Trojan:Win32/PrivacyCenter


Trojan:Win32/PrivacyCenter is a family of rogue security programs that claim to scan for malware and display fake warnings about "malicious programs and viruses". They then tell the user to pay to register the software in order to remove these non-existent threats.
 
Special Note:
Reports of Rogue Antivirus programs have been more prevalent as of late.  These are programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software.  Some of these programs may display product names or logos in an apparently unlawful attempt to impersonate Microsoft products. 
 
Use Microsoft Windows Defender, the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742), or another up-to-date scanning and removal tool to detect and remove these threats and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.


What to do now

 
Use Microsoft Windows Defender, Microsoft Security Essentials, the Microsoft Safety Scanner, or another up-to-date scanning and removal tool to detect and remove this threat and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.
 
For information on additional support options worldwide, see http://www.microsoft.com/protect/support/default.mspx.

Threat behavior

Trojan:Win32/PrivacyCenter is a family of rogue security programs that claim to scan for malware and display fake warnings about "malicious programs and viruses". They then tell the user to pay to register the software in order to remove these non-existent threats.
 
We have received reports that this trojan has been distributed via poisoned search results, where users are redirected to sites that display fake online scanners. These pages falsely report that the user's system is infected in order to convince users to download Trojan:Win32/PrivacyCenter. We have also received reports that this trojan has been distributed masquerading as a video codec. The pages and files used in this form of attack are highly variable, and change according to the user's location, browser and operating system. A screenshot of an example page accompanied the original entry.
Installation
Trojan:Win32/PrivacyCenter creates many files under the following subdirectories, which it creates upon execution:
  • %program_files%\privacy center
  • %application data%\privacy center
It modifies the registry to run its executable at each Windows start:
Adds value: "agent.exe"
With data: "%program_files%\privacy center\agent.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
 
It also creates an uninstall entry for itself in the 'Uninstall or change a program' dialog; however, this entry (presumably deliberately) does not work. If a user tries to uninstall the program listed as 'Privacy Center', the entry is removed from the dialog, but the trojan remains on the affected machine and continues to run.
 
Trojan:Win32/PrivacyCenter also modifies the registry so that its own executable, rather than explorer.exe, is loaded as the user's shell at logon:
Adds value: "Shell"
With data: "%program_files%\privacy center\pc.exe"
To subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
 
Because the per-user Shell value overrides the system default, this prevents Explorer and the Windows Start menu from appearing at logon; the trojan's interface is displayed instead.
Payload
Displays fake warnings
Trojan:Win32/PrivacyCenter displays fake scanning results and alerts about bogus malware infections and other security risks on the affected machine. If a user attempts to 'use' Privacy Center to remove one of these bogus infections by pressing the 'Enable filter' button, they are told that they have an out-of-date license, '0% Security' and several 'privacy violations'. They are then directed to pay for licenses for a number of bogus applications. Screenshots of the dialogs and pages displayed by Win32/PrivacyCenter accompanied the original entry.
 
It may also make the following registry modifications (Active Desktop settings) to support these displays:
 
Modified value: "BackupWallpaper"
With data: "%systemroot%\web\wallpaper\bliss.bmp"
In subkey: HKCU\Software\Microsoft\Internet Explorer\Desktop\General
 
Modified value: "DeskHtmlVersion"
With data: "272"
In subkey: HKCU\Software\Microsoft\Internet Explorer\Desktop\Components
 
Modified value: "Source"
With data: "about:home"
In subkey: HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0
 
Modified value: "Type"
With data: "1"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72267F6A-A6F9-11D0-BC94-00C04FB67863}\iexplore
 
Analysis by Matt McCormack

Symptoms

System Changes
Symptoms vary among different distributions of Trojan:Win32/PrivacyCenter; however, the presence of the following system changes (or similar) may indicate the presence of this program:
  • Presence of the following directories, or similar (for example):
    %program_files%\privacy center
    %application data%\privacy center
  • Presence of the following registry modifications or similar (for example):
    Added value: "agent.exe"
    With data: "%program_files%\privacy center\agent.exe"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Added value: "Shell"
    With data: "%program_files%\privacy center\pc.exe"
    To subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • Display of fake scanner results, '0% Security' warnings or licensing dialogs such as those described under 'Payload' above.
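The following PowerShell triage script is an added example; it is not part of the original encyclopedia entry and not a Microsoft tool. It checks a user profile for the indicators listed under 'Installation' and 'System Changes' above (the two directories, the "agent.exe" Run value, and a per-user Winlogon Shell value that is not explorer.exe) and, with -Remediate, removes the two registry persistence points. The registry paths and value names come from the entry; the script's parameter and variable names, and the use of $env:ProgramFiles and $env:APPDATA for the %program_files% and %application data% placeholders, are assumptions made here.

```powershell
# Added example (not from the Microsoft entry): triage for Trojan:Win32/PrivacyCenter
# persistence in the current user's profile. Names below are this script's own.
[CmdletBinding()]
param(
    [switch]$Remediate   # assumption: remove the Run and Shell values when set
)

$runKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$winlogonKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Directories the entry says the trojan creates; %program_files% and
# %application data% are assumed to map to these environment variables.
$dirs = @(
    (Join-Path $env:ProgramFiles 'privacy center'),
    (Join-Path $env:APPDATA      'privacy center')
)

$findings = @()

foreach ($d in $dirs) {
    if (Test-Path -LiteralPath $d) {
        $findings += "Directory present: $d"
    }
}

# Run key: the entry names the value "agent.exe" pointing into the privacy center folder.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['agent.exe']) {
    $findings += "Run value 'agent.exe' = $($run.'agent.exe')"
}

# A per-user Winlogon Shell value normally does not exist; the default shell is
# explorer.exe from HKLM. Any HKCU Shell that is not explorer.exe (bare name or
# full path) replaces the desktop at logon, which is what this trojan does with pc.exe.
$wl = Get-ItemProperty -Path $winlogonKey -Name Shell -ErrorAction SilentlyContinue
if ($wl -and $wl.Shell -and ($wl.Shell -notmatch '(^|\\)explorer\.exe$')) {
    $findings += "HKCU Winlogon Shell hijacked: $($wl.Shell)"
}

if (-not $findings) {
    Write-Output 'No PrivacyCenter indicators found in this user profile.'
    return
}

$findings | ForEach-Object { Write-Warning $_ }

if ($Remediate) {
    # Deleting the per-user Shell value (rather than setting it) restores the HKLM
    # default. Removing the Run value stops agent.exe being relaunched at logon.
    Remove-ItemProperty -Path $winlogonKey -Name Shell       -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $runKey      -Name 'agent.exe' -ErrorAction SilentlyContinue
    Write-Output 'Registry persistence removed. Terminate pc.exe and agent.exe, delete the directories, then run a full scan with an up-to-date scanner.'
}
```

Because the hijacked Shell value means Explorer never starts for the affected user, launch the script from Task Manager (File, Run new task, powershell.exe) or from another account; HKCU edits need no elevation. The check only covers the user hive you run it under, so repeat it for every profile on a shared machine, and treat the registry cleanup as a stopgap: the scan recommended under 'What to do now' is still needed to remove the files themselves.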

Prevention


Alert level: Severe
This entry was first published on: May 12, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Fake_AntiSpyware.BKN (AVG)
  • Win32/FakeAV.ACR (CA)
  • Win32/Adware.PrivacyComponents (ESET)
  • not-a-virus:FraudTool.Win32.PrivacyCenter (other)
  • not-a-virus:FraudTool.Win32.Agent.jn (Kaspersky)
  • FakeAlert-CP (McAfee)
  • Troj/PrvCnt-Gen (Sophos)
  • SpywareGuard2008 (Symantec)
  • Control Center (other)
  • Privacy Center (other)