System Security 2009 is one of the newest entrants into the family of rogue antisecurity software. Once installed, it surreptitiously downloads and installs a malicious backdoor trojan that runs in the background and allows remote access to the compromised system.
Rogue security software belongs to a family of products that call themselves antivirus, antispyware or registry cleaners, and that often use deceptive or high-pressure sales tactics and deliberate false positives to convince users into buying a license or subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add more malware of their own.
Note: Visiting some of the domains mentioned below may harm your computer system.
I came across this pest when I visited a hacked website. A dialog box popped up that warned about the presence of a multitude of malware and offered a free scan. The scan insisted on running irrespective of the buttons pressed. The scan presented a deceptive Windows Explorer-like interface inside the browser. The result of the fake scan predictably finds hundreds of threats on your system.
Unlike many rogue antisecurity software installer sites, you will not get infected if you visit the site directly; you need to be redirected from another infected site to experience the true purpose of this site.
The following text-only view of the website gives an idea of how the fake scan is perpetrated:
[i5000000.gif] View system information
[i6000000.gif] Add or remove programs
[i7000000.gif] Change a settings
[i1000000.gif] My Network Places
[i2000000.gif] My Documents
[i3000000.gif] Shared Documents
[i4000000.gif] Control Panel
System scan progress
[inf20000.gif] 7 trojans
[folder.gif] Shared Documents
[inf20000.gif] 103 trojans
[folder.gif] My Documents
[inf20000.gif] 362 trojans
[hdd.gif] Local Disk (C:)
[inf20000.gif] 155 trojans
[hdd.gif] Local Disk (D:)
[dvd.gif] DVD-RAM Drive (E:)
Now scanning: none
Your Computer is Infected!
Threats and actions:
Name Risk level Date Files infected State
[qicon.gif] Email-Worm.Win32.Net Critical 11.18.2008 35 Waiting
[qicon.gif] Email-Worm.Win32.Myd Critical 11.18.2008 35 Waiting
[qicon.gif] Trojan-Downloader.Win Critical 11.18.2008 35 Waiting
This program is potentially dangerous for your system.
Trojan-Downloader stealing passwords, credit cards and other personal
information from your computer.
You need to remove this threat as soon as possible!
Full system cleanup
The site downloads ws.zip, extracts it and runs an install.exe (103976 bytes) file which has a mere 15% detection rate at virustotal.com. This file drops the System Security 2009 rogue on your system. Once it is installed, the scare messages start popping up all over. The popups appeared very frequently and stayed on top until killed. One of the fake messages announced that the Firefox browser was infected with a worm called ‘Lsas.Blaster.Keyloger‘.
It proceeds to download an installer, pv.exe (163,344 bytes), identified as a trojan by 60% of the scanners at virustotal. While installing, the trojan masquerades as the CTF loader (a Microsoft file) and as a Skype file.
This scareware uses the payment processor securesoftwarepays .com through Electronicbillinghost .com.
System Security 2009 – Associated Files and Folders (Some of the file and folder names may be randomly generated)
- C:\Documents and Settings\All Users\Application Data\03395734\03395734.exe
- C:\Documents and Settings\All Users\Application Data\03395734\03395734.glu
- C:\Documents and Settings\All Users\Application Data\03395734\pc03395734cnf
- C:\Documents and Settings\All Users\Application Data\03395734\pc03395734ins
- C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\System Security\System Security 2009 Support.lnk
- C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\System Security\System Security 2009.lnk
- C:\Documents and Settings\malwarehelp.org\Desktop\System Security 2009.lnk
- C:\Documents and Settings\All Users\Application Data\03395734
- C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\System Security
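As a defender-side check tied to the artifact list above (an added example, not the author's code), the script below matches the dropper's file layout as a pattern rather than by the literal 03395734 name, since the write-up notes the names may be randomly generated. The directory listing it scans is constructed for the demonstration, and the function names `classify_path` and `find_rogue_artifacts` are assumptions.

```python
import re

# Layout taken from the write-up: an 8-digit folder under All Users\Application Data
# holding <id>.exe, <id>.glu, pc<id>cnf and pc<id>ins. The id is a backreference so a
# randomly generated name still matches, but only if all files share the same id.
DATA_DIR_RE = re.compile(
    r"^C:\\Documents and Settings\\All Users\\Application Data\\(?P<id>\d{8})\\"
    r"(?:(?P=id)\.exe|(?P=id)\.glu|pc(?P=id)cnf|pc(?P=id)ins)$",
    re.IGNORECASE,
)
# Desktop and Start Menu shortcuts; the user profile name is variable.
SHORTCUT_RE = re.compile(
    r"^C:\\Documents and Settings\\[^\\]+\\(?:Desktop|Start Menu\\Programs\\System Security)\\"
    r"System Security 2009(?: Support)?\.lnk$",
    re.IGNORECASE,
)

def classify_path(path):
    """Return ('dropper', id), ('shortcut', None) or None for a single path."""
    m = DATA_DIR_RE.match(path)
    if m:
        return ("dropper", m.group("id"))
    if SHORTCUT_RE.match(path):
        return ("shortcut", None)
    return None

def find_rogue_artifacts(paths):
    """Group hits by folder id; a folder is confirmed only when its payload .exe
    plus at least one companion file are present, to avoid flagging a stray file."""
    by_id, shortcuts = {}, []
    for p in paths:
        hit = classify_path(p)
        if hit is None:
            continue
        kind, ident = hit
        if kind == "dropper":
            by_id.setdefault(ident, []).append(p)
        else:
            shortcuts.append(p)
    confirmed = {i: sorted(v) for i, v in by_id.items()
                 if len(v) >= 2 and any(p.lower().endswith(f"\\{i}.exe") for p in v)}
    return {"folders": confirmed, "shortcuts": sorted(shortcuts)}

# Constructed listing: a different random id, a lone .glu that should not be confirmed,
# two shortcuts and one benign path.
SAMPLE_LISTING = [
    r"C:\Documents and Settings\All Users\Application Data\48120037\48120037.exe",
    r"C:\Documents and Settings\All Users\Application Data\48120037\48120037.glu",
    r"C:\Documents and Settings\All Users\Application Data\48120037\pc48120037cnf",
    r"C:\Documents and Settings\All Users\Application Data\71003356\71003356.glu",
    r"C:\Documents and Settings\User\Desktop\System Security 2009.lnk",
    r"C:\Documents and Settings\User\Start Menu\Programs\System Security\System Security 2009 Support.lnk",
    r"C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\notes.txt",
]

if __name__ == "__main__":
    print(find_rogue_artifacts(SAMPLE_LISTING))
```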
System Security 2009 – Associated Registry keys and values
System Security 2009 – Associated Domains
- Onlinebrandsecurity .com
- Youronlinestability .com
- Networkstabilityscan .com
- Scanprotectiononline .com
- Internetsafetyexamine .com
- Electronicbillinghost .com
- securesoftwarepays .com
System Security 2009 – Removal (How to remove System Security 2009)
The free edition of Malwarebytes’ Anti-Malware appears to remove this rogue security software.
- Download and install Malwarebytes’ Anti-Malware.
- Boot into Windows Safe Mode.
- Click to scan with your chosen software. Check mark all instances of the rogue antispyware and delete them.
- Turn System Restore off and on.
- Download and install CCleaner, then scan and clean the temporary files with it.
You should now be clean of this rogue.
If you still see symptoms associated with this rogue anti-spyware, please post your problem at one of the Recommended Online Forums for Malware Help.
System Security 2009 – Rogue Gallery
System Security 2009 – Video
Note: The above installation was tested on a fully patched Windows XP SP3 running updated versions of Internet Explorer 8 and Firefox 3. The content provided in this article is not warranted or guaranteed by MalwareHelp.org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.