*Sypmtom of Infection*

[Hoax.UltimateDefender] overwrites beep.sys(Windows driver file) for inducing installation of UltimateDefender(Adware.UltimateDefender.R) and it is executed by injecting to System process. Regularly it popups a fake infection warning message.

[PIC 1] Fake infection warning message

[PIC 2] Below page could be showed by clicking warning message.

Also, it makes hard to search/delete malicious code files by working itself as RootKit and Hidden Process.

[PIC 3] NtQuerySystemInformation Hooking

It modifies Internet Explorer default search URL to http://www.google.com/, and start page to http://www.google.com/ie.

*Related Malicious Codes*

Adware.UltimateDefender.R
Backdoor.Win32.Small.6144.C
Hoax.UltimateDefender.58880
Hoax.UltimateDefender.16384
Hoax.UltimateDefender.34304
Adware.Agent.6656

*Related URL*

hxxp://www.(...)search.net/
hxxp://www.(...)cashier.com/

*FIle*

[Hoax.UltimateDefender] creates files like below.

(Malicious code execute location)\delself.bat
(System Folder)\dllcache\beep.sys (Hoax.UltimateDefender.34304)
(System Folder)\braviax.exe (Hoax.UltimateDefender.16384)
(System Folder)\cru629.dat (Backdoor.Win32.Small.6144.C)
(System Folder)\users32.dat (Adware.Agent.6656)
(System Folder)\winivstr.exe
(Windows Folder)\braviax.exe (Hoax.UltimateDefender.16384)
(Windows Folder)\cru629.dat (Backdoor.Win32.Small.6144.C)

*Registry*

[Hoax.UltimateDefender] modifies registries like below.

> Before modification, registry value could be different by user's settings. Please be careful on manual recovery. <

[Before]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL:
"http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
[After]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL:
"http://www.google.com/ie"

[Before]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page:
"http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
[After]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page:
"http://www.google.com"

[Before]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page:
"http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home"
[After]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page:
"http://www.google.com"

[Before]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant:
"http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
[After]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant:
"http://www.google.com"

[Before]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs:
""
[After]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs:
63 72 75 36 32 39 2E 64 61 74

*Notation*

"(All Users Account Folder)" could be different by users' settings, and generally this is "C:\Documents and Settings\(All Users Account)".

"(Desktop Folder)" could be different by OS, and generally this is "C:\Documents and Settings\(User Account)\Desktop".

"(Quick Launch Folder)" could be different by OS(or User), and generally this is "C:\Documents and Settings\(User Account)\Application Data\Microsoft\Internet Explorer\Quick Launch".

"(Temp Folder)" could be different by OS, and generally this is "C:\Documents and Settings\(User Account)\Local Settings\Temp".

"(Programs Folder)" could be different by OS, and generally this is "C:\Program File".

"(Windows Folder)" could be different by OS, and generally this is "C:\Windows".

"(System Folder)" could be different by OS, and generally this is "C:\Windows\System32".