" />

Tech Geek and More

Technology Explained for All


Alert: Another Fake Anti-Virus program

If anything can get under my skin, this will do it. It seems we have another “Anti-Virus” program out there whose only goal is to scare the user (who probably doesn’t know any better) into believing that the “sky is falling”, and then require them to give up their credit card number in order not to get hit with the “falling sky”. I have had to spend a lot of my time this past week cleaning this one up because a couple of clients didn’t know any better. There have been numerous versions of this malware scam over the past few years; some examples are:

A

* Ad-Protect
* AlfaCleaner
* Antispyware Soldier
* Anti-virus 2008
* Anti-Virus 2009
* AntiVermins
* AntiVirGear
* AntivirusGold

B

* BraveSentry
* BreakSpyware

C

* CmdService
* ContraVirus

D

* DeluxeCommunications
* Dr. AntiSpy

E

* ErrorSafe

M

* MalwareWipe
* MrAntispy
* Mirar
* Movieland
* MySpyProtector

P

* PestCapture
* Pest Trap
* Popcorn.net
* PSGuard

S

* Seekmo
* Smitfraud
* SpyAxe
* SpyCrush
* SpyDawn
* SpyFalcon
* SpyHeal
* SpyLocked
* SpyLocker
* SpyMarshal
* SpySheriff
* SpyShield
* SpySoldier
* SpywareKnight
* SpywareLocked
* SpywareQuake
* SpywareStrike
* Starware
* SystemDoctor

T

* Toolbar888

U

* UnSpyPC

V

* VirusBlast
* VirusBurst
* VirusBurster
* VirusRay
* VirusRescue

W

* Winfixer

Z

* Zango Search
* Zlob

Now joining the list of rogue anti-virus programs is SaveSoldier. Here is information on the malware from the Panda Security website (http://www.pandasecurity.com/homeusers/security-info/212755/SaveSoldier).

Effects

SaveSoldier is an adware program that carries out the following actions:

  • It reaches the computer downloaded from the following website:
  • When the file is run, it is installed in the affected computer and starts scanning the system in search for possible malware.
  • Once ended, it displays a warning message like the following, informing users that their computer is infected:
  • If the button "Remind me later" is clicked, the interface of the program is displayed, which is like the following image:
  • If users decide to follow the program’s instructions and remove the threats, the program will require a registration code:
  • This code is obtained after purchasing the antivirus solution. Therefore, the user will be redirected to a website where it can be purchased:
  • On the other hand, if users do not follow the program’s recommendations, it will display warning messages like the following to make them think their computer is infected:


Infection strategy

SaveSoldier creates a directory called SaveSoldier in the folder SaveSoldier Software (created by itself) of the Program Files directory and a group of programs with the same name in the Start menu.

SaveSoldier creates the following files in the folder SaveSoldier Software\SaveSoldier of the Program Files directory:

  • SAVESOLDIER.EXE, which is a copy of itself.
  • SAVESOLDIERSVC.EXE
  • UNINSTALL.EXE

SaveSoldier creates the following entries in the Windows Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    SaveSoldier = C:\Program Files\SaveSoldier Software\SaveSoldier\SaveSoldier.exe – min
    By creating this entry, SaveSoldier ensures that it is run whenever Windows is started.
  • HKEY_LOCAL_MACHINE\SOFTWARE\SaveSoldier
    Install_Dir = C:\Program Files\SaveSoldier Software\SaveSoldier
    By creating this entry, SaveSoldier creates a new directory.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveSoldier
    DisplayName = SaveSoldier
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveSoldier
    UninstallString = C:\Program Files\SaveSoldier Software\SaveSoldier\uninstall.exe
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAVESOLDIERSVC\0000
    Class = LegacyDriver
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAVESOLDIERSVC\0000
    ClassGUID = {8ECC055D-047F-11D1-A537-0000F8753ED1}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAVESOLDIERSVC\0000
    DeviceDesc = SaveSoldier Security Service
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAVESOLDIERSVC\0000
    Service = SaveSoldierSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAVESOLDIERSVC\0000\Control
    ActiveService = SaveSoldierSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SaveSoldierSvc
    DisplayName = SaveSoldier Security Service
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SaveSoldierSvc
    ImagePath = C:\Program Files\SaveSoldier Software\SaveSoldier\SaveSoldierSvc.exe
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SaveSoldierSvc\Enum
    0 = Root\LEGACY_SAVESOLDIERSVC\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SaveSoldierSvc
    Start
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SaveSoldierSvc\Security
    Security
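The file and registry artefacts listed above are what a technician actually looks for when cleaning a machine. As an added example (not part of the original post or of Panda's write-up), here is a read-only PowerShell check for those indicators; the paths and names come from the list, while the function name, the output object and the extra CurrentControlSet and Wow6432Node lookups are my own assumptions.

```powershell
# Added example: report-only check for the SaveSoldier artefacts listed above.
# Run from an elevated prompt; nothing is deleted or changed.
function Test-SaveSoldierArtifacts {
    [CmdletBinding()]
    param(
        # Install root exactly as stated in the post (override on 64-bit systems
        # where the rogue may land under "Program Files (x86)").
        [string]$InstallDir = 'C:\Program Files\SaveSoldier Software\SaveSoldier'
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. The three files the post says are dropped into the install directory.
    foreach ($f in 'SaveSoldier.exe', 'SaveSoldierSvc.exe', 'uninstall.exe') {
        $p = Join-Path $InstallDir $f
        if (Test-Path -LiteralPath $p) { $findings.Add("File present: $p") }
    }

    # 2. Per-user autorun: HKCU\...\Run value named SaveSoldier.
    $run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['SaveSoldier']) {
        $findings.Add("Run value: SaveSoldier = $($run.SaveSoldier)")
    }

    # 3. Install, uninstall and service keys. The post lists ControlSet001; the
    #    live hive is CurrentControlSet, and 32-bit software on 64-bit Windows is
    #    redirected to Wow6432Node, so all of those are checked (assumption).
    $keys = @(
        'HKLM:\SOFTWARE\SaveSoldier',
        'HKLM:\SOFTWARE\Wow6432Node\SaveSoldier',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveSoldier',
        'HKLM:\SYSTEM\ControlSet001\Services\SaveSoldierSvc',
        'HKLM:\SYSTEM\CurrentControlSet\Services\SaveSoldierSvc',
        'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SAVESOLDIERSVC'
    )
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { $findings.Add("Registry key present: $k") }
    }

    # 4. Is the "SaveSoldier Security Service" registered with the SCM right now?
    $svc = Get-Service -Name 'SaveSoldierSvc' -ErrorAction SilentlyContinue
    if ($svc) { $findings.Add("Service SaveSoldierSvc registered, status: $($svc.Status)") }

    # 5. Return a summary object so the result can be logged or piped elsewhere.
    [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        Infected = ($findings.Count -gt 0)
        Findings = $findings.ToArray()
    }
}

Test-SaveSoldierArtifacts | Format-List
```

A clean machine reports Infected = False with an empty Findings list; any hit is a cue to disable the service and Run value before removing the files, since the service will otherwise recreate the warning pop-ups.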


Means of transmission

SaveSoldier can be voluntarily downloaded from the website belonging to the company that has developed it.


Further Details

SaveSoldier is 712,704 bytes in size.

As additional information, a website that promotes another fake antivirus has been detected. In this case, it is called TrustNinja. The interesting thing is that both the format and content of this website are the same as those of the SaveSoldier website. Only the references to SaveSoldier have been replaced with TrustNinja.

The file downloaded from this website is called TRUSTNINJA.EXE and once run, a program with the same interface and functions as SaveSoldier is installed on the computer. Even the fake results displayed when the scan is finished are the same. The only thing that changes is the name of the program.

As always, the first line of defense is to not click on every pop-up that you see without reading it first. Additionally, if you’re not sure what the message or the pop-up is for, it’s always better to click “Deny” or “No”, or at least take the time to run a quick search on Bing or Google for the name shown in the pop-up. There are many sites out there that will tell you what the pop-up is and whether it is safe.
