Another fake Windows Security Center has emerged. Much like versions in the past, on appearance this one is nearly identical to the actual Windows Security Center. And like older versions, it is installed by a trojan and falsely warns the user of non-existent infections (the true infection is the fake Security Center). The infection runs as the process seccenter.exe, which launches the fake security center interface. The malicious file is located at c:\windows\system32\seccenter.exe. A complimentary process runs here: c:\windows\system32\drivers\lssas.exe. The infection alters the registry settings that deal with a variety of critical system settings such as proxy settings: HKCU\Software\Microsoft\windows\CurrentVersion\Int ernet ProxyEnable Settings\ with the ValueData: "0x0".
Here is a frightening article from CA Security Advisor:
The “security center” repeatedly nags the user to download “Windefender 2008” by blocking outgoing Internet connections and opening a security bar like the one below and also by blocking the webpage from loading properly. By limiting the user’s Internet connection to primarily downloading WinDefender 2008 (win-defender(DOT)com/export/shield.php), the user cannot download a legitimate anti-malware product to remove the infection. This is not a new technique – past infections have blocked users from updating their anti-malware products or connecting to legitimate security sites. This infection returns ‘the page cannot be displayed error’ and on that page a link to WinDefender 2008 is also displayed
Full Article/ScreenShots
Here
