AV Security Suite

From Wikipedia, the free encyclopedia
Jump to: navigation, search

AV Security Suite is a piece of scareware and malware, or more specifically a piece of rogue security software, which poses as a pre-installed virus scanner on a victim's computer system. It is currently known to affect only Microsoft Windows systems, though may simply operate under a different name on other platforms to better fit in with their user-interfaces, as its disguise is a key component of its success. In the task manager it appears as a string a random characters that end with "tssd.exe" – an example is yvyvsggtssd.exe. It also can show a random string of characters that end with "shdw.exe".

Methods[edit]

After being installed on a target system, AV Security Suite sends out simulated virus alerts using pop-up windows that open from the rightmost section of the task bar. These notifications appear the same as those used by Windows itself, so can look genuine to a user not familiar with Windows' own style of reporting viruses (Windows Defender). AV Security Suite will show results of a fictitious virus scan,[1] this time using its own name, informing the user that their system is infected by viruses. Using a variety of different messages, some imitating Windows and some under the software's real name, it instructs the user to upgrade to the full version of AV Security Suite to remove the viruses. It then fakes the presence of unspecific viruses by performing actions such as preventing the opening of any programs (including Windows Task Manager)[2] and blocking internet connections. In essence, it renders a system almost useless. Since it is disguised as an anti-virus program, it is not considered to be a virus to any accessible anti-virus or anti-spyware programs.

Infection[edit]

AV Security Suite can infect computers using Adobe flash or other Adobe components found in regular websites, and so does not require voluntary download of software by the user. It has also been known to attack using Java software. There are currently no effective tools available to remove it, though some that claim to be able to do so are questionable in authenticity. Very few virus scanners are capable of detecting and removing the program. Norton and AVG Free Edition have been reported not to detect it. The paid edition of Malwarebytes' Anti-Malware has detected and removed it while the system is in safe mode, however a few months later the messages and program had come up again. While an operating system is infected, the malware will notify the user of infected system files and change the proxy server settings of the user's web browser so that the user will be under the false perception of no longer having Internet access. In addition, two websites that were not manufactured by the company will spontaneously pop up on the user's computer. One of these websites is for the erectile dysfunction drug Viagra, and the other is a pornographic website. Users are advised to dispose of the AV Security Suite virus immediately after their computer becomes infected, as the virus is possibly dangerous for younger users.

Removal[edit]

As the program will stop nearly all processes including shutting your computer down, the simplest removal method is to rebuild your computer from scratch using a previously made backup. The previously recommended method of restarting your computer in SAFE MODE rarely works with the more recent versions of this malware. Attempts to boot into SAFE MODE in newer versions usually result in a blue screen of death. If the user can get into SAFE MODE, they must search through the hidden system files (usually hidden to protect the user from accidentally deleting vital information from the system) and look for the malware manually. It will be disguised under an incoherent-looking string of letters and will not always include tssd.exe at the end.

Another alternative to these methods is to open the task manager immediately after booting the computer system and killing the process ending with "tssd.exe" or "shdw.exe" as soon as it appears under the list. After, one should restart their computer in safe mode and run a virus scanner, which will most likely detect the virus.

Alternatively, computers using multiple boots with a non-Windows operating system, such as most Linux distributions, can also access these files outside of Windows to delete them. Using a linux Live CD such as Ubuntu or Fedora is notably the most successful of these methods, as it can be booted from a CD drive instead of the hard drive.

As recently as October 2013, this virus could be successfully removed by taking a series of steps that while somewhat tedious to perform, did in fact work. The two primary keys to removal are 1) preventing the virus from communicating w/ the outside world by isolating its execution scope to only the infected PC and 2) preventing the virus from starting-up upon PC boot. A Windows 7 infected PC was completely freed/cleared of this virus by taking the following steps:

1. Force a hard shutdown of your infected PC by pressing on the power button for about 5 seconds or worst case, unplugging the power.

2. Prevent the PC from internet access by unplugging any internet cables and/or turning off wireless/WI-FI ability.

3. Start-up the PC - Windows 7 should recognize the previous hard shutdown and ask what you want to do. Select 'Start in Safe Mode with command prompt'. (Previous postings above indicate this "rarely works". That may be true in earlier Windows versions - in this case it worked).

4. At some point your PC should eventually display an old DOS-based Command Prompt window.

5. Type 'msconfig' on the line and hit 'Enter'. 'Normal Startup' will normally be selected. Change this to select 'Selective startup'.

6. Select the 'Startup' tab. You will see a list of programs that get started when your PC boots up. Somewhere in that list of checked items is the virus. In this case it was executing as 'avsecurity.exe' and had a Startup Item/Manufacturer named 'AVAST' or 'OVAST'. Please note that it may also be executing as 'avgsecurity.exe'.

7. Hover your mouse over the Location column. The hard drive location of the virus will appear on the screen. Make a note of its location (in this case it was under 'C:\ProgramData\avsecurity.exe').

8. Still on the 'Startup' tab, uncheck the checkbox under the Startup Item column and hit 'Apply', then 'OK' or 'Cancel'.

9. Now get rid of the virus executable. Type 'explorer' on the command line. This will start Windows File Explorer. Navigate to the hard drive location of the virus as noted in #7 above. Select the virus by clicking ONCE on the file (not TWICE! Double-clicking on the virus will start it up!). Right-click and select 'Delete' or hit your 'Delete' key on the keyboard and delete the virus program.

10. Now get rid of all the remnants of the virus from your registry (this step might actually be optional as the physical program virus has already been deleted from the system). Type 'regedit' on the command line. From the Registry Editor, select 'Edit' from the top menu and then select the 'Find' option. Type in 'InternetSecurity' as the search string. If/when found, some of the listed 'subkeys' should reference 'avsecurity'. The date/time stamp of the registry entry should also coincide with when your PC became infected. If/when found, right-click on the entry and select 'Delete'.

11. REMAIN DISCONNECTED FROM THE INTERNET and reboot your PC doing a "normal"/regular startup.

12. The virus should be gone and your PC should be functioning normally (unless the virus has resided so long on your PC and remained connected to the internet that the AVG Security virus has installed OTHER viruses on your PC).

13. If everything appears to be operating OK, start the Task Manager (right-click on the taskbar at the bottom of the screen or type 'taskmgr' from a Run prompt).

14. Examine running Processes - avsecurity.exe as well as any 'tssd.exe' or 'shdw.exe' programs should not be seen.

15. Reconnect to the internet when ready.

Disclaimer: These steps may not work in all cases! The virus above was stopped (by a hard PC shutdown) and had its internet connection severed within 2 minutes of infection. It had very little time in which to do significant damage.

[3]

Developers[edit]

An analysis of the virus' graphical user interface, actions (dropping malware which attempts to send users to the same exact adult websites), and method of infection reveals it is likely that this piece of malware was developed, or at least inspired by, the same group which developed the fraudulent Antivirus System PRO, Antispyware Soft, Antivirus Center, and Antivirus Live, along with a number of other rogue antivirus applications. The claim on AV Security Suite's website, however, states that the developers of the program are based in London.

References[edit]

  1. ^ BleepingComputer - AV Security Suite
  2. ^ Virus Removal Guru - AV Security Suite
  3. ^ Posted as expert in IBM mainframe and Windows PC software development and architecture and personal recent experience with this virus and its successful removal.