Manually Defeating Win 7 2012 “Scareware”
Posted by William Diaz on January 17, 2012
Leave it to the kids to finally infect my Windows 7 home system. This wasn’t a big deal; the system has since been hijacked by them to serve their Internet gaming addiction, and I had already moved my workload to my laptop. Anyway, I look forward to the occasional malware infection; it gives me a chance to explore different methods for removing them. In this case I was hit by what is known as Win 7 Security 2012. It may also go by the name XP Home Security 2012, Vista Security 2012, or Windows XP Internet Security 2012 (and then some). It is part of the Braviax suite, a (somewhat non-malicious) form of “scareware” that tries to convince you that your system has several malware infections. At the time it hit me there was no definition for it, so it crept past Microsoft Security Essentials.
Here are some screenshots of the windows it presents to the infected user:
I ran into an earlier form of this in its XP flavor and wrote about it here. Defeating it was rather easy because the variant I encountered still allowed Windows Task Manager and regedit to launch, which was all I really needed to remove it. The 2012 variant I encountered in this case is a bit more robust: in addition to piping all executables through a randomly named exe via the registry, it also kills any process you attempt to start. It does, however, allow your browser of choice to run, since this is how you are expected to purchase your copy of the fake anti-virus, which is just a registration code you enter so that it stops killing the processes you run afterwards.
Like its 2011 predecessor, it does three things:
1. Runs as a randomly named three-letter executable (srz.exe in this example). This variant carries the file description “Microsoft Hyperlink Library” (a new random exe is created from the original if it is run again).
2. Creates a new registry key in HKCU\Software\Classes named .exe that points to the key created in the next step.
3. Creates a new randomly named key (tvfj in the image below) that contains the command string to run the random exe file from step 1. This random key departs from the variant I originally encountered, where the new key was always named exefile.
You can see this by running the scareware exe file and tracing with Process Monitor, focusing on the key creation and the values:
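The same handler chain can be checked without Process Monitor. The script below is an added example, not part of the original post: it reads the per-user .exe key, follows the ProgID it names to that key's shell\open\command, and flags anything other than the stock exefile command ("%1" %*). Run it from an account that is not affected, since the scareware kills processes started in the infected session; the default path is the current user's Classes hive, and the Registry::HKEY_USERS\<SID>_Classes form (SID is a placeholder) lets you point it at another logged-on user's hive.

```powershell
# Added example (not from the original post): read-only check of the .exe
# handler chain that Win 7 Security 2012 hijacks.
param(
    # Classes hive to inspect. Default is the current user's own hive; pass
    # 'Registry::HKEY_USERS\<SID>_Classes' to inspect another loaded profile.
    [string]$ClassesPath = 'HKCU:\Software\Classes'
)

function Get-ExeHandler {
    param([string]$ClassesPath)

    $result = [ordered]@{
        ClassesPath = $ClassesPath
        ProgId      = $null
        Command     = $null
        Hijacked    = $false
        Reason      = 'no per-user .exe override; machine default (exefile) applies'
    }

    $extKey = Join-Path $ClassesPath '.exe'
    if (-not (Test-Path -LiteralPath $extKey)) {
        return [pscustomobject]$result
    }

    # The (Default) value of the .exe key names the ProgID whose
    # shell\open\command is run for every .exe launched by this user.
    $progId = (Get-ItemProperty -LiteralPath $extKey).'(default)'
    $result.ProgId = $progId
    if (-not $progId) {
        $result.Reason = '.exe key exists but names no ProgID; harmless'
        return [pscustomobject]$result
    }

    $cmdKey = Join-Path $ClassesPath "$progId\shell\open\command"
    if (Test-Path -LiteralPath $cmdKey) {
        $result.Command = (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
    }

    # A clean exefile command is exactly "%1" %* (run the program with its
    # arguments). A per-user .exe override pointing at a random ProgID, or a
    # command naming another binary ahead of "%1", is the pattern described
    # above (ProgID tvfj running srz.exe). The 2011 variant reused the name
    # exefile, so the command is checked even when the ProgID looks normal.
    if ($progId -ne 'exefile' -or
        ($result.Command -and $result.Command -notmatch '^\s*"%1"\s+%\*\s*$')) {
        $result.Hijacked = $true
        $result.Reason = "per-user .exe handler redirects to '$progId' -> $($result.Command)"
    } else {
        $result.Reason = 'per-user .exe key present but points to the standard exefile command'
    }
    [pscustomobject]$result
}

Get-ExeHandler -ClassesPath $ClassesPath | Format-List
```

The check is deliberately read-only: it tells you which key to delete and which file the command points at, which is all the removal steps below need.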
Knowing this, there are a couple ways to defeat it.
If the affected system resides in a network environment, the quickest method is to:
1. Navigate to the remote registry of the affected system from another system and delete the .exe key in HKU\SID\ as well as the key it points to.
2. Log off the affected system to stop the executable and log on again*, or remotely kill it with a tool like PsKill.
3. After logging on again, or after killing the executable, delete it. The executable is normally found in C:\Users\username\AppData\Local on a Windows Vista/7 system and in C:\Documents and Settings\username\Application Data on a Windows XP system.
Open Notepad, copy and paste the text below, save it as a .reg file, and copy it to the affected system remotely or via USB (replace tvfj with whatever random key name the .exe key points to on your system):
Windows Registry Editor Version 5.00

; delete the per-user .exe handler and the random key it points to
[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\tvfj]
Run the reg file to remove the registry entry.
This scareware does not block access to Windows Explorer, so you should be able to run the file and import the change into the registry. Note: the scareware executable will try to intercept the import and kill it before you can click Yes on the Registry Editor prompt. There is a tiny window (under a second) before the prompt is killed, but you should be able to hit Enter to confirm the import before it is forcibly closed.
If the affected system is not on a network, you may not have access to the remote registry, but you can still import the reg file created above if you have access to another system on which to create it. Otherwise, here is a neat little trick that you can use to defeat this as well as many other forms of scareware or malware. I used this method in my case, but it only works if the affected system has another account with administrative access that has not been affected:
1. Log on with the admin account. This will not close any of the programs in the affected Windows session.
2. Open the Windows Registry Editor and navigate to HKU\SID_Classes; this is the registry profile of the affected user account, and you will see more than one if there are multiple user accounts**.
3. From Windows Explorer, navigate to the affected user profile and delete the suspect .exe file. It may be marked System and Hidden, so make sure to show all system and hidden files in Windows Explorer.
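Those three steps, run from the second administrator account, can be scripted. The following is an added example and not code from the original post: it resolves the affected account name to its SID through ProfileList (the lookup described in footnote ** below), expects that user's UsrClass.dat to be loaded at HKU\<SID>_Classes because the user is still logged on, removes the .exe key and the random key it points to, then stops and deletes the executable named in the hijacked command rather than guessing its random name. Run it elevated; -WhatIf previews every change without making it.

```powershell
# Added example (not from the original post): clean-up of the .exe hijack
# from a second, unaffected administrator account while the infected
# session is still logged on.
param(
    [Parameter(Mandatory)][string]$UserName,   # name of the affected account
    [switch]$WhatIf
)

function Get-ProfileSid {
    param([string]$UserName)
    # ProfileList maps each SID to its profile folder; the folder's leaf name
    # is the account name (footnote ** describes the same lookup in regedit).
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    foreach ($sidKey in Get-ChildItem -LiteralPath $profileList) {
        $imagePath = (Get-ItemProperty -LiteralPath $sidKey.PSPath).ProfileImagePath
        if ($imagePath -and (Split-Path -Leaf $imagePath) -ieq $UserName) {
            return @{ Sid = $sidKey.PSChildName; ProfilePath = $imagePath }
        }
    }
    throw "No profile named '$UserName' in ProfileList"
}

function Remove-ExeHijack {
    param([string]$UserName, [switch]$WhatIf)

    $userProfile = Get-ProfileSid -UserName $UserName
    $classes = "Registry::HKEY_USERS\$($userProfile.Sid)_Classes"
    $extKey  = Join-Path $classes '.exe'
    if (-not (Test-Path -LiteralPath $extKey)) {
        Write-Host "No per-user .exe override under $classes; nothing to remove."
        return
    }

    # Step 1: the ProgID the .exe key points to, and the command it runs.
    $progId  = (Get-ItemProperty -LiteralPath $extKey).'(default)'
    $cmdKey  = Join-Path $classes "$progId\shell\open\command"
    $command = if (Test-Path -LiteralPath $cmdKey) {
        (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
    }
    Write-Host "Hijacked handler: .exe -> $progId -> $command"

    # The first .exe path in the command string (quoted or bare) is the
    # randomly named scareware binary (srz.exe in the post's example).
    $exePath = $null
    if ($command -match '^\s*"?([^"]+?\.exe)"?') { $exePath = $Matches[1] }

    # Step 2: remove the .exe key and the random ProgID key it points to.
    Remove-Item -LiteralPath $extKey -Recurse -WhatIf:$WhatIf
    if ($progId -and $progId -ne 'exefile') {
        Remove-Item -LiteralPath (Join-Path $classes $progId) -Recurse -WhatIf:$WhatIf
    }

    # Step 3: stop the running copy in the other user's session (an elevated
    # admin can end it) and delete the file, which may be hidden and System.
    if ($exePath) {
        Get-Process | Where-Object { $_.Path -ieq $exePath } |
            Stop-Process -Force -WhatIf:$WhatIf
        if (Test-Path -LiteralPath $exePath) {
            Remove-Item -LiteralPath $exePath -Force -WhatIf:$WhatIf
        }
    }
}

Remove-ExeHijack -UserName $UserName -WhatIf:$WhatIf
```

The registry keys are removed before the process is stopped on purpose: as the post notes, running the original executable again creates a new random exe, so the handler must already be gone by the time anything else is launched in that session.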
As a last resort, you can remove the disk and load the UsrClass.dat of the affected profile into the registry of another system via Load Hive, edit it to remove the .exe key, unload it, and put the disk back in the PC. You can find UsrClass.dat for XP in C:\Documents and Settings\username\Local Settings\Application Data\Microsoft\Windows, or in C:\Users\username\AppData\Local\Microsoft\Windows for Vista/Win 7.
Finally, some additional files are created in several locations as randomly named alphanumeric files. Their purpose is unknown, but they can be safely deleted. They either have no file extension or a .tmp extension. For Vista/Windows 7, you can find them in:
For Windows XP:
C:\Documents and Settings\username\Application Data
C:\Documents and Settings\username\Local Settings\Application Data\
C:\Documents and Settings\username\Local Settings\Application Data\Temp
C:\Documents and Settings\All Users\Application Data\
C:\Documents and Settings\username\Templates\
A repair or re-install of your AV solution may be necessary if you cannot find its icon in the system tray or its program entries are missing.
*Unlike most malware/scareware, Security 2012 does not make itself active by putting itself in any of the usual startup locations in Windows, e.g. HKCU\Software\Microsoft\Windows\CurrentVersion\Run. It pipes all exes through a registry value created in HKCU\Software\Classes to start itself. Removing this registry key ensures that it will not start after a subsequent logon and allows one to start processes normally in the affected user account so the rest of it can be removed.
** To figure out which SID is linked to which account, navigate to the remote registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList, select each SID, and look at the ProfileImagePath value for the user account name.