W32/ErrorGuard.A!tr

description-logoAnalysis

The details for the ErrorGuard downloader are:
Typical Name: setuperrorguard.exe
File Size: 157,745
The details for the ErrorGuard executable are:
Name: ErrorGuard.exe
Description: Error Guard
Copyright: Copyright 2005. (c) - Error-Guard Inc.
File Version: 2.5.0.0
Product Version: 2.05
Description of malware:

The ErrorGuard program appears to run under the guise of legitimacy. The program is represented to be a Windows Security scanner. This program however can be downloaded without detection. It will then perform a scan of the registry, and pop up a window stating that a certain amount of "Severe System Threats" were detected. It will then prompt the user to pay for the program to correct the perceived threats. Below this a seemingly random list of (typically) legitimate registry entries are listed. Upon registering the program and clicking the "Repair" button the program will removed the register entries. Under many circumstances many programs, or perhaps even the PC itself will be rendered inoperable.
A screenshot of the program in action can be seen below:

The installation procedure is as below:
  • Upon executing the downloader the program performs a DNS lookup on www.errorguard.com.

  • An HTTP connection is then made to www.errorguard.com. The program then downloads several archives necessary for its installation.

  • It then extracts the retrieved archives to the undefinedwindows tempundefined directory.

  • A directory is created:
    undefinedprogramsundefined\Error Guard

  • Four files are dropped in the newly created directory:
    undefinedprogramsundefined\Error Guard\Error Guard.url
    undefinedprogramsundefined\Error Guard\ErrorGuard.exe
    undefinedprogramsundefined\Error Guard\eula.txt
    undefinedprogramsundefined\Error Guard\uninst.exe

  • The following are registry keys added:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Error Guard\
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ErrorGuard.exe

  • The ErrorGuard Start Menu group is also added.

recommended-action-logoRecommended Action

Insure that the latest AV signature file is present on your Fortigate or within your FortiClient. Should installation of ErrorGuard occur, be sure to uninstall it via the Add/Remove Programs applet within the Windows Control Panel.

Telemetry logoTelemetry

Detection Availability

FortiClient
Extreme
FortiMail
Extreme
FortiSandbox
Extreme
FortiWeb
Extreme
Web Application Firewall
Extreme
FortiIsolator
Extreme
FortiDeceptor
Extreme
FortiEDR