Wednesday, July 20, 2011

Security Tool Rogueware...

Some recent versions of the Security Tool scareware now include a ransomware component that locks the victim out by covering the desktop with a full-screen scare message. It demands a serial number, supposedly provided on purchasing Security Tool, to unlock the computer.

The exact message:

“WARNING WINDOWS SECURITY CENTER! DANGEROUS TROJANS,KEYLOGGERS AND SPYWARES DETECTED IN YOUR COMPUTER !!!

For Security of your data computer is locked…To unlock your computer buy the antispyware software below and remove all viruses as soon as possible. In case trojans are not removed fro your computer in 3 hours, all data in the computer will deleted. Enter the serial number you are given after buying the antispyware below and unlock your computer and clean the spywares.”

Entering any serial with more than 12 characters removes the alert. Thanks to S!Ri.URZ for the tip.

Security Tool Ransomware

Rogue security software such as Security Tool belongs to a family of products that call themselves antivirus, antispyware or registry cleaners and rely on deceptive or high-pressure sales tactics and deliberate false positives to convince users to buy a license or subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add more malware of their own.

The ransomware component was named myserv.exe and was found in the Windows directory. It was about 32 KB in size and was detected by 26/42 (61.91%) of the antivirus engines available at VirusTotal. myserv.exe was observed making connections to webpaybill .net.

This malware is classified as:

- Win32.TRATRAPS
- Trojan.ATRAPS.Gen
- Win32/LockScreen.EG
- Adware.SecurityTool.R.32768
- Trojan.Win32.VB.acwq

This ransomware starts with Windows by adding itself to the Run registry key (value name KeyMy):

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeyMy = C:\WINDOWS\myserv.Exe

Security Tool Ransomware Component Removal

- Enter any serial number with more than 12 characters, for example 1234567891011, and then click “UNLOCK” to remove the fake alert.

- Download, install and run Malwarebytes' Anti-Malware. Go to the Update tab and check for updates. Once the update is completed, open the Scanner tab and choose a full scan. Once the scan is completed, click “Show results”, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted, restart immediately to complete the removal process.

- Download, install, scan and clean the temporary files with the CCleaner Slim version.
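The following PowerShell script is an added example, not part of the original post or of any product named in it: it checks a Windows host for the two artifacts described above, the KeyMy Run value and the myserv.exe file in the Windows directory, and reports them without deleting anything, so the findings can be verified before the removal steps are run. It assumes an administrator session and PowerShell 4 or later (for Get-FileHash).

```powershell
# Added example (not from the original post): report-only check for the
# Security Tool ransomware persistence and file artifacts described above.
# Assumptions: run as an administrator; value name "KeyMy" and the path
# <Windows dir>\myserv.exe are taken from the post. Nothing is deleted.

$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'KeyMy'
$filePath  = Join-Path $env:SystemRoot 'myserv.exe'
$findings  = @()

# 1. Persistence: the Run value the post names, plus any other Run value
#    that points at myserv.exe regardless of the value name used.
$runValues = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runValues) {
    foreach ($prop in $runValues.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
        if ($prop.Name -eq $valueName -or "$($prop.Value)" -match 'myserv\.exe') {
            $findings += [pscustomobject]@{
                Type  = 'Run key value'
                Where = "$runKey\$($prop.Name)"
                Value = $prop.Value
            }
        }
    }
}

# 2. Dropped file: the post reports it in the Windows directory at about 32 KB.
#    The size and SHA-256 are recorded so the sample can be looked up at VirusTotal.
if (Test-Path -LiteralPath $filePath) {
    $file = Get-Item -LiteralPath $filePath
    $hash = (Get-FileHash -LiteralPath $filePath -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{
        Type  = 'File'
        Where = $filePath
        Value = "size=$($file.Length) bytes sha256=$hash"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Security Tool ransomware artifacts found.'
} else {
    $findings | Format-Table -AutoSize
    Write-Output 'Artifacts found: verify the hash, then follow the removal steps above.'
}
```

Because the locked desktop may prevent opening a console, the check is most useful after the fake alert has been dismissed with a long serial or from a second administrator session.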


Source: http://www.malwarehelp.org

