WinDefender 2009 is one of the more recent rogue security software products. A variant of the rogues IE Defender and Total Secure, it is deceptively similar in appearance to Windows Defender, a legitimate Microsoft anti-malware program.
Rogue security software belongs to a family of products that call themselves antivirus, antispyware or registry cleaners and often use deceptive or high-pressure sales tactics and deliberate false positives to convince users to buy a license or subscription. They are frequently repackaged and renamed. They do not actually remove malware; instead, many of them install more malware of their own.
Note: Visiting any of the malware hosting domains mentioned below may be injurious to the health of your computer system.
- WinDefender 2009 Domain Information and Installation
- WinDefender 2009 – Associated Files and Folders
- WinDefender 2009 – Associated Registry keys and values
- WinDefender 2009 – Associated Domains
- WinDefender 2009 – Removal (How to remove WinDefender 2009)
- WinDefender 2009 – Rogue Gallery
- WinDefender 2009 – Video
This rogueware is currently installed through windefender-2009.com, registered to domainsreg.cn through the ICANN-accredited registrar BIZCN.COM, INC. It appears to be hosted at the IP 188.8.131.52, located in Delaware – Wilmington – Network Engineering Technologies Research Center Llc.
The rogue installer is named WinDefender2009.exe and is about 1.71 MB in size. The file must be executed manually to install the rogue anti-spyware. At the time of writing, only 25% of the antivirus engines at VirusTotal were able to identify this file as undesirable.
This installer file is downloaded from the IP 184.108.40.206 in Latvia. This IP also hosts the nameservers of other malware domains: gettotalsec2008.com, totalsecuredownload.com and videofreeforonline.com.
After the rogueware is successfully installed, the process windef.exe contacts its mothership at megauplinkbindinstaller.com, specifically a page curiously named infected.php.
Once the user is tricked into installing this scareware, popup windows like the one captured below appear periodically. When the user clicks the "OK" button, they are taken to the vendor's own 256-bit SSL payment page, certified by Equifax Secure Inc.
- C:\Program Files\WinDefender
- C:\Program Files\WinDefender\ekrn.exe
- C:\Program Files\WinDefender\uninstall.exe
- C:\Program Files\WinDefender\windef.exe
- C:\Program Files\WinDefender\WinDefender.s1
- C:\Program Files\WinDefender\WinDefender.s2
- C:\Program Files\WinDefender\WinDefender.s3
- C:\Program Files\WinDefender\WinDefender.s4
- C:\Program Files\WinDefender\WinDefender.s5
- C:\Program Files\WinDefender\WinDefender.s6
Note: File names may be randomly generated.
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDefender 2009
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDefender 2009#UninstallString
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDefender 2009#InstallLocation
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDefender 2009#DisplayName
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDefender 2009#DisplayIcon
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDefender 2009#DisplayVersion
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDefender 2009#VersionMajor
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDefender 2009#VersionMinor
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDefender 2009#NoModify
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDefender 2009#NoRepair
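The indicators above (the distribution and call-back domains, the two IP addresses, the infected.php page, the install folder, the windef.exe/ekrn.exe processes and the Uninstall registry key) are the kind of list a defender turns into a quick triage check. The following Python script is an added example, not code from Malware Help. Org: it matches those page-listed indicators against a constructed squid-style proxy log and a constructed host inventory (file paths, registry keys, running processes). The log format, the inventory lists and the helper names (Finding, scan_proxy_log, scan_host) are assumptions made for the example; the install-folder match is a directory-prefix match because the page notes that file names inside it may be randomly generated.

```python
"""Triage matcher for the WinDefender 2009 indicators listed in the write-up.

Indicator values come from the page; every log line and host artefact below is
CONSTRUCTED sample input so the script runs offline.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# --- Indicators taken from the write-up (lower-cased for comparison) --------
DOMAINS = {
    "windefender-2009.com",          # distribution site for WinDefender2009.exe
    "megauplinkbindinstaller.com",   # post-install call-back, page infected.php
    "gettotalsec2008.com",           # related rogueware domains sharing nameservers
    "totalsecuredownload.com",
    "videofreeforonline.com",
}
IPS = {"188.8.131.52", "184.108.40.206"}
CALLBACK_PATH = "/infected.php"
INSTALL_DIR = r"c:\program files\windefender"
PROCESSES = {"windef.exe", "ekrn.exe", "windefender2009.exe"}
UNINSTALL_KEY = r"hklm\software\microsoft\windows\currentversion\uninstall\windefender 2009"


@dataclass(frozen=True)
class Finding:
    source: str      # "proxy", "file", "registry" or "process"
    indicator: str   # which indicator matched
    evidence: str    # the log line or artefact that matched


def _host_matches(host: str) -> Optional[str]:
    """Return the matching indicator for a host name or IP, or None."""
    host = host.lower().rstrip(".")
    if host in IPS:
        return host
    for d in DOMAINS:
        # exact match or a sub-domain of a listed domain, never a look-alike suffix
        if host == d or host.endswith("." + d):
            return d
    return None


# Constructed squid-style access log: "<epoch> <client> <method> <url> <status>"
PROXY_LOG = """\
1230000001 10.0.0.12 GET http://www.example.com/index.html 200
1230000002 10.0.0.12 GET http://windefender-2009.com/WinDefender2009.exe 200
1230000003 10.0.0.12 GET http://184.108.40.206/WinDefender2009.exe 200
1230000004 10.0.0.12 POST http://megauplinkbindinstaller.com/infected.php 200
1230000005 10.0.0.12 GET http://update.microsoft.com/ 200
"""
PROXY_RE = re.compile(r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def scan_proxy_log(text: str) -> List[Finding]:
    """Flag proxy lines whose host is a listed domain/IP; label the infected.php call-back."""
    findings = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the whole scan
        parts = urlsplit(m["url"])
        ioc = _host_matches(parts.hostname or "")
        if ioc is None:
            continue
        if parts.path.lower() == CALLBACK_PATH:
            # the page describes this request as the post-install signal from windef.exe
            findings.append(Finding("proxy", f"{ioc}{CALLBACK_PATH} (install call-back)", line))
        else:
            findings.append(Finding("proxy", ioc, line))
    return findings


# Constructed host inventory, as an endpoint collector might export it
HOST_FILES = [
    r"C:\Program Files\WinDefender\windef.exe",
    r"C:\Program Files\WinDefender\xk9a2.s1",          # constructed randomised name
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
]
HOST_REG_KEYS = [
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDefender 2009",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox",
]
HOST_PROCS = ["explorer.exe", "windef.exe"]


def scan_host(files: List[str], reg_keys: List[str], procs: List[str]) -> List[Finding]:
    """Match file paths, registry keys and process names against the page's indicators."""
    findings = []
    for p in files:
        lp = p.lower()
        # prefix match on the folder covers the randomised file names inside it
        if lp == INSTALL_DIR or lp.startswith(INSTALL_DIR + "\\"):
            findings.append(Finding("file", INSTALL_DIR, p))
    for k in reg_keys:
        lk = k.lower()
        if lk == UNINSTALL_KEY or lk.startswith(UNINSTALL_KEY + "\\"):
            findings.append(Finding("registry", UNINSTALL_KEY, k))
    for name in procs:
        if name.lower() in PROCESSES:
            findings.append(Finding("process", name.lower(), name))
    return findings


if __name__ == "__main__":
    for f in scan_proxy_log(PROXY_LOG) + scan_host(HOST_FILES, HOST_REG_KEYS, HOST_PROCS):
        print(f"[{f.source}] {f.indicator}: {f.evidence}")
```

On the constructed input the proxy scan produces three findings (the installer download from the domain, the same download from the Latvian IP, and the infected.php call-back), and the host scan flags the two files in the install folder, the Uninstall key and the windef.exe process. Matching the folder rather than individual file names, and matching sub-domains only below a listed domain, are the two choices that keep the check useful despite the renaming the page warns about without producing false positives on look-alike names.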
I would also recommend turning System Restore off and back on to clear any infected restore points, and using CCleaner to clear the temp folders and files, to avoid recurrence.
If you still see symptoms associated with this rogue anti-spyware, please post your problem at one of the Recommended Online Forums for Malware Help.
Note: The above installation was tested on a fully patched Windows XP SP3 running updated versions of Internet Explorer 7 and Firefox 3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.