Effects
SecurityMasterAV is an adware program that carries out the following actions:
- It reaches the computer in a file with any of the following icons:
- If users run any of these icons, an installation screen is displayed:
- Once installed in the computer, it diplays alert messages indicating that the computer is infected and that the problem can be solved with the program Security Master AV:
- If users follow the recommendations of this message, the interface of the program, which has the following appearance, will be displayed:
- This screen indicates users that the computer is unprotected, as no antivirus is activated. In order to do so, it entices users to carry out a system scan.
- If users accepts this, the program starts scanning the computer and, once finished, deceiving results are displayed, as it will detect malware that is not really found in the computer:
- Then, it displays a fake infection alert like the following:
- If users decide to remove these threats and to follow the recommendations of the program, an activation key will be required:
- Curiously, this key can be obtained in the box of the product, so as users will not have it, they will be redirected to the website where the product can be purchased:
On the other hand, SecurityMasterAV carries out the actions below:
- It prevents users from accessing websites belonging to certain web search engines and even to websites from which other falke antivirus programs are downloaded.
- It prevents processes related to certain security programs, like antivirus solutions or firewalls that are active from being run, leaving the computer unprotected. Additionally, it also prevents processes belonging to fake antivirus programs from being run.
Infection strategy
SecurityMasterAV creates the following folders:
- SECURITY MASTER AV, in the folder Application data of the Documents and Settings directory of the user that has logged in.
- several folders with random alphanumeric characters, in the folder Application Data of the Documents and Settings directory of all users.
SecurityMasterAV creates a shortcut to the program called SECURITY MASTER AV.LNK in the following directories:
- in the Windows Quick Launch Bar.
- in the Desktop:
- in the paths C:\Documents and Settings\%username%\Start Menu and C:\Documents and Settings\%username%\Start Menu\Programs.
where %username% is the username of the user that has logged in.
SecurityMasterAV modifies the HOSTS file, so that the user cannot access certain search websites and websites from which other fake antivirus programs can be downloaded.
SecurityMasterAV creates the following entry in the Windows Registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\3F2BBC05-40DF-11D2-9455-00104BC936FF
It also creates many entries in the Windows Registry like the following:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%filename%
Debugger = svchost.exe
where %filename% belongs to files belonging to several security suites.
By creating these entries, it prevents several processes from being run which belong to antivirus suites, firewalls and even to other fake antivirus programs.
The following are some examples:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe
Debugger = svchost.exe - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP.exe
Debugger = svchost.exe
Additionally, SecurityMasterAV attempts to remove entries from the Windows Registry belonging to several legitimate antivirus programs. If so, the computer would be unprotected and the only antivirus program in execution would be this fake antivirus.
Means of transmission
SecurityMasterAV can reach the computer when the user accesses certain websites which display banners or pop-up windows which lead to the download of this program. It can also reach the computer in a link that can be received via spam messages, fraudulent websites, etc.
Further Details
SecurityMasterAV is 189,440 bytes in size.