2013-01-22 @ 15:17:57
Malicious e-mails titled "Tracking Detail" are spreading a fake anti-virus program named Security Defender.
This example mail came from v3005.zaah.net (gw0.zaah.net [22.214.171.124]), had a fake sender "Express Mail Service" <[email protected]> and was titled "Tracking Detail (U)EWT10 275 275 9353 9353".
The contents were as follows:
Order Date: Thursday, 17 January 2013, 11:10 AM
Your parcel has arrived at the post office on January 20. Our courier was unable to deliver the parcel to you.
To receive your parcel, please, go to the nearest office and show this receipt.
GET & PRINT RECEIPT
Best Regards, The FedEx Team.
Here's a screenshot:
The Get & Print Receipt button actually linked to YRZXKBOWJK.php?receipt=801_389668808 at lastro.de and started downloading a file named PostalReceipt.zip. Its contents were as expected: a PostalReceipt.exe program carrying a Microsoft Word icon, to fool users who have not yet turned on the display of known file extensions in Windows Explorer (with extensions hidden, the file shows as "PostalReceipt" next to a Word icon). The detection rate of this particular file is still very low among anti-virus vendors, but even free AV products are able to block Security Defender from installing.
Launching the file downloads and installs the rogue anti-virus program Security Defender. On Windows XP the files are saved to the All Users\Application Data\pcfdata subfolder of Documents and Settings; on Windows Vista and newer the pcfdata subfolder appears under ProgramData instead. The files added are app.ico, defs.bin, support.ico, uninst.ico, vl.bin and the main executable with a random name such as utuwnwqe.exe or baodratw.exe.
Additional copies of the downloader (also randomly named, such as ngupgupp.exe or raciecjr.exe) may be stored in the Local Settings\Application Data (Windows XP) or AppData\Local (Windows Vista and newer) subfolder of the current user profile. Another randomly named file without an extension (46 kilobytes in size) is then created in the same location. One or both of these serve as markers so that Security Defender is not downloaded twice.
The original PostalReceipt.exe file is then deleted and, to fool users further, a PostalReceipt.txt file is opened in Notepad.
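As an added example, not part of the original post, the following PowerShell script checks a Windows system for the artifacts described above: the pcfdata drop folder with its support files, the randomly named downloader copies and the extension-less marker in each user's local application data, and the Explorer setting that hides known extensions. It assumes PowerShell 3.0 or newer, and it generalises the observed names (utuwnwqe, baodratw, ngupgupp, raciecjr) into an eight-lowercase-letter pattern, which is an assumption. Because Security Defender blocks .exe launches, run it only after the rogue process has been killed, from Safe Mode, or against an offline copy of the disk via the script's own -Root parameter.

```powershell
# Added example (not from the original post): indicator check for the
# Security Defender artifacts described in the text above.
# Assumes PowerShell 3.0+ (for -File / -Directory on Get-ChildItem).
param(
    # Root of the volume to inspect; pass e.g. 'E:\' for an offline disk.
    [string]$Root = ($env:SystemDrive + '\')
)

$findings = @()

# 1. Drop folder: ProgramData\pcfdata (Vista and newer) or
#    Documents and Settings\All Users\Application Data\pcfdata (XP).
$dropDirs = @(
    (Join-Path $Root 'ProgramData\pcfdata'),
    (Join-Path $Root 'Documents and Settings\All Users\Application Data\pcfdata')
)
$knownFiles = 'app.ico', 'defs.bin', 'support.ico', 'uninst.ico', 'vl.bin'

foreach ($dir in $dropDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    $present = Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty Name
    $hits = @($knownFiles | Where-Object { $present -contains $_ })
    $exes = @($present | Where-Object { $_ -like '*.exe' })
    $findings += [pscustomobject]@{
        Indicator = 'pcfdata drop folder'
        Path      = $dir
        Detail    = "support files: $($hits -join ', '); executables: $($exes -join ', ')"
    }
}

# 2. Downloader copies (assumed pattern: eight lowercase letters + .exe) and
#    the ~46 KB extension-less marker in each user's local application data.
$profileRoots = @(
    (Join-Path $Root 'Users'),
    (Join-Path $Root 'Documents and Settings')
)
foreach ($pr in $profileRoots) {
    if (-not (Test-Path -LiteralPath $pr)) { continue }
    $profiles = @(Get-ChildItem -LiteralPath $pr -Directory -ErrorAction SilentlyContinue)
    foreach ($profile in $profiles) {
        $localDirs = @(
            (Join-Path $profile.FullName 'AppData\Local'),
            (Join-Path $profile.FullName 'Local Settings\Application Data')
        )
        foreach ($l in $localDirs) {
            if (-not (Test-Path -LiteralPath $l)) { continue }
            $suspects = @(Get-ChildItem -LiteralPath $l -File -ErrorAction SilentlyContinue |
                Where-Object {
                    ($_.Name -cmatch '^[a-z]{8}\.exe$') -or
                    ($_.Extension -eq '' -and $_.Length -ge 45KB -and $_.Length -le 48KB)
                })
            foreach ($s in $suspects) {
                $findings += [pscustomobject]@{
                    Indicator = 'possible downloader copy or marker'
                    Path      = $s.FullName
                    Detail    = "$($s.Length) bytes, modified $($s.LastWriteTime)"
                }
            }
        }
    }
}

# 3. Explorer hides known extensions: the setting that let PostalReceipt.exe
#    pass as a Word document. Only meaningful on the live system's own hive.
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hide = (Get-ItemProperty -Path $advKey -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
if ($hide -eq 1) {
    $findings += [pscustomobject]@{
        Indicator = 'HideFileExt enabled'
        Path      = $advKey
        Detail    = 'set HideFileExt to 0 so .exe is shown next to a document icon'
    }
}

if ($findings.Count -eq 0) {
    'No Security Defender indicators found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

The 8-letter regex and the 45-48 KB size window are deliberately loose so that a new sample with a different random name still shows up; treat a hit as something to inspect (timestamp, whether the .exe is signed, whether it was created around the time the "Tracking Detail" mail was opened), not as proof on its own.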
About rogue anti-virus program Security Defender
The scareware program Security Defender places an icon in the Notification Area of the Taskbar (the System Tray) and blocks the launch of files with the .exe extension. This means that most anti-virus and anti-malware programs are unable to start. It also closes Task Manager if it is open.
As usual, many fake warnings appear next, such as "Unknown program is scanning your system registry right now! Identify the theft detected!", "Vulnerabilites found. Serious problems have been detected." and so on. All of these are meant to push victims into buying the rogue program.
Here's how Security Defender's main window and activation dialog look:
Paying for Security Defender is certainly not an option. Read on to find out how to remove it.
How to remove Security Defender with Malwarebytes Anti-Malware Chameleon
The following instructions presume that Malwarebytes Anti-Malware is already installed.
Because Security Defender blocks programs with the .exe extension, navigate to the folder where MBAM is installed, for example C:\Program Files\Malwarebytes' Anti-Malware, and open the Chameleon subfolder. It contains copies of the MBAM emergency tools under disguised names and extensions. Launch firefox.com (despite the name, this is not Mozilla Firefox; the .com extension is what lets it past the .exe block) and press a key when prompted. MBAM will then update its definitions, kill the Security Defender process and run a quick scan. This can take up to half an hour.
After the scan is complete, click Show Results and then click Remove Selected. If prompted, reboot your computer.