W32/ErrorGuard.A!tr
Analysis
The details for the ErrorGuard downloader are:
Typical Name: setuperrorguard.exe
File Size: 157,745 bytes
The details for the ErrorGuard executable are:
Name: ErrorGuard.exe
Description: Error Guard
Copyright: Copyright 2005. (c) - Error-Guard Inc.
File Version: 2.5.0.0
Product Version: 2.05
Description of malware:
The ErrorGuard program runs under the guise of legitimacy: it is presented as a Windows security scanner and can be downloaded without detection. Once run, it performs a scan of the registry and pops up a window stating that a certain number of "Severe System Threats" were detected, then prompts the user to pay for the program in order to correct the perceived threats. Below this prompt it lists a seemingly random set of (typically) legitimate registry entries. Upon registering the program and clicking the "Repair" button, the program removes those registry entries. In many cases this renders a number of programs, or perhaps the PC itself, inoperable.
A screenshot of the program in action can be seen below:
Upon executing the downloader, the program performs a DNS lookup on www.errorguard.com.
An HTTP connection is then made to www.errorguard.com, and the program downloads several archives necessary for its installation.
It then extracts the retrieved archives to the %windows temp% directory.
A directory is created:
%programs%\Error Guard
Four files are dropped in the newly created directory:
%programs%\Error Guard\Error Guard.url
%programs%\Error Guard\ErrorGuard.exe
%programs%\Error Guard\eula.txt
%programs%\Error Guard\uninst.exe
The following registry keys are added:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Error Guard\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ErrorGuard.exe
The ErrorGuard Start Menu group is also added.
Recommended Action
Ensure that the latest AV signature file is present on your FortiGate or within your FortiClient. Should installation of ErrorGuard occur, uninstall it via the Add/Remove Programs applet in the Windows Control Panel.
Telemetry
Detection Availability
Product | Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |