows leading to the download of this program. It can also reach the computer through a link received via spam messages, fraudulent websites, etc.
Further Details
SecurityEssentials2010 is 1,526,784 bytes in size.