
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


MySecurityEngine

 
Threat Level: Low threat
Damage: High
Distribution: Not widespread

Effects 

MySecurityEngine is an adware program that carries out the following actions:

  • When it is run, MySecurityEngine connects to the URL and the installation process of the fake antivirus starts:

    Installation process of MySecurityEngine
  • Then, it starts scanning the system in search for possible malware.
  • Once finished, it notifies users that their computer is infected:

    Scan carried out by MySecurityEngine
  • Once the scan is finished, it displays alert messages like the following, warning of malware infections:

    Warning message displayed by MySecurityEngine
  • If users decide to eliminate these threats, they will be redirected to a website where the antivirus solution can be purchased:

    Website to purchase MySecurityEngine
  • If users do not follow the recommendations of the program, it displays warning messages reminding them that their computer is infected:

    Alert message displayed by MySecurityEngine
  • Additionally, it adds the icon belonging to the fake antivirus to the Notification area:

    Icon added by MySecurityEngine

 

On the other hand, MySecurityEngine carries out the actions below:

  • It replaces the search engine used by the Search option of the Internet Explorer browser with another one selected by the program. The Search option is the following:

    Search option in the Internet Explorer browser
  • It prevents users from accessing websites belonging to certain web search engines and even websites from which other fake antivirus programs are downloaded.
  • It prevents processes belonging to several antivirus programs, firewalls and system applications such as the Task Manager from being run. It also blocks processes belonging to other fake antivirus programs.

 

Infection strategy 

MySecurityEngine creates the following folders:

  • a folder with a random name. In this folder it creates other folders with the following names:
    - MSESys
    - Quarantine Items
  • MSAOE, in the folder Application data of the Documents and Settings directory of all users.
  • My Security Engine, in the folder Application data of the Documents and Settings directory of the user that has logged in.
  • a group of programs called My Security Engine in the Start menu with several links to the program.

 

MySecurityEngine creates the following files:

  • MS%random%.EXE, %random%.MOF and MSE.ICO, in the folder with a random name created in the path C:\Documents and Settings\All Users\Application Data, where %random% stands for random characters.
  • VD952342.BD, in the folder MSESys located in the folder with a random name created in the path C:\Documents and Settings\All Users\Application Data.
  • MSBBEGDJE.CFG, in the folder MSAOE created in the path C:\Documents and Settings\All Users\Application Data.
  • MY SECURITY ENGINE.LNK, on the Desktop, in the Start menu and in the Windows Quick Launch Bar. It is a shortcut to the program.

 

MySecurityEngine modifies the HOSTS file, so that the user cannot access certain search websites and websites from which other fake antivirus programs can be downloaded.

 

MySecurityEngine creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    My Security Engine = C:\Documents and Settings\All Users\Application data\%random folder\MS%random characters%.exe /s /d
    By creating this entry, MySecurityEngine ensures that it is run whenever Windows is started.
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes
    URL = http://fi
    <blocked>gala.com/?&uid=7&q={searchTerms}
    By creating this entry, it replaces the search engine used by the Search option of the Internet Explorer browser with another one selected by the program.

 

Additionally, it creates many entries in the Windows Registry like the following: 

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%filename%
    Debugger = svchost.exe
    where %filename% is the name of an executable belonging to one of several security suites.
    By creating these entries, it prevents processes belonging to antivirus suites, firewalls, system applications like the Task Manager and even other fake antivirus programs from being run: when an Image File Execution Options subkey sets a Debugger value, Windows launches that program (here svchost.exe) in place of the executable, so the tool itself never starts.

 

The following are some examples:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PerAvir.exe
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pav.exe
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe
    Debugger = svchost.exe

    These files belong to several antivirus suites.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpost.exe
    Debugger = svchost.exe

    These files belong to different firewalls.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
    Debugger = svchost.exe

    This file belongs to the Task Manager.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\securitysoldier.exe
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PC_Antispyware2010.exe
    Debugger = svchost.exe

    These files belong to fake antivirus programs.
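As an added illustration (not part of Panda's write-up and not code from the malware), the Python below reads an exported .reg file offline and lists every Image File Execution Options subkey that sets a Debugger value, which is exactly the blocking technique described above; an analyst can run it against a hive exported from a suspect disk without executing anything from it. The export embedded in the block is constructed for this example; the image names and the Run value in it mirror the entries listed on this page, and the folder name xyz is a placeholder for the random folder.

```python
import re

# A "Debugger" value under IFEO\<image> makes Windows start that program instead of <image>.
IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options")

# Constructed .reg export for this example (not captured from a real host);
# image names and the Run value mirror the entries listed on this page.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe]
"Debugger"="svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"My Security Engine"="C:\\Documents and Settings\\All Users\\Application Data\\xyz\\MSxyz.exe /s /d"
'''

VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Return {key_path: {value_name: value}} from a .reg export.
    String values are unquoted and unescaped; dword:/hex: values stay raw."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                name, raw = m.groups()
                if raw.startswith('"') and raw.endswith('"'):
                    raw = raw[1:-1].replace("\\\\", "\\")
                keys[current][name] = raw
    return keys

def find_ifeo_hijacks(keys):
    """Sorted (image, debugger) pairs for IFEO subkeys that set a Debugger value."""
    hits = []
    for path, values in keys.items():
        if path.lower().startswith(IFEO_PREFIX.lower() + "\\") and "Debugger" in values:
            hits.append((path.rsplit("\\", 1)[1], values["Debugger"]))
    return sorted(hits)
```

Every pair returned deserves a look; a Debugger value that names a system binary such as svchost.exe, rather than a real debugger with a full path, is the pattern this rogue uses to keep security tools from starting.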

Means of transmission 

MySecurityEngine can reach the computer when the user accesses certain websites which display banners or pop-up windows which lead to the download of this program. It can also reach the computer in spam messages that contain attached files or links that point to the download of this program.

Additionally, we have detected several BlackHat SEO attacks (see Note below) in order to distribute this fake antivirus using topics like the successful series Lost, the death of Ronnie James Dio and the elections in UK, among others.

 

Note:
SEO stands for Search Engine Optimization. Basically, it refers to techniques used to improve the positioning of web pages in search engines (Yahoo, Google, etc.). BlackHat SEO refers specifically to the use of SEO techniques by cyber-criminals to promote their web pages.

Further Details  

MySecurityEngine is 393,728 bytes in size.