XP SecurityCenter is a rogue antimalware application installed through dubious means, such as a link in a spam mail or a link on a hacked website. It is a look-alike of the legitimate Windows Security Center, and it does what other rogue antimalware apps do: it scares the unfortunate victim by throwing up various pop-up messages about the health of their PC.
In this instance the installer was dropped by a trojan downloader, which was downloaded when I clicked on a link found in a malicious celebrity spam mail. The installer, named Install.exe, is about 340KB and is well recognized over at VirusTotal, with a detection rate of about 78%.
When the installer is executed it connects to 126.96.36.199 which hosts many rogue antimalware domains like winantimalware.com, winantispyware2008.com, winreanimator.com, xpcleaner2008.com, xpdefender2008.com, xpguard2008.com and xpsecuritycenter.com to download the remaining part of the application. The successful installation is phoned home to a member’s account at softcashier.net.
softcashier.net is hosted at IP 188.8.131.52, which also hosts softcashier.com. The registrar of softcashier.net is DIRECTI INTERNET SOLUTIONS PVT. LTD. The domain was created on 2008-09-03 by the registrant Hawkwing Professional Services Limited, based in Belize, a country in Central America.
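The domains named above can be turned into a simple check over proxy or DNS logs to find other machines that contacted the same infrastructure. This is an added example, not part of the original post; the log format (timestamp, client, target) and the sample lines are constructed assumptions.

```python
from urllib.parse import urlsplit

# Domains named in the post (download hosts plus the affiliate site).
ROGUE_DOMAINS = {
    "winantimalware.com", "winantispyware2008.com", "winreanimator.com",
    "xpcleaner2008.com", "xpdefender2008.com", "xpguard2008.com",
    "xpsecuritycenter.com", "softcashier.net", "softcashier.com",
}

def normalize_host(value):
    """Extract a lowercase hostname from a URL, host:port, or bare name."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value          # let urlsplit treat it as a netloc
    host = urlsplit(value).hostname or ""
    return host.rstrip(".").lower()   # drop the FQDN trailing dot

def matched_domain(host):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])   # match on label boundaries only
        if candidate in ROGUE_DOMAINS:
            return candidate
    return None

def scan(lines, field=2):
    """Yield (line_no, client, domain) for each log line whose target matches."""
    for no, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) <= field:
            continue                  # skip malformed or short lines
        hit = matched_domain(normalize_host(parts[field]))
        if hit:
            yield no, parts[1], hit

# Constructed sample log (assumed format: timestamp client target), not real traffic.
SAMPLE_LOG = [
    "2008-09-20T10:01:02 10.0.0.5 http://www.XPSecurityCenter.com/buy.php",
    "2008-09-20T10:01:09 10.0.0.5 softcashier.net.:80",
    "2008-09-20T10:02:11 10.0.0.7 http://notxpsecuritycenter.com/",
    "2008-09-20T10:02:30 10.0.0.8 http://example.org/?q=xpguard2008.com",
    "truncated-line",
]

if __name__ == "__main__":
    for no, client, domain in scan(SAMPLE_LOG):
        print(f"line {no}: {client} contacted {domain}")
```

Matching on whole DNS labels rather than substrings keeps look-alike names and query-string mentions from producing false hits.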
Softcashier.net lists an interesting offer on its home page.
Once installed, the scare tactics start, and the need to register XP SecurityCenter is stressed many times. When the victim clicks the Register now button, the fake app opens the default browser and connects to the buy page at xpsecuritycenter.com, which espouses the benefits of XP SecurityCenter. The page also uses fraudulent logos purporting to be awards from various well-known computer magazines and websites.
I clicked on the BUY ONLINE button and was directed to their payment processor, secure.chronopay.com, secured with a 128-bit SSL certificate issued by Verisign. Here ends my experience with Fake XP SecurityCenter. Now is the time to clean up.
Files and Folders Infected
C:\Documents and Settings\All Users\Start Menu\Programs\XPSecurityCenter\Uninstall.lnk
C:\Documents and Settings\All Users\Desktop\XPSecurityCenter.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\XPSecurityCenter\XPSecurityCenter.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\XPSecurityCenter
Registry changes detected
XP SecurityCenter Removal
It was very easy to remove this infection with Malwarebytes’ Anti-Malware. Please download the free version of Malwarebytes’ Anti-Malware, update and run a quick scan to get rid of this infection.