SecurityTool isn’t a security tool

Do you see an application with an icon like this on your computer?

If so, your computer may be infected with SecurityTool. This is the icon commonly used by the rogue application of that name. This rogue has never gone away: from 2009 until today, SecurityTool has kept attacking computer users, and it remains one of the rogue applications with the highest infection rates.

This rogue application spreads through social engineering: fake online scanner pages or fake video codec installation prompts, which are prevalent on questionable warez and adult-content websites. Examples of prompts related to SecurityTool are shown below:

If clicked, you are presented with a fake scanner page:

You are prompted to download an antivirus/antimalware product, which is actually SecurityTool, the rogue application. SecurityTool then displays fake scan results claiming that the computer is infected with viruses. To "clean" them, the user is required to register (that is, pay) first.

We analyzed one of its variants, 954,368 bytes in size. A packer detector such as PEiD reports nothing about it, but the file is very likely compressed or encrypted: opened in a hex editor it shows very few readable strings and no repeating byte patterns. We dug deeper with a debugger and found two decryptor routines the malware uses to protect the strings embedded in it. The first is:

This routine uses XOR with “e1uCt.” as the key.

The other one uses only a Caesar-cipher technique: an ADD instruction with the constant 5.
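The two decoders re-implemented in Python, as an added example that is not part of the original analysis: the malware's own routines were only shown as debugger screenshots, so the key reuse being cyclic, the decryptor (rather than the encoder) being the side that adds 5, and the byte-wise wrap-around are assumptions. The protected blobs are constructed here with the matching encoders, not extracted from a real sample. Besides decoding a single string, the example scans a whole buffer under every rotation of the XOR key, since a string at an arbitrary file offset is not aligned to the key.

```python
"""Re-implementation of the two string-protection schemes the analysis
describes: repeating-key XOR with the key "e1uCt." and a Caesar-style ADD 5.
Added example; the exact details (cyclic key reuse, decrypt = ADD 5, 8-bit
wrap-around) are assumptions, and the sample blobs are constructed here."""

XOR_KEY = b"e1uCt."   # key quoted in the analysis
ADD_CONST = 5         # ADD operand quoted in the analysis

PRINTABLE = set(range(0x20, 0x7F))


def xor_crypt(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so this both encrypts and
    decrypts. Assumes the key is reused cyclically across the string."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def add_decrypt(data: bytes, k: int = ADD_CONST) -> bytes:
    """Decoder side of the Caesar scheme: ADD k to every byte, wrapping at
    0xFF the way an 8-bit ADD does."""
    return bytes((b + k) & 0xFF for b in data)


def add_encrypt(data: bytes, k: int = ADD_CONST) -> bytes:
    """Inverse of add_decrypt (what the packer must have done)."""
    return bytes((b - k) & 0xFF for b in data)


def printable_ratio(data: bytes) -> float:
    """Share of printable-ASCII bytes; a cheap 'does this look decoded?' score."""
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def try_decoders(blob: bytes):
    """Run both decoders on one protected string and return
    (scheme_name, plaintext) for whichever yields more printable ASCII."""
    candidates = {"xor(e1uCt.)": xor_crypt(blob), "add5": add_decrypt(blob)}
    best = max(candidates, key=lambda n: printable_ratio(candidates[n]))
    return best, candidates[best]


def extract_strings(data: bytes, min_len: int = 6):
    """strings(1)-style scan: runs of at least min_len printable bytes."""
    found, run = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def find_xor_strings(buf: bytes, key: bytes = XOR_KEY, min_len: int = 6):
    """Decode a whole buffer under every rotation of the key and collect the
    printable runs. A string embedded at an arbitrary offset is not aligned to
    the key, so the correct phase is unknown until every rotation is tried."""
    found = []
    for r in range(len(key)):
        rotated = key[r:] + key[:r]
        found.extend(extract_strings(xor_crypt(buf, rotated), min_len))
    return found


# Constructed inputs (not taken from the real binary).
SAMPLE_XOR = xor_crypt(b"Scanning is finished. No viruses found.")
SAMPLE_ADD = add_encrypt(b"Security Tool")

if __name__ == "__main__":
    for blob in (SAMPLE_XOR, SAMPLE_ADD):
        print("%-12s -> %r" % try_decoders(blob))
    # String sitting 3 bytes into a buffer: only the rotated key recovers it.
    print(find_xor_strings(b"\xff\xff\xff" + SAMPLE_XOR))
```

In practice you would feed `find_xor_strings` and `extract_strings(add_decrypt(...))` the dumped memory or the data section of the sample and review whatever comes out, since an unpacked string table is where the registration string, the whitelisted process names and the fake blue screen text are easiest to spot.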

After decrypting part of the malware's data we find:

This looks like an error message. SecurityTool displays a fake blue screen on the victim’s computer:

On closer inspection this does not match a genuine blue screen, and the message text itself has peculiarities, such as:

“In this is the first time you’ve seen this…”,

“…software manufacturer for nay windows updates you might need”,

Furthermore,

While SecurityTool is active you can practically run no application at all, except those whose file name is one of: iexplorer.exe, firefox.exe, wscntfy.exe, shutdown.exe, avcheck.exe, wuauclt.exe, and soft_cleaner.exe. Since the block is based on the file name, you can work around it by simply renaming the application you want to run to one of these names.

As noted, the rogue tries to cheat the user by convincing them that the computer is infected. To "remove" the infection you are required to pay $79.95 for a lifetime software license.

If we dig a little deeper, we can find the key for free.

SecurityTool reads the value HKEY_LOCAL_MACHINE\SOFTWARE\%RandomNumber%\Key; if that value contains “147fa778bdca5a026f889ccda659f5b8”, the program considers itself registered.

Once the program is registered there are no more fake scan results; it simply reports “Scanning is finished. No viruses found.”

Thanks to Arief, our lab analyst, for this research and analysis. As always, you can use Emsisoft Anti-Malware to detect and completely remove this rogue product. If you find an undetected sample or run into any problem, submit the file from within our product and we will make sure to provide a fast solution.