
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


SecurityAntivirus

 
Threat Level: Low threat
Damage: High
Distribution: Not widespread

Effects 

SecurityAntivirus is an adware program that carries out the following actions:

  • It reaches the computer in a file with the following icon:

    SecurityAntivirus icon
  • Then, the interface of the program is displayed, which has the following appearance:

    SecurityAntivirus interface
  • Then, it starts scanning the system in search of possible malware:

    SecurityAntivirus scan
  • Once the scan is finished, it displays alert messages like the following, warning of malware infections:

    Warning message displayed by SecurityAntivirus
  • If users decide to eliminate these threats, they will be redirected to a website where the antivirus solution can be purchased.

 

In addition, SecurityAntivirus carries out the actions below:

  • It changes the search engine displayed when the Search option is clicked in the Internet Explorer browser, replacing it with another selected by the program. The Search option is the following:

    Search option in the Internet Explorer browser
  • It prevents users from accessing websites belonging to certain web search engines, and even websites from which other fake antivirus programs are downloaded.
  • It adds itself to the Windows firewall's list of authorized applications, in order to avoid being blocked.
  • It prevents active processes belonging to several antivirus programs from being run.

Infection strategy 

SecurityAntivirus creates the following folders:

  • Security Antivirus, in the folder Application data of the Documents and Settings directory of the user that has logged in.
  • SAVSysBackUp and Quarantine Items, on the Desktop.
  • SANHDXGSXV and a folder with random alphanumeric characters, in the folder Application Data of the Documents and Settings directory of all users.

 

SecurityAntivirus creates the following files:

  • SA%random%.EXE, %random%.MOF, MOZCRT19.DLL and SQLITE3.DLL, in the random folder created in the path C:\Documents and Settings\All Users\Application Data.
    where %random% stands for random characters.
  • SECURITY ANTIVIRUS.LNK, in the Windows Quick Launch Bar. It is a shortcut to the program.

 

SecurityAntivirus modifies the HOSTS file, so that the user cannot access certain search websites and websites from which other fake antivirus programs can be downloaded.

 

SecurityAntivirus creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Security Antivirus = C:\Documents and Settings\All Users\Application data\%random folder%\SA%random characters%.EXE
    By creating this entry, SecurityAntivirus ensures that it is run whenever Windows is started.
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes
    URL = http://fi<blocked>gala.com/?&uid=7&q=%7bsearchTerms%7d
    By creating this entry, it changes the search engine displayed in the Search option of the Internet Explorer browser to another one selected by the program.
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    Enabled:Windows Enterprise Defender
    It adds itself to the Windows firewall's list of authorized programs.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%filename%
    Debugger = svchost.exe
    where %filename% is the name of a file belonging to one of several security suites.
    By creating this entry, it prevents several processes belonging to antivirus programs from being run.
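
The Run and Image File Execution Options entries listed above can be looked for in a registry export. The following is an added example, not part of the original Panda Security entry: it parses text in .reg export format and flags those two entries. The sample export is constructed, and exampleav.exe is a hypothetical stand-in for %filename%.

```python
import re

# Constructed sample in .reg export format (not from a real host).
# "exampleav.exe" is a hypothetical stand-in for the page's %filename%.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Security Antivirus"="C:\\Documents and Settings\\All Users\\Application data\\k3x9q\\SAk3x9.EXE"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exampleav.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000
'''

RUN_KEY = r"\software\microsoft\windows\currentversion\run"
IFEO_KEY = r"\software\microsoft\windows nt\currentversion\image file execution options" + "\\"
# SA%random%.EXE in a subfolder of All Users\Application Data, as listed on the page.
DROP_PATH = re.compile(r"\\all users\\application data\\[^\\]+\\sa[^\\]*\.exe$", re.I)
# A string value line: "name"="data", with backslashes and quotes escaped inside.
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # Undo .reg escaping: a backslash followed by any character becomes that character.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE.match(line)):
            yield key, unescape(m.group(1)), unescape(m.group(2))

def find_indicators(text):
    """Return (indicator, key, value_name, data) tuples for the entries described above."""
    hits = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k.endswith(RUN_KEY) and (name.lower() == "security antivirus" or DROP_PATH.search(data)):
            hits.append(("run-persistence", key, name, data))
        elif IFEO_KEY in k and name.lower() == "debugger" and data.lower().endswith("svchost.exe"):
            hits.append(("ifeo-debugger-block", key, name, data))
    return hits
```

Files exported by regedit in this format are UTF-16 encoded, so decode them to text before passing the contents to find_indicators.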

Means of transmission 

SecurityAntivirus can reach the computer when the user accesses certain websites that display banners or pop-up windows leading to the download of this program. It can also reach the computer through a link received via spam messages, fraudulent websites, etc.

Further Details  

SecurityAntivirus is 2,467,840 bytes in size.