Windows 7 Forums



Windows 7: Beware of Hicurdismos: A fake Microsoft Security Essentials installer

22 Oct 2016   #1
Brink

64-bit Windows 10 Pro
 
 
Beware of Hicurdismos: A fake Microsoft Security Essentials installer

Quote:
Wouldn’t it be a shame if, in trying to secure your PC, you inadvertently install malware and run the risk of being scammed?

We recently discovered a threat detected as SupportScam:MSIL/Hicurdismos.A that pretends to be a Microsoft Security Essentials installer. Microsoft Security Essentials is our antimalware product for Windows 7 and earlier. In Windows 10 and Windows 8, Windows Defender provides antimalware protection and is installed and enabled by default when Windows is installed. However, some users may believe they also need to download and install Microsoft Security Essentials.

Hicurdismos uses a fake Windows error message (sometimes called a “blue screen of death”, or BSoD) to launch a technical support scam. A real BSoD is a fatal error in which the screen turns blue and the computer crashes. Recovery from a BSoD error typically requires the user to reboot the computer.

The fake BSoD screen includes a note to contact technical support. Calling the indicated support number will not fix the BSoD, but may lead to users being encouraged to download more malware under the guise of support tools or software that is supposed to fix a problem that doesn’t exist.

Interestingly, the fake BSoD screen used by Hicurdismos mimics an error message used in Windows 8 and Windows 10, so users of these new Windows versions could also be at risk of being tricked by Hicurdismos.

The threat of technical support scams has been around for years, but it has recently been observed to be growing. We’ve seen attackers becoming more sophisticated with their social engineering tactics to try to mislead users into calling for technical support, after which they are asked for payment to “fix” a problem on the PC that does not exist. Real error messages from Microsoft do not include support contact details. See the bottom of this blog for links and information on how to contact Microsoft Support.



Figure 1. Hicurdismos displays a fake BSoD message that has contact details for fake support. Note: The real messages do not include support contact details, nor when you call for support are you asked for payment.

Hicurdismos is an installer that arrives via a drive-by download. SmartScreen Filter in Internet Explorer and Microsoft Edge flags this threat using the below prompts cautioning the user to not run or save the malware:

You will not get warnings like these when downloading and installing legitimate programs from Microsoft.

If the malicious installer is downloaded on the computer, it mimics the real Microsoft Security Essentials installer by using a similar icon. However, closer inspection will reveal differences in the file properties, including the filename. Hicurdismos uses the file name setup.exe.



Figure 2. SmartScreen message notifying you about running an executable file that could harm your PC.



Figure 3. SmartScreen message notifying you that the program you are about to run hasn’t been verified, and doing an extra check of whether you’d still run it.



Figure 4. The Hicurdismos installer (right) attempts to mimic the icon of the real Microsoft Security Essentials installer (left), but file properties reveal that it is not the same.

The file setup.exe is a SmartInstaller package, which contains a malicious file that pretends to be Microsoft Security Essentials. Unlike the installer, the malicious file has the same file property information as the legitimate Microsoft Security Essentials executable:



Figure 5. The file property information of Hicurdismos has the same details as Microsoft Security Essentials.

When run, the malware immediately renders the fake BSoD experience. To do so, it performs the following:
  • Hides the mouse cursor (to make the user think the system is not responding)
  • Disables Task Manager (to prevent the user from terminating the process)
  • Displays the BSoD image, which occupies the entire screen (to prevent the user from using the PC)


Figure 6. Disassembly shows how the malware hides the cursor and disables Task Manager



Figure 7. Disassembly shows how the malware displays the fake BSoD

The malware drops a copy of itself in the following path:

%SystemRoot%\bluesquarez llc\sysprotector\microsoft security essentials.exe

It also creates an auto start launch point in the registry:

In subkey: HKEY_USERS\<SID/user>\Software\Microsoft\Windows\CurrentVersion\Run

Sets value: “Sysprotector”

With data: “%SystemRoot%\bluesquarez llc\sysprotector\microsoft security essentials.exe”

Mitigation and Prevention

Hicurdismos misleads users and lures them into calling a number that can lead to a fake technical support scam. Like most social engineering techniques, it can be avoided by knowledge and alertness. Some important things to note:
  • Real error message screens do not include a support phone number, instead they will provide you with an error code and instructions to search for more information.
  • On Windows 10, Windows Defender is built-in, so there is no need to install Microsoft Security Essentials.
  • Microsoft installers are signed by a Microsoft certificate.
If you are infected with this scam, use Windows Defender Offline to scan your PC.



Figure 8. Comparing the real BSoD screen (left) and the fake BSoD (right) side-by-side shows the additional line that contains the fake support contact details

Report the incident to Microsoft and contact your local scam-reporting organization. Organizations for the United States, Canada, United Kingdom, and Australia include:
When you receive a phone call or see a pop-up window on your PC and you are uncertain whether it is from someone at Microsoft, don’t take the risk. Reach out directly to one of our technical support experts dedicated to helping you at the Microsoft Answer Desk.

In case you have already engaged with and paid for fake support:
  • Apply all security updates as soon as they are available. Do a full scan to remove the threat.
  • Change your passwords.
  • Call your credit card provider to reverse the charges, if you have already paid.
  • Monitor anomalous logon activity. Block traffic to services that you would not normally access.
Reference SHA1: e1e78701049a5e883a722a98cdab6198f7bd53a1

Francis Tan Seng and Alden Pornasdoro

MMPC


Source: Beware of Hicurdismos: It's a fake Microsoft Security Essentials installer that can lead to a support call scam Microsoft Malware Protection Center


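The post lists concrete artifacts (the setup.exe installer, the dropped copy under %SystemRoot%, the per-user Run value, the reference SHA1) and notes that genuine Microsoft installers are Authenticode-signed. The following PowerShell is an added example, not code from the MMPC post or from anyone in this thread, that turns those facts into two checks a responder would run on a Windows 7 box: one that inspects a downloaded installer before it is run, and one that hunts for the persistence artifacts afterwards. The post does not say which of the two files the reference SHA1 belongs to, so both are compared against it; it also says Task Manager is "disabled" without saying how, so the DisableTaskMgr policy-value check is an assumption about the usual mechanism, not something the post states.

```powershell
# Added example, not code from the MMPC post or the forum thread.
#   Test-InstallerTrust       : is this "setup.exe" really signed by Microsoft, and
#                               does it match the SHA1 the post published?
#   Find-HicurdismosArtifacts : are the dropped copy and the per-user Run value present?
# Assumption: the DisableTaskMgr policy check is a guess at how Task Manager is
# disabled; the post only says that it is disabled.

$ReferenceSha1 = 'e1e78701049a5e883a722a98cdab6198f7bd53a1'   # "Reference SHA1" from the post
$DropPath      = Join-Path $env:SystemRoot 'bluesquarez llc\sysprotector\microsoft security essentials.exe'
$RunValueName  = 'Sysprotector'

function Test-InstallerTrust {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $sha1 = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash.ToLower()
    $info = (Get-Item -LiteralPath $Path).VersionInfo

    # VersionInfo is reported for reference only: the post notes the inner
    # executable copies MSE's file properties, so CompanyName/FileDescription
    # prove nothing. The Authenticode signature is the check that matters.
    [pscustomobject]@{
        Path              = $Path
        SHA1              = $sha1
        IsKnownSample     = ($sha1 -eq $ReferenceSha1)
        SignatureStatus   = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer            = $sig.SignerCertificate.Subject
        SignedByMicrosoft = ($sig.Status -eq 'Valid' -and
                             $sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
        FileDescription   = $info.FileDescription
        CompanyName       = $info.CompanyName
    }
}

function Find-HicurdismosArtifacts {
    $findings = New-Object System.Collections.Generic.List[string]

    if (Test-Path -LiteralPath $DropPath) {
        $h = (Get-FileHash -LiteralPath $DropPath -Algorithm SHA1).Hash.ToLower()
        $findings.Add("Dropped copy present: $DropPath (SHA1 $h, reference match: $($h -eq $ReferenceSha1))")
    }

    # The post places the launch point under HKEY_USERS\<SID>\...\Run, so walk every
    # loaded user hive instead of only HKCU of the account running this script.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    foreach ($hive in Get-ChildItem -Path HKU:\ -ErrorAction SilentlyContinue) {
        $sid    = $hive.PSChildName
        $runKey = "$($hive.PSPath)\Software\Microsoft\Windows\CurrentVersion\Run"
        if (Test-Path -Path $runKey) {
            $data = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).$RunValueName
            if ($data) { $findings.Add("Run value '$RunValueName' under $sid -> $data") }
        }
        # Assumed mechanism (see header comment): DisableTaskMgr = 1 blocks Task Manager.
        $polKey = "$($hive.PSPath)\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        if (Test-Path -Path $polKey) {
            $dtm = (Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue).DisableTaskMgr
            if ($dtm -eq 1) { $findings.Add("DisableTaskMgr=1 under $sid (Task Manager blocked)") }
        }
    }
    return $findings
}

# Usage (elevated prompt, so every user hive under HKEY_USERS is readable):
# Test-InstallerTrust -Path "$env:USERPROFILE\Downloads\setup.exe" | Format-List
# Find-HicurdismosArtifacts
```

Get-FileHash needs PowerShell 4.0 or later, so a Windows 7 machine must have WMF 4 or 5 installed; Get-AuthenticodeSignature has been available since PowerShell 2.0. The hash comparison only catches the exact sample the post references, which is why the signature check, not the hash or the file properties, is the one to rely on when deciding whether to run a downloaded installer.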
23 Oct 2016   #2
Anak

Microsoft Community Contributor Award Recipient

Win 7 Home Premium 64bit Ver 6.1.7600 Build 7601 - SP1
 
 

Hi Shawn,

Maybe it's my dyslexia kicking in, but isn't the description of the setup installers in Figure 4 backwards? Maybe msft-mmpc transposed the pics or file descriptions?
The castle icons for MSE can be detailed or plain as shown, but the file descriptions under the icons don't seem to match what msft-mmpc is trying to say in the Figure 4 caption.

[Attached image: herki.png]

Shouldn't:
Figure 4. The Hicurdismos installer (left) attempts to mimic the icon of the real Microsoft Security Essentials installer (right), but file properties reveal that it is not the same.

Be:
Figure 4. The Hicurdismos installer (right) attempts to mimic the icon of the real Microsoft Security Essentials installer (left), but file properties reveal that it is not the same.


23 Oct 2016   #3
marsmimar

Microsoft Community Contributor Award Recipient

 
 

My thoughts also, Steve.

23 Oct 2016   #4
Brink

64-bit Windows 10 Pro
 
 

Good catch Steve. It does look like MS made a mistake.
24 Oct 2016   #5
Anak

Microsoft Community Contributor Award Recipient

Win 7 Home Premium 64bit Ver 6.1.7600 Build 7601 - SP1
 
 

Thanks Lee, and Shawn,

I re-checked the TechNet article and see that it and Shawn's post have been corrected.
29 Oct 2016   #6
ThrashZone

Win-7-Pro64bit 7-H-Prem-64bit
 
 

Hi,
I can't believe it, but my mother actually fell for this crap.
Didn't pay, but cripes :/
29 Oct 2016   #7
Anak

Microsoft Community Contributor Award Recipient

Win 7 Home Premium 64bit Ver 6.1.7600 Build 7601 - SP1
 
 

Don't be too hard on Mom; I've been known to download a program from a "trusted" site and install it without looking at the file descriptions. This has taught me a lesson about being more proactive in that respect.
30 Oct 2016   #8
ThrashZone

Win-7-Pro64bit 7-H-Prem-64bit
 
 

Hi,
Yep, she knows now.
At least she did not pay them and the disk wasn't encrypted; it just needed some cleaning with adwcleaner/...
30 Oct 2016   #9
Bertison

Windows 7/64 HPremium.
 
 

Thanks for the heads up, Brink: I have copied & printed it for the family PC users.

I really should visit here more often.