Trojan:Win32/PrivacyCenter is a family of programs that claim to scan for malware and display fake warnings of “malicious programs and viruses”. The programs then inform the user that they must pay to register the software in order to remove these non-existent threats.
We have received reports that this trojan has been distributed via poisoned search results, where users are redirected to sites that display fake scanners. These pages falsely report that the user's system is infected in order to convince users to download Trojan:Win32/PrivacyCenter. We have also received reports that this trojan has been distributed masquerading as a fake video codec. The pages and files used in this form of attack are highly variable, and change according to the user's location, browser and operating system. Please see below for an example:
Installation
Trojan:Win32/PrivacyCenter creates many files under the following subdirectories, which it creates upon execution:
It modifies the registry to run its executable at each Windows start:
Adds value: "agent.exe"
With data: "%program_files%\privacy center\agent.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
It also creates an uninstall entry for itself in the 'Uninstall or change a program' dialog. However, this (presumably deliberately) fails to function. Should a user try to uninstall the program listed as 'Privacy Center', the entry will be removed from the dialog, but the trojan will remain on the affected machine and continue to function.
Trojan:Win32/PrivacyCenter modifies the registry to replace explorer.exe as the shell under the per-user Winlogon entry:
Adds value: "Shell"
With data: "%program_files%\privacy center\pc.exe"
To subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
This prevents Explorer and the Windows Start menu from appearing on system startup, and displays the trojan's interface instead.
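A defender-side check for the two persistence points described above, added here as an example and not part of the original write-up: it walks the loaded user hives under HKEY_USERS and reports a Winlogon Shell value that is not explorer.exe, or a Run value named agent.exe whose data points at the documented "privacy center\agent.exe" path. The script and its variable names are my own; it assumes an elevated PowerShell session so that every loaded user hive is readable.

```powershell
# Added example: look for the PrivacyCenter persistence entries documented
# in the write-up (HKCU Run value "agent.exe" and HKCU Winlogon "Shell").
# Assumes it runs elevated so all loaded hives under HKEY_USERS are readable.

$RunValueName   = 'agent.exe'                          # value name from the write-up
$RunDataPattern = '\\privacy center\\agent\.exe$'      # matches "%program_files%\privacy center\agent.exe"
$ShellDefault   = 'explorer.exe'                       # the documented hijack swaps this for pc.exe

$findings = @()

# One subkey per loaded user hive; skip the *_Classes hives, which hold no Run/Winlogon data.
$hives = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
         Where-Object { $_.PSChildName -notmatch '_Classes$' }

foreach ($h in $hives) {
    $base = $h.PSPath

    # 1. Per-user Winlogon\Shell. A per-user Shell value is unusual on its own;
    #    anything other than explorer.exe matches the documented shell replacement.
    $wl = Get-ItemProperty "$base\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -ErrorAction SilentlyContinue
    if ($wl -and $wl.PSObject.Properties['Shell']) {
        $shell = [string]$wl.Shell
        if ($shell.Trim().ToLower() -ne $ShellDefault) {
            $findings += [pscustomobject]@{ Hive = $h.PSChildName; Indicator = 'Winlogon\Shell'; Data = $shell }
        }
    }

    # 2. Per-user Run entry named agent.exe that launches from a "privacy center" folder.
    $run = Get-ItemProperty "$base\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties[$RunValueName]) {
        $data = [string]$run.$RunValueName
        if ($data -match $RunDataPattern) {
            $findings += [pscustomobject]@{ Hive = $h.PSChildName; Indicator = 'Run\agent.exe'; Data = $data }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No PrivacyCenter persistence indicators found in loaded user hives.'
} else {
    $findings | Format-Table -AutoSize
}
```

Only hives currently loaded appear under HKEY_USERS, so profiles that are not logged on must be loaded (or their NTUSER.DAT examined offline) to be covered.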
Payload
Displays fake warnings
Trojan:Win32/PrivacyCenter displays fake scanning results and alerts regarding bogus malware infections and other security risks on an affected machine. Should a user attempt to 'use' Privacy Center to remove one of these bogus infections by pressing the 'Enable filter' button, they are notified that they have an out-of-date license, '0% Security' and several 'privacy violations'. They are then directed to pay for licenses for a number of bogus applications. Please see below for examples of dialogs/pages displayed by Win32/PrivacyCenter:
It may also make the following registry modifications to facilitate these displays:
Modified value: "BackupWallpaper"
With data: "%systemroot%\web\wallpaper\bliss.bmp"
In subkey: HKCU\Software\Microsoft\Internet Explorer\Desktop\General
Modified value: "DeskHtmlVersion"
With data: "272"
In subkey: HKCU\Software\Microsoft\Internet Explorer\Desktop\Components
Modified value: "Source"
With data: "about:home"
In subkey: HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0
Modified value: "Type"
With data: "1"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72267F6A-A6F9-11D0-BC94-00C04FB67863}\iexplore
Analysis by Matt McCormack