
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


DesktopSecurity2010

 
Threat Level: Low threat
Damage: High
Distribution: Not widespread

Effects 

DesktopSecurity2010 is an adware program with one feature that sets it apart from other fake antivirus programs: when it displays certain alert messages, a female voice says the following:

NEW VIRUS FOUND

Additionally, in order to make users think that their computer is really infected, from time to time the screen fades to black and other times blinks with different colours.

DesktopSecurity2010 carries out the following actions:

  • It reaches the computer in a file with the following icon:

    Icon with which it reaches the computer
  • When users run this file, the following installation window is displayed:

    Installation window of DesktopSecurity2010
  • If users click the "Install Software" button, the installation process of the fake antivirus program will start:

    Installation process of DesktopSecurity2010
  • Once installed, it starts scanning the system for possible malware and, while it is scanning the computer, it displays alert messages informing users that the computer is infected:

    System scan and infection message displayed by DesktopSecurity2010
  • When the scan is finished, it displays another infection message, warning users of malware in the computer:

    Alert message displayed by DesktopSecurity2010
  • If users decide to eliminate these threats and click the "Remove all" button, a window is displayed informing users that they have to register the product:

    Registration of DesktopSecurity2010
  • If, on the contrary, they decide not to follow the program's instructions, different annoying messages will be displayed, in order to make users think that their computer is infected and that the fake antivirus will protect it against infections.
  • Some of the messages that are displayed on screen are like the following:

    - Deceiving messages to notify users that their computer is protected:

    Message displayed by DesktopSecurity2010

    - It also displays messages that seem to be notifications of several attacks on the system detected by Windows Security Center:

    Message that seems to be displayed by Windows Security Center

    Message that seems to be displayed by Windows Security Center
  • Additionally, when the computer is restarted, before it is fully loaded, it displays a message informing users that the computer is infected and that it is being used to send spam, and recommends that they purchase the license of the program:

    Message that is displayed when the computer is restarted
  • If this window is closed, it displays a message reminding users again that the computer has become a platform to send spam and that the Internet connection will be disconnected:

    Message informing that the computer has become a platform to send spam

Infection strategy 

DesktopSecurity2010 creates a directory called Desktop Security 2010 in the Program Files directory and a group of programs in the Start menu with the same name.

DesktopSecurity2010 creates the following files:

  • DESKTOP SECURITY 2010.EXE and SECURITYCENTER.EXE, which is a copy of itself, in the Desktop Security 2010 folder of the Program Files directory.
  • GCN2TCVWTMWS.EXE, in the Windows system directory.
  • Several links to different options of the program in the Desktop Security 2010 program group of the Start menu.
  • BACKD-EFQ.EXE, GEDX_AE09.EXE, KGN.EXE, KILSLMD.EXEX, KN.A.EXE, PERFLIB_PERFDATA_124.DAT and QWKLRVJHQLKJ.EXE, in the path C:\Documents and Settings\%username%\Local Settings\Temp.
    where %username% is the username of the user that has logged in.

 

DesktopSecurity2010 creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Desktop Security 2010= C:\Archivos de programa\Desktop Security 2010\Desktop Security 2010.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    gcn2tcvwtmws = %sysdir%\gcn2tcvwtmws.exe

    where %sysdir% is the Windows system directory.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityCenter = C:\Program files\Desktop Security 2010\securitycenter.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell = C:\Program Files\Desktop Security 2010\Desktop Security 2010.exe

    By creating these entries, DesktopSecurity2010 ensures that it is run whenever Windows is started.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Desktop Security 2010
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ Desktop Security 2010

DesktopSecurity2010 modifies the following Windows Registry entries, so that the Windows Update Autoupdate Service and the Windows firewall respectively are not automatically run:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
    Start = 4

    It changes this entry to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
    Start = 2
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
    Start = 4

    It changes this entry to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
    Start = 3
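
A triage check for the registry artifacts listed above, added here as an example (it is not Panda Security's code): it parses a registry export in .reg text format and reports the Run values, the per-user Winlogon Shell value, and a Start value of 4 (disabled) on the wuauserv and SharedAccess services. The export text, the `ExampleUpdater` entry and the function names are constructed for illustration.

```python
import re

# Indicators taken from the registry entries listed above (compared case-insensitively).
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
WINLOGON_KEY = r"hkey_current_user\software\microsoft\windows nt\currentversion\winlogon"
SERVICES = r"hkey_local_machine\system\currentcontrolset\services" + "\\"
RUN_NAMES = {"desktop security 2010", "gcn2tcvwtmws", "securitycenter"}
WATCHED_SERVICES = {"wuauserv", "sharedaccess"}
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

# Constructed sample in .reg export format (real exports are UTF-16; decode first).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"SecurityCenter"="C:\\Program files\\Desktop Security 2010\\securitycenter.exe"
"gcn2tcvwtmws"="C:\\WINDOWS\\system32\\gcn2tcvwtmws.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Program Files\\Desktop Security 2010\\Desktop Security 2010.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000002
'''

def parse_reg(text):
    """Yield (key, value_name, data) for each named value in .reg export text."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            data = m["data"]
            if data.startswith('"'):  # string value: drop quotes, undo \\ and \" escapes
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            yield key, m["name"], data

def find_indicators(text):
    """Return (kind, name, data) tuples for entries matching this page's indicators."""
    hits = []
    for key, name, data in parse_reg(text):
        k, n = key.lower(), name.lower()
        if k == RUN_KEY and n in RUN_NAMES:
            hits.append(("autorun", name, data))
        elif k == WINLOGON_KEY and n == "shell" and "desktop security 2010" in data.lower():
            hits.append(("shell-replaced", name, data))
        elif k.startswith(SERVICES) and n == "start" and data.lower() == "dword:00000004":
            if k[len(SERVICES):] in WATCHED_SERVICES:  # Start = 4: service disabled
                hits.append(("service-disabled", k[len(SERVICES):], data))
    return hits
```

A disabled update or firewall service on its own can be an administrator's choice, so treat that hit as supporting evidence alongside the Run and Shell matches.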

Means of transmission 

DesktopSecurity2010 can reach the computer when the user accesses certain websites that display banners or pop-up windows leading to the download of this program. It can also reach the computer through a link received via spam messages, fraudulent websites, etc.

Further Details  

DesktopSecurity2010 is 5,341,184 bytes in size.