
Security Tool gets nastier

by Shanmuga

Some recent versions of the Security Tool scareware now include a ransomware component that confounds victims by blocking the desktop with a full-screen scare message. To unlock the computer, it asks for a serial number that will supposedly be provided on purchasing Security Tool.

The exact message:


For Security of your data computer is locked…To unlock your computer buy the antispyware software below and remove all viruses as soon as possible. In case trojans are not removed fro your computer in 3 hours, all data in the computer will deleted. Enter the serial number you are given after buying the antispyware below and unlock your computer and clean the spywares.

Entering any serial with more than 12 characters removes the alert. Thanks to S!Ri.URZ for the tip.


Rogue security software such as Security Tool belongs to a family of products that present themselves as antivirus, antispyware or registry cleaners, and that often use deceptive or high-pressure sales tactics and deliberate false positives to push users into buying a license or subscription. These products are often repackaged and renamed. They do not actually remove malware; instead, many of them add more malware of their own.

The ransom-ware component was named myserv.exe and found in the Windows directory. It was about 32 KB in size and detected by 26/42 (61.91%) of the antivirus engines available at VirusTotal. myserv.exe was observed making connections to webpaybill .net.

This malware is classified as:

  • Win32.TRATRAPS
  • Trojan.ATRAPS.Gen
  • Win32/LockScreen.EG
  • Adware.SecurityTool.R.32768
  • Trojan.Win32.VB.acwq

This ransom-ware starts with Windows by adding itself to the Run registry key:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeyMy C:\WINDOWS\myserv.Exe
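As an added example (not part of the original article and not code from any tool it mentions), the following Python script checks the text output of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` for the Run entry described above. The function names and the sample output are constructed for illustration; only the value name `KeyMy` and the file name `myserv.exe` come from the article.

```python
import re

# Indicators taken from the article: the Run value name and the dropped file.
IOC_VALUE_NAME = "keymy"
IOC_FILE_NAME = "myserv.exe"

# Constructed sample of `reg query` output (not captured from a real host).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    KeyMy    REG_SZ    C:\WINDOWS\myserv.Exe
    ExampleUpdater    REG_SZ    "C:\Program Files\Example\updater.exe" /background
"""

# A value line is indented: name, registry type, data, separated by 4 spaces.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

def parse_run_values(reg_query_text):
    """Return (name, data) pairs from `reg query` text output of a Run key."""
    entries = []
    for line in reg_query_text.splitlines():
        match = VALUE_LINE.match(line)
        if match:
            entries.append((match.group("name"), match.group("data").strip()))
    return entries

def target_path(data):
    """Extract the executable path from Run data, with or without quotes."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    # Unquoted: take everything up to and including the first ".exe".
    m = re.match(r"(?i)(.+?\.exe)\b", data)
    return m.group(1) if m else data

def find_myserv_autoruns(reg_query_text):
    """Flag Run values matching the article's value name or file name."""
    hits = []
    for name, data in parse_run_values(reg_query_text):
        file_name = target_path(data).replace("/", "\\").rsplit("\\", 1)[-1]
        reasons = []
        if name.lower() == IOC_VALUE_NAME:
            reasons.append("value name")
        if file_name.lower() == IOC_FILE_NAME:
            reasons.append("file name")
        if reasons:
            hits.append({"name": name, "data": data, "matched": reasons})
    return hits

if __name__ == "__main__":
    for hit in find_myserv_autoruns(SAMPLE_REG_QUERY):
        print(hit)
```

Matching is case-insensitive because the article itself shows the file as both `myserv.exe` and `myserv.Exe`; a hit on the file name alone still catches the entry if the value name differs.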

Security Tool Ransom-ware component Removal

  • Enter any serial number with more than 12 characters. For example: 1234567891011 and then click “UNLOCK” to remove the fake alert.
  • Download, install and run MalwareBytes’s Anti-Malware. Go to the Update tab and check for updates. Once the update is completed, open the Scanner tab and choose a full scan. Once the scan is completed, click “Show results”, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted, restart immediately to complete the removal process.
  • Download and install CCleaner Slim version, then scan and clean the temporary files with it.


Note: Security Tool Ransom-ware component installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.
