Rogue.SecurityTool workaround

A new version I downloaded and installed on my PC:

1. This variant got past Norton
2. Removes your wallpaper
3. Does a fake scan stating you have many infections

BUT

If you DO NOT restart the PC you can bring up the Task Manager and stop the process that is running.

If the PC has been restarted, or for some reason the above is not the case and it has still gone further without the restart:

1. You will not have desktop icons
2. Task Manager, etc.
3. You cannot even start non-security programs like MS Paint.

An easy way to disable it.

1. Use the Start Menu and open "My Computer"
2. Open the "Tools" menu and choose "Folder Options". Click on the View tab, make sure "Show hidden files and folders" is checked, and click "Apply" and "OK"
3. Go into the hard drive (C:\) and make your way to the folder located at

"C:\Documents and Settings\All Users\Application Data\92060926\92060926.exe" in XP; Vista has a different path. The numbers for the file name may be different.

4. Right-click the "Security Tool" file. There will be a bit of a lag before the right-click menu appears.
5. Select "Properties"
6. Make sure the "read only" attribute is un-selected, then click "Apply" and "OK" (this one didn't have the read-only property selected)
7. Now on the right-click menu again select "Rename". Rename the file to something like "bad.exe"
[image: quads.jpg]
8. Once renamed, restart the PC.
9. Now after the restart "Security Tool" doesn't load, as the registry entry can no longer find its target, and neither can the desktop shortcut.

You will see that all the desktop icons have re-appeared and you now have the likes of MS Paint and Task Manager.

10. Now you can manually delete the "bad.exe", or just install Malwarebytes, update its definitions and run a "Full Scan"
11. Once clean, open your Display Properties and reset your wallpaper back to the way it was.
Quads
<< edit: image resized for fit>>
Message Edited by JerryM on 11-24-2009 08:17 PM
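The procedure above is manual, and the only thing that varies between infections is the run of digits in the folder and file name. Here is an added example (not Quads' own work or any Norton/Symantec tool) that encodes that shape as a check and plans the same rename in a dry run first. It assumes the XP "All Users\Application Data" layout from the post; the Vista path is different and is not modelled, and the sample listing at the bottom is constructed, not taken from a real machine.

```python
import os
import re
import stat
from pathlib import PureWindowsPath

# Drop location described in the thread (XP layout, assumption: Vista differs).
XP_ALLUSERS_APPDATA = r"C:\Documents and Settings\All Users\Application Data"

# The dropper lives at <folder>\<digits>\<same digits>.exe; the digits differ
# per infection, so match the shape rather than the literal 92060926.
_CANDIDATE_RE = re.compile(
    r"^(?P<base>.*)\\(?P<tag>\d+)\\(?P=tag)\.exe$", re.IGNORECASE
)


def is_candidate(path: str) -> bool:
    """True when `path` has the Security Tool drop-file shape."""
    return _CANDIDATE_RE.match(path) is not None


def find_candidates(paths):
    """Filter an iterable of Windows path strings down to candidates."""
    return [p for p in paths if is_candidate(p)]


def rename_target(path: str) -> str:
    """Where the post's step 7 renames the file to: bad.exe in the same folder."""
    return str(PureWindowsPath(path).with_name("bad.exe"))


def plan_renames(paths):
    """Map each candidate to its rename target without touching the disk."""
    return {p: rename_target(p) for p in find_candidates(paths)}


def neutralize(path: str) -> str:
    """Clear read-only (step 6) and rename (step 7). Returns the new path.

    Only ever called for a path that already passed is_candidate().
    """
    target = rename_target(path)
    os.chmod(path, stat.S_IWRITE)  # the post's "un-select read only"
    os.rename(path, target)        # shortcut and autorun entry now dangle
    return target


def scan_all_users_appdata(root=XP_ALLUSERS_APPDATA, apply=False):
    """Look one level below `root` for <digits>\\<digits>.exe.

    Returns the candidate paths found; with apply=True each one is renamed
    and the new path is returned instead. A missing root yields [].
    """
    found = []
    if not os.path.isdir(root):
        return found
    for entry in os.listdir(root):
        candidate = os.path.join(root, entry, entry + ".exe")
        if os.path.isfile(candidate) and is_candidate(candidate):
            found.append(neutralize(candidate) if apply else candidate)
    return found


if __name__ == "__main__":
    # Constructed sample listing (not from a real machine): only the first
    # entry has the dropper's shape, the others are ordinary data files.
    sample = [
        r"C:\Documents and Settings\All Users\Application Data\92060926\92060926.exe",
        r"C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp",
        r"C:\Documents and Settings\All Users\Application Data\12345678\readme.txt",
    ]
    for src, dst in plan_renames(sample).items():
        print(f"{src}\n  -> {dst}")
```

Run it with `apply=False` first and read the list; the rename only breaks the autorun because the registry value and shortcut still point at the old name, so the file itself is still there to hand to Malwarebytes or Security Response afterwards, exactly as steps 10 and 11 describe.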

Thank you Quads for the information.

Quads, that is a brilliant procedure for preventing the file from loading.  It’s quite elegant, and sneaky. :smileywink:

Please, submit to Symantec Security Response!


3GUSER wrote:
Please, submit to Symantec Security Response!
Hahahahaha
Quads

What’s soooooo funny ?

I submitted several variants of that malware installer to Symantec Security Response here.

 

This is the only response I have received so far:

 


We have analyzed your submission.  The following is a report of our findings for each file you have submitted:

 

filename: install.exe

machine: Machine

result: See the developer notes

 

Customer notes:

from. antyspywaressite.com/index.phpaffid92300. This site needs to be taken down.

 

 

Developer notes:

install.exe Our automation was unable to identify any malicious content in this submission.

The file will be stored for further human analysis.


 

Meanwhile, the domains which serve this malware are still unblocked and live, and neither AutoProtect nor SONAR detect this (yet). Therefore, Quads is the only defense you have now.

 

That's why that was funny. 

 

[edit: Deactivated malicious link.]

Message Edited by shannons on 11-25-2009 12:39 PM

Why Sooo Funny?? 

 

Because of being told to submit it to Security Response

 

Quads 

The link in your post is still active and not obfuscated.

Moderator notified about link in TomiRed’s post :slight_smile:

Thanks I almost clicked on it but when I rolled over it I saw “http” out of the corner of my eye in the status bar.

Good catch! :slight_smile:

Hi

 

Link now shows hxxp.

Hi floplot, if you hover your mouse cursor over the URL (don’t click!!!), then look at the URL at the bottom of your browser - it says http.

Message Edited by Yaso_Kuuhl on 11-25-2009 09:23 PM

Hi yaso

 

Now I see what you mean. I would never have clicked that. That was a good catch. I don't think I notice links down there too often. I'll have to remember to look down there also.

At least if you clicked on the link, you’re on the thread that tells you how to get rid of it.


Yaso_Kuuhl wrote:
Hi floplot, if you hover your mouse cursor over the URL (don't click!!!), then look at the URL at the bottom of your browser - it says http.
Message Edited by Yaso_Kuuhl on 11-25-2009 09:23 PM

Even worse, blanking the http does not invalidate a link.  All that is needed for an effective link is abc.com or something like that. Browsers now default to include missing http or www.
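The point made above (that "hxxp" alone is not enough, because a bare abc.com still gets linkified) is what a defanging routine has to handle. The following is an added example, not code from anyone in this thread or from Norton: it rewrites the scheme to hxxp and brackets every dot in the host, and it does so for schemeless domains as well, so nothing a forum or mail client auto-links survives intact. The regular expression and the sample strings are my own assumptions, not taken from the reported site.

```python
import re

# Optional scheme, dotted host with an alphabetic top-level label, then an
# optional port and path/query. The scheme is optional on purpose: as noted
# in the thread, "abc.com" on its own is still a working link.
URL_RE = re.compile(
    r"\b(?P<scheme>https?://)?"
    r"(?P<host>(?:[a-z0-9-]+\.)+[a-z]{2,})"
    r"(?P<rest>(?::\d+)?(?:/[^\s<>]*)?)",
    re.IGNORECASE,
)


def _defang_match(m: re.Match) -> str:
    """Rewrite one matched URL so no client will turn it into a link."""
    scheme = (m.group("scheme") or "").lower().replace("http", "hxxp")
    host = m.group("host").replace(".", "[.]")  # only host dots are bracketed
    return f"{scheme}{host}{m.group('rest') or ''}"


def defang(text: str) -> str:
    """Defang every URL or bare domain in free text (e.g. a forum post)."""
    return URL_RE.sub(_defang_match, text)


def refang(text: str) -> str:
    """Undo defang() for analysts who need the live indicator back."""
    return text.replace("hxxp", "http").replace("[.]", ".")


if __name__ == "__main__":
    # Constructed post text, not the real URL from the thread.
    post = "Got it from http://abc.com/index.php?affid=1 - also seen on www.abc.co.uk"
    print(defang(post))
    # -> Got it from hxxp://abc[.]com/index.php?affid=1 - also seen on www[.]abc[.]co[.]uk
```

One caveat worth knowing before pasting this into a moderation script: the host pattern accepts any alphabetic final label, so a bare file name such as "bad.exe" is also bracketed. That errs on the side of breaking links rather than leaving one live, which is the safer default for a thread like this one, but it is why the refang() helper exists.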

Well just don't click on the darn thing... I copied it from the e-mail but it linkified itself.

 

I reported this site almost a week ago, reported it as a phishing site, queued it on SafeWeb, submitted at least two variants of the file it serves, and listed it as the source - and still nothing - Norton ignores it completely.

 

The file will not self install, so even if you click, and it downloads, just don't run it.

Message Edited by TomiRed on 11-25-2009 09:50 PM

Moderator shannons has “emptied” the link :smiley: Thanks, shannons :wink:

Message Edited by Yaso_Kuuhl on 11-25-2009 09:48 PM

We’re not saying it’s your fault. We’re doing this for the select few who might happen to pass by and click on every link they see. :slight_smile: