Other payloads of Active Security include the following:
It modifies the Windows Registry and adds the following entries:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “ActiveSecurity.exe”
- HKEY_CURRENT_USER\Software\Active Security
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Active Security
- HKEY_LOCAL_MACHINE\SOFTWARE\Active Security
The threat drops the following malicious files:
- %Documents and Settings%\All Users\Start Menu\Programs\Active Security
- %Documents and Settings%\All Users\Application Data\Active Security
- %User Profile%\Local Settings\Temp
- %Program Files%\Active Security
- %Program Files%\Active Security\ActiveSecurity.exe
- %Program Files%\LabelCommand
- %System Root%\Samples
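
The PowerShell script below is an added example, not part of the original write-up: a read-only check that reports which of the registry entries and paths listed above are present on a machine. It assumes the %...% placeholders correspond to the ALLUSERSPROFILE, ProgramFiles and SystemRoot environment variables, and it writes the registry paths with the standard CurrentVersion key name.

```powershell
# Added example (read-only). Assumption: %...% placeholders map to the env vars below.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$registryKeys = @(
    'HKCU:\Software\Active Security',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Active Security',
    'HKLM:\SOFTWARE\Active Security'
)
# %User Profile%\Local Settings\Temp is omitted: the folder exists on every
# system and the page names no specific file inside it.
$paths = @(
    (Join-Path $env:ALLUSERSPROFILE 'Start Menu\Programs\Active Security'),
    (Join-Path $env:ALLUSERSPROFILE 'Application Data\Active Security'),
    (Join-Path $env:ProgramFiles 'Active Security'),
    (Join-Path $env:ProgramFiles 'Active Security\ActiveSecurity.exe'),
    (Join-Path $env:ProgramFiles 'LabelCommand'),
    (Join-Path $env:SystemRoot 'Samples')
)
$findings = @()
# Autostart entry: match the value name or its data against ActiveSecurity.exe.
$metadata = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($metadata -contains $prop.Name) { continue }  # skip provider metadata
        if ("$($prop.Name) $($prop.Value)" -match 'ActiveSecurity\.exe') {
            $findings += New-Object PSObject -Property @{
                Type = 'Run value'; Location = $runKey
                Detail = "$($prop.Name) = $($prop.Value)" }
        }
    }
}
# Registry keys and file-system paths: report each one that exists.
foreach ($key in $registryKeys) {
    if (Test-Path -LiteralPath $key) {
        $findings += New-Object PSObject -Property @{
            Type = 'Registry key'; Location = $key; Detail = 'present' }
    }
}
foreach ($path in $paths) {
    if (Test-Path -LiteralPath $path) {
        $findings += New-Object PSObject -Property @{
            Type = 'File or folder'; Location = $path; Detail = 'present' }
    }
}
if ($findings.Count -eq 0) {
    'No listed indicators found.'
} else {
    $findings | Format-Table Type, Location, Detail -AutoSize -Wrap
}
```

On 64-bit Windows, 32-bit software is redirected to HKLM\SOFTWARE\WOW6432Node and to Program Files (x86); the script does not check those locations.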


