Panda Security’s weekly report on viruses and intruders
August 2009 by Panda Security
This week’s PandaLabs report focuses on the Harakit.D worm and the Registry Optimizer fake antivirus.
The Harakit.D worm downloads an update of itself as soon as it is run. It then modifies the registry to run on every Windows restart and when the browser is opened. Additionally, it ensures that hidden files cannot be viewed and tries to spread to other computers.
Harakit.D uses two main propagation methods: through shared network drives and via USB devices. In the first case, not only does it spread through shared local network folders, but also through the Internet subnet used by the user. When spreading via USB devices, it copies itself to the root directory of the USB device and creates a file called autorun.inf, in order to run automatically when connected to another computer. To prevent these types of actions, Panda Security provides the new Panda USB Vaccine, a tool that vaccinates USB devices to prevent these threats.
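As an added defender-side example (not Panda's code), the Python below triages an autorun.inf file found at a removable-device root and flags the directives that would launch a program on insertion or double-click; the directive names are the standard Windows AutoRun keys, the sample file is constructed, and the exact contents Harakit.D writes are not stated in this report.

```python
import os
import re

# AutoRun directives whose value is a program to launch; "shell\<verb>\command"
# covers right-click verbs, whose names are attacker-chosen.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")
EXEC_EXTS = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs", ".js"}

def parse_autorun(text):
    """Tolerant [autorun] parser: junk lines are skipped, not fatal, because
    worm-written files often carry padding meant to break strict parsers."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_target(value):
    """Program path from a directive value such as '"x.exe" /arg' or 'x.exe'."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""

def triage_autorun(text):
    """Findings for one autorun.inf body; empty list means no launch directive."""
    entries = parse_autorun(text)
    findings = [f"{k} launches {launch_target(v)}" for k, v in entries.items()
                if LAUNCH_KEY.match(k)
                and os.path.splitext(launch_target(v))[1].lower() in EXEC_EXTS]
    if entries.get("useautoplay") == "1":
        findings.append("useautoplay=1 forces AutoPlay even where it is disabled")
    return findings

# Constructed sample in the style of worm-dropped autorun.inf files, not a real capture.
SAMPLE = """[AutoRun]
;junk line the parser must tolerate
open=RECYCLER\\sample_worm.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shell\\open\\command="RECYCLER\\sample_worm.exe" -quiet
useautoplay=1
"""
```

Run `triage_autorun` over the autorun.inf at each removable drive root; a non-empty result on a device that should only hold data is worth examining before the device is opened.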
Registry Optimizer is a new example of the increasingly notorious fake antiviruses. These threats try to fool users by displaying a false infection on the computer to encourage them into purchasing fraudulent security software. In addition to defrauding users, malware creators steal users’ bank details when they carry out the transaction.
The malicious program displays an installation screen which resembles that of a genuine program, including an end-user license agreement.
Once installed, Registry Optimizer carries out a fake system scan (see photo in Flickr: http://www.flickr.com/photos/panda_...). When the scan ends, it shows a set of fake threats it has supposedly found on the computer (see photo in Flickr: http://www.flickr.com/photos/panda_...) and offers users the possibility of registering the product by paying a fee (see photo in Flickr: http://www.flickr.com/photos/panda_...). If the program is closed, registry error warnings continue to be displayed, and clicking them reopens the program. It also creates an icon on the desktop.
These fraudulent applications usually spread through file-sharing networks, and users usually download them unwittingly because the files carry a different name or are placed alongside content users are interested in.
They can also spread through pages that promote the program and allow users to download it, making them believe it is free or a demo, and that it will resolve their security needs.
In the case of this fraudulent program, the page even displayed the awards "obtained" to look more credible.