Installation
When run, XP Home Security 2012 copies itself as %LOCALAPPDATA%\<three lower case letters>.exe (for example, %LOCALAPPDATA%\qkm.exe).
It creates files that have encrypted data. Each of these files uses a different name, for example:
To automatically start every time you start Windows, the threat creates this registry entry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "ctfmon.exe"
With data: "<system folder>\ctfmon.exe"
Note: ctfmon.exe is a legitimate file. This registry change causes the threat to run because the threat changes the way that Windows runs executable files like ctfmon.exe.
Payload
Displays a fake scanner
The threat displays a fake scanner, which shows dialog boxes, system tray balloons, and other pop-ups that claim your PC is infected. Examples of these fake scanners are:
It can also show a fake version of the Windows Security Center.
If you request that the scanner remove any of the listed threats, it shows you this dialog box, which asks you to register the product for a fee:
It also shows dialog boxes and system tray pop-ups to try to convince you that your PC is infected.
Changes program settings
Win32/FakeRean might change your program settings so that the threat runs whenever you try to run a file ending with .exe. It makes these registry changes:
In subkey: HKCU\Software\Classes\.exe
Sets value: "(Default)"
With data: "mdaw"
In subkey: HKCU\Software\Classes\mdaw
Sets value: "(Default)"
With data: "Application"
Sets value: "Content Type"
With data: "application/x-msdownload"
In subkey: HKCU\Software\Classes\mdaw\DefaultIcon
Sets value: "(Default)"
With data: "%1"
In subkey: HKCU\Software\Classes\mdaw\shell\open\command
Sets value: "(Default)"
With data: "<malware copy>" -a "%1" %* (for example: "%LOCALAPPDATA%\qkm.exe" -a "%1" %*)
Sets value: "IsolatedCommand"
With data: "%1" %*
In subkey: HKCU\Software\Classes\mdaw\shell\runas\command
Sets value: "(Default)"
With data: ""%1" %*"
Sets value: "IsolatedCommand"
With data: ""%1" %*"
In subkey: HKCU\Software\Classes\mdaw\shell\start\command
Sets value: "(Default)"
With data: ""%1" %*"
Sets value: "IsolatedCommand"
With data: ""%1" %*"
In most cases, if you try to run the .exe file, you will see a dialog box like this:
Blocks access to websites
This threat monitors web traffic on these browsers:
- Chrome
- Firefox
- Internet Explorer
- Opera
- Safari
This threat might block access to certain websites, displaying a page that looks like this:
Stops and deletes services
The malware might stop and delete the following services to try to lower your PC's security:
- winDefend (Windows Defender)
- wscsvc (Security Center)
- wuauserv (Windows Update)
Stops processes
The malware might try to stop the following processes:
- MpCmdRun.exe
- MSASCui.exe
- MsMpEng.exe
- msseces.exe
- NisSrv.exe
- wscntfy.exe
Changes security settings
This threat changes the following registry settings to try to make sure that the Windows Security Center doesn't display warnings about changes to the firewall, antivirus software or Windows Update:
In subkey: HKLM\SOFTWARE\Microsoft\Security Center
Sets value: "AntiVirusDisableNotify"
With data: "0"
Sets value: "AntiVirusOverride"
With data: "0"
Sets value: "FirewallDisableNotify"
With data: "0"
Sets value: "FirewallOverride"
With data: "0"
Sets value: "UpdatesDisableNotify"
With data: "0"
It might try to disable the Windows Firewall by changing these registry settings:
In subkey: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Sets value: "EnableFirewall"
With data: "0"
Sets value: "DoNotletExceptions"
With data: "0"
Sets value: "DisableNotifications"
With data: "1"
In subkey: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\
Sets value: "EnableFirewall"
With data: "0"
Sets value: "DoNotletExceptions"
With data: "0"
Sets value: "DisableNotifications"
With data: "1"
In subkey: HKLM\System\CurrentControlSet\Services\SharedAccess
Sets value: "Start"
With data: "4"
It might also try to remove any proxy server that your browser is set to use by changing the following registry settings:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "ProxyEnable"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Deletes value: "ProxyServer"
In subkey: HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings
Sets value: "ProxyEnable"
With data: "0"
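The registry changes listed under "Changes program settings" and "Changes security settings" can be checked from a read-only triage script. The following is an added example, not part of this write-up or of any Microsoft tooling; it assumes an elevated PowerShell session on the suspect PC and only reports what it finds.

```powershell
# Added triage example (not from the write-up). Read-only: reports indicators, changes nothing.
$findings = @()

# 1. Per-user .exe association hijack. A clean profile normally has no
#    HKCU\Software\Classes\.exe key, and a ProgID's open command is exactly "%1" %*.
$exeKey = 'HKCU:\Software\Classes\.exe'
if (Test-Path $exeKey) {
    $progId = (Get-ItemProperty -Path $exeKey).'(default)'
    $findings += "HKCU .exe association overridden with ProgID '$progId'"
    $cmdKey = "HKCU:\Software\Classes\$progId\shell\open\command"
    if ($progId -and (Test-Path $cmdKey)) {
        $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
        if ($cmd -ne '"%1" %*') { $findings += "open command for '$progId' runs: $cmd" }
    }
}

# 2. Security Center and firewall values named in the write-up (HKLM needs elevation).
#    Expected on a healthy PC: EnableFirewall = 1, DisableNotifications = 0, Start = 2.
$checks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center'
       Names = 'AntiVirusDisableNotify','AntiVirusOverride','FirewallDisableNotify','FirewallOverride','UpdatesDisableNotify' }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
       Names = 'EnableFirewall','DisableNotifications' }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile'
       Names = 'EnableFirewall','DisableNotifications' }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'; Names = 'Start' }
)
foreach ($c in $checks) {
    if (-not (Test-Path $c.Key)) { continue }
    $props = Get-ItemProperty -Path $c.Key
    foreach ($n in $c.Names) {
        $v = $props.$n
        if ($null -ne $v) { $findings += "$($c.Key) : $n = $v" }
    }
}

# 3. Proxy removed, and a dropped copy named <three lowercase letters>.exe in the
#    local application data folder (GetFolderPath also works where %LOCALAPPDATA% is unset).
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 0 -and -not $inet.ProxyServer) {
    $findings += 'No proxy configured (ProxyEnable = 0, ProxyServer absent)'
}
$localAppData = [Environment]::GetFolderPath('LocalApplicationData')
Get-ChildItem -Path $localAppData -Filter '*.exe' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -cmatch '^[a-z]{3}\.exe$' } |
    ForEach-Object { $findings += "Suspicious file: $($_.FullName)" }

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No indicators from the write-up found.' }
```

Each finding is reported, not scored: the Security Center values and a missing proxy also occur on clean machines, so they matter mainly alongside the .exe association hijack and a three-letter .exe.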
Analysis by David Wood