Behavior
SecurityRisk.SexxPass is a security risk that adds certain domains to the Trusted sites zone in Internet Explorer. Because Internet Explorer applies weaker security settings to that zone, downloads from those domains can proceed automatically, without the prompts that would otherwise ask for explicit user consent.
Symptoms
Your Symantec program detects SecurityRisk.SexxPass.
Transmission
This security risk must be manually installed or may be installed as a component of another program.
Technical Details
File names: MBSInstallerAXC.ocx; winsysmon32.exe; winregmon32.exe
When SecurityRisk.SexxPass is executed, it performs the following actions:
1. Adds the value:
"winsys32mon" = "%System%\winsysmon32.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the risk runs every time Windows starts.
Note: The threat will recreate this registry entry if it is deleted.
2. Creates the following files:
* %UserProfile%\Desktop\SexxxPassport Members.lnk
* %Windir%\Downloaded Program Files\MBSInstallerAXC.ocx
* %System%\icon_mb014.ico
* %System%\icon_mb014.ico.bak0
* %System%\SexxxPassport10.ico
* %System%\winregmon32.exe
* %System%\winsysmon32.exe
Notes:
* %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
* %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] (Windows NT/2000/XP).
3. Creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03BEED0D-08D3-4F8A-B1FC-1125FD9CA2CA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0AC31BDF-3BEF-40FD-B465-706C97AF54CC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{128C578A-5E8D-4C8E-900B-235E490D3FA9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{48C41D21-723A-4B41-A869-6C84326E219C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C554BC41-3CBC-4074-AC8B-B2C0E4C04C06}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UBSInstallerProj1.UBSInstaller
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MBSInstallerAXC.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{0AC31BDF-3BEF-40FD-B465-706C97AF54CC}
4. Restarts any of the following processes, if they are ended:
* winregmon32.exe
* winsysmon32.exe
5. Creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mbsvalid1.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mbsvalid2.com
which place the specified domains in the Internet Explorer Trusted sites zone, so that files can be downloaded from them without user consent.
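The following read-only triage script is an added example and is not part of the Symantec writeup or its removal instructions. It checks a host for the artifacts listed in steps 1 through 5 above: the Run value, the dropped files, the two CLSID registrations, the two watchdog processes, and the ZoneMap entries. The ZoneMap check is deliberately general: under each ZoneMap\Domains\<domain> subkey Internet Explorer stores one DWORD per URL scheme ("http", "https" or "*") whose data is the zone number, and 2 is Trusted sites, so the script reports every domain any software has placed in that zone, not only mbsvalid1.com and mbsvalid2.com. The function names, the output format, and the decision to read HKCU as well as the HKLM path named in the writeup are my own assumptions.

```powershell
# Added triage script (not from the Symantec writeup). It only reads; it removes nothing.
# Indicator values below are taken from the writeup; helper names and output format are assumptions.

$RunKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValue    = 'winsys32mon'
$ZoneMapKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'  # assumption: also check the per-user map
)
$Clsids = @('{03BEED0D-08D3-4F8A-B1FC-1125FD9CA2CA}', '{0AC31BDF-3BEF-40FD-B465-706C97AF54CC}')
$Files  = @(
    (Join-Path $env:SystemRoot 'System32\winsysmon32.exe'),
    (Join-Path $env:SystemRoot 'System32\winregmon32.exe'),
    (Join-Path $env:SystemRoot 'Downloaded Program Files\MBSInstallerAXC.ocx')
)

function Get-TrustedSiteEntries {
    # ZoneMap\Domains\<domain>[\<subdomain>] holds one DWORD per URL scheme
    # ('http', 'https' or '*'); the data is the zone number, and 2 means Trusted sites.
    foreach ($root in $ZoneMapKeys) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -Recurse) {
            foreach ($scheme in $key.GetValueNames()) {
                if ($key.GetValue($scheme) -eq 2) {
                    [pscustomobject]@{
                        Hive   = ($key.Name -split '\\')[0]
                        Domain = $key.Name -replace '^.*\\ZoneMap\\Domains\\', ''
                        Scheme = $scheme
                    }
                }
            }
        }
    }
}

function Get-SexxPassIndicators {
    $hits = @()

    # Step 1: the Run value that restarts the risk at logon.
    $run = Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
    if ($run) { $hits += "Run value '$RunValue' = '$($run.$RunValue)'" }

    # Step 2: dropped executables and the ActiveX control.
    foreach ($f in $Files) {
        if (Test-Path -LiteralPath $f) { $hits += "File present: $f" }
    }

    # Step 3: COM registrations of the installer control.
    foreach ($c in $Clsids) {
        if (Test-Path -Path "HKLM:\SOFTWARE\Classes\CLSID\$c") { $hits += "CLSID registered: $c" }
    }

    # Step 4: the two processes that restart each other if one is ended.
    foreach ($p in Get-Process -Name winsysmon32, winregmon32 -ErrorAction SilentlyContinue) {
        $hits += "Running: $($p.ProcessName) (PID $($p.Id))"
    }

    # Step 5: every domain currently mapped to the Trusted sites zone.
    foreach ($z in Get-TrustedSiteEntries) {
        $hits += "Trusted sites entry: $($z.Domain) [$($z.Scheme)] in $($z.Hive)"
    }

    $hits
}

Get-SexxPassIndicators
```

Run the script from an elevated PowerShell session, since HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and the HKLM ZoneMap keys are readable by standard users but any follow-up cleanup is not. When interpreting the output, remember the behaviour in the Note under step 1 and in step 4: the Run value is recreated if deleted and each of the two processes is restarted if ended, so a Run value that reappears after removal is not a failed deletion but a sign that winsysmon32.exe or winregmon32.exe is still running. Any Trusted sites domain the script reports that you do not recognise deserves the same scrutiny as the two named here.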
Removal Instructions
See:
http://securityresponse.symantec.com/avcenter/venc/data/securityrisk.sexxpass.html