bagsllka.blogg.se

Auslogics antimalware

It is also known that Win32/FakeCog leaves two components in the %TEMP% folder. dll file with a variable name in the same directory. That file is then injected into the corresponding Windows Explorer process, which keeps the malware running on the infected computer. The second component displays a dialog box that looks like it belongs to Windows Security Center and then drops a file with a double-named extension (which can look like, for example) in that same folder. This last file attempts to disable and remove any legitimate security products found on the computer while installing the rogue program.

The malware also creates shortcuts on the desktop, again using the names and logos of legitimate Windows anti-virus tools, for example "Defense Center Support" or "Defense Center". Win32/FakeCog then displays false scan results and fake security alerts, pretending to be Windows Security Center and attempting to convince the user to purchase the full version of the malicious program. To make all transactions seem safe, the malware puts the logos of well-known payment companies like Mastercard and Visa in the bottom-left corner of the displayed windows. It also constantly shows system tray balloons and dialog boxes "informing" the user that various dangerous threats like rootkits and Trojans have been detected on the computer, trying again to draw the victim's attention and convince them to upgrade the installed demo version of the rogue software to the complete, paid version.

Win32/FakeCog is also capable of connecting to malicious websites and downloading additional files from them. These encrypted files could contain dangerous data as well as other types of malware.

Some variants of the rogue security software also have another functionality - to disable Windows Task Manager. This happens through modifications in the registry:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
With data: "1"

How to Protect Against Rogue Security Software like AntiMalware
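The registry change and the %TEMP% artifacts described in this article can be checked on a live system from PowerShell. This is an added example, not part of the original article; the value name DisableTaskMgr (the standard Windows policy value that disables Task Manager, which the article does not name) and the list of executable extensions are assumptions.

```powershell
# Added example: triage check for two behaviours the article describes.
# Assumption: 'DisableTaskMgr' is the standard Windows policy value that disables
# Task Manager; the article lists the subkeys and the data ("1") but not the name.
$ValueName = 'DisableTaskMgr'
$Subkeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system'
)
# Assumption: extensions treated as executable for the double-extension check.
$ExecExt = 'exe', 'scr', 'com', 'pif', 'bat', 'cmd'

function Get-TaskMgrPolicy {
    param([string[]]$Path, [string]$Name)
    foreach ($p in $Path) {
        # A missing key or value is the normal, unmodified state.
        $item = Get-ItemProperty -Path $p -Name $Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Subkey   = $p
            Data     = if ($item) { $item.$Name } else { $null }
            Disabled = [bool]($item -and ($item.$Name -eq 1))
        }
    }
}

function Get-TempSuspect {
    param([string]$Dir = $env:TEMP, [string[]]$Ext = $ExecExt)
    # Matches name.<2-4 chars>.<executable ext>, e.g. a constructed "report.pdf.exe".
    $double = '\.[A-Za-z0-9]{2,4}\.(' + ($Ext -join '|') + ')$'
    Get-ChildItem -LiteralPath $Dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $double -or $_.Extension -ieq '.dll' } |
        Select-Object Name, Length, CreationTime, @{
            n = 'Reason'
            e = { if ($_.Extension -ieq '.dll') { 'dll in TEMP' } else { 'double extension' } }
        }
}

# Report the policy state for both subkeys, then list TEMP files worth a closer look.
Get-TaskMgrPolicy -Path $Subkeys -Name $ValueName | Format-Table -AutoSize
Get-TempSuspect | Sort-Object CreationTime -Descending | Format-Table -AutoSize
```

Installers also unpack DLLs into %TEMP%, and administrators can set the same policy value through Group Policy, so treat each hit as a lead to verify rather than a confirmed infection.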














