

VIRUS ALERTS

Malicious Program: W32/Antivirusxp

Original issue date: September 03, 2008

It has been observed that Program:Win32/Antivirus2008 is circulating widely. It is a rogue security program that displays fake warning messages indicating that "spyware or malware has been detected on the machine" in order to convince users to purchase rogue security software.

This program is detected as Trojan Generic FakeAlert.a / AntiVirus2008.

Aliases:

Trojan.FakeAV.Winfixer (Clam AV)
Win32/Adware.WinFixer (ESET)
Generic FakeAlert.a (McAfee)
W32/WinFixer.BTB (Norman)
Troj/FakeAV-AB (Sophos)
AntiVirus2008 (Symantec)
Antivirus XP 2008 (other)

It may be dropped by other malware (Trojan:Win32/Renos) or downloaded from remote sites. In the former case the Trojan contacts one of the domains antivirusxp-2008 DOT net, antivirusxp08 DOT net, avxp08 DOT net or avxp-2008 DOT net and downloads the malware.

For example:

http://antivirusxp-2008.net/*/*/047ec50c-d8cb-4049-8813-d8d27517979f.gif

The malware is appended in encrypted form to the end of the downloaded GIF image; the Trojan downloader decrypts it, saves it to the temp folder and executes it.

Program:Win32/Antivirusxp drops another file with a random name which displays a false alert that the system is infected. The alert also promotes the rogue scanner as the way to remove the fictional threats. The user may then be asked, via a dialog window, to purchase the rogue security software.

The activities of W32/Antivirusxp upon execution:
  • Creates the following directories
    • %APPDATA%\<random folder name>, for example %APPDATA%\rhcjdvj0e163
    • %APPDATA%\rhcjdvj0e163\quarantine\browserobjects
    • %APPDATA%\rhcjdvj0e163\quarantine\packages
    • %APPDATA%\rhcjdvj0e163\quarantine\autorun\hkcu\runonce
    • %APPDATA%\rhcjdvj0e163\quarantine\autorun\hklm\runonce
    • %APPDATA%\rhcjdvj0e163\quarantine\autorun\startmenuallusers
    • %APPDATA%\rhcjdvj0e163\quarantine\autorun\startmenucurrentuser
    • %ProgramFiles%\rhcjdvj0e163
    • %USERPROFILE%\Start Menu\Programs\Antivirus xp 2008

  • Drops the following files
    • %ProgramFiles%\rhcjdvj0e163\<random file name>.exe, for example "rhcjdvj0e163.exe"
    • %ProgramFiles%\rhcjdvj0e163\uninstall.exe
    • %USERPROFILE%\Start Menu\Programs\Antivirus xp 2008\register antivirus xp 2008.lnk
    • %USERPROFILE%\Start Menu\Programs\Antivirus xp 2008\how to register antivirus xp 2008.lnk
    • %USERPROFILE%\Start Menu\Programs\Antivirus xp 2008\antivirus xp 2008.lnk
    • %USERPROFILE%\Start Menu\Programs\Antivirus xp 2008\uninstall.lnk

  • Adds the following registry entries
    • HKLM\Software\rhcjdvj0e163
      RegistrationUrl="<rogue scanner domain.com/buy>"
      LastTimeStamp="÷"
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
      SMrhcjdvj0e163="%ProgramFiles%\rhcjdvj0e163\rhcjdvj0e163.exe"
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\rhcjdvj0e163
      DisplayName="antivirxp08"
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
      AntivirXP08="antivirxp08"

  • Modifies the following registry values
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
      NoDispScrSavPage=1, to hide the Screen Saver tab in Control Panel
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
      NoDispBackgroundPage=1, to remove the Background tab from the Display applet in Control Panel

  • Creates a system-tray icon.

  • Creates an application shortcut named Antivirus XP 2008 on the desktop.

  • Shows random and frequent false threat alerts from the system tray as pop-up balloons.

  • Displays further alert messages when the program is run or an alert is clicked.

  • If the user proceeds with removal, a "registration" window is presented.

  • Win32/Antivirusxp may display an imitation "Security Center".

  • Some variants
    • try to connect to a remote server on port 443
    • create new processes such as bEvtSvc.exe, lphc35dj0erc1.exe and blphc35dj0erc1.scr
    • create mutex objects to mark their presence on the system
    • create new system services

Removal

  • Temporarily disable System Restore.
  • Update the virus definitions.
  • Reboot the computer in Safe Mode.
  • Run a full system scan and clean/delete all infected file(s).
  • Delete/modify any values added to the registry.
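As an added example, not code from the CERT-In alert: a PowerShell check for the indicators listed above, with optional removal of the registry entries as the last removal step describes. The SM<random> value-name pattern and the %APPDATA%\<random>\quarantine check are assumptions generalised from the example names in this alert.

```powershell
# Added example (not CERT-In's code): looks for the Antivirus XP 2008 indicators
# this alert lists. Run elevated. Report-only unless -Remediate is given;
# supports -WhatIf. Files are left to the full AV scan in the removal steps.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remediate)
$hits = New-Object System.Collections.Generic.List[object]
function Add-Hit($Type, $Path, $Name, $Value) {
    $script:hits.Add([pscustomobject]@{ Type = $Type; Path = $Path; Name = $Name; Value = $Value })
}
# Run value "SM<random>" pointing at %ProgramFiles%\<random>\<random>.exe
# (name pattern assumed from the example rhcjdvj0e163 in the alert)
$run = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($p in (Get-ItemProperty -Path $run -ErrorAction SilentlyContinue).PSObject.Properties) {
    if ($p.Name -match '^SM([a-z0-9]{8,})$') {
        $rnd = [regex]::Escape($Matches[1])
        if ($p.Value -match "\\$rnd\\$rnd\.exe") { Add-Hit 'RunValue' $run $p.Name $p.Value }
    }
}

# Uninstall key whose DisplayName is the rogue's product name
$unin = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
foreach ($k in (Get-ChildItem -Path $unin -ErrorAction SilentlyContinue)) {
    $dn = (Get-ItemProperty -Path $k.PSPath).DisplayName
    if ($dn -match '^(antivirxp08|antivirus xp 2008)$') { Add-Hit 'UninstallKey' $k.PSPath '' $dn }
}

# Post Platform value and the two display-policy values named in the alert.
# The policy values can also come from legitimate GPO; confirm before removing.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform'; Name = 'AntivirXP08' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoDispScrSavPage' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'NoDispBackgroundPage' }
)
foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { Add-Hit 'RegValue' $c.Path $c.Name $item.($c.Name) }
}
# %APPDATA%\<random>\quarantine\browserobjects directory tree
foreach ($d in (Get-ChildItem -Path $env:APPDATA -Directory -ErrorAction SilentlyContinue)) {
    if (Test-Path (Join-Path $d.FullName 'quarantine\browserobjects')) { Add-Hit 'Directory' $d.FullName '' '' }
}

$hits | Format-Table -AutoSize
if (-not $Remediate) { return }
foreach ($h in ($hits | Where-Object { $_.Type -ne 'Directory' })) {
    $target = if ($h.Name) { "$($h.Path)\$($h.Name)" } else { $h.Path }
    if (-not $PSCmdlet.ShouldProcess($target, 'Remove')) { continue }
    if ($h.Name) { Remove-ItemProperty -Path $h.Path -Name $h.Name } else { Remove-Item -Path $h.Path -Recurse }
}
```

Run it first without -Remediate (or with -Remediate -WhatIf) to review the findings before anything is deleted.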

In view of the rapid propagation of Program:Win32/AntivirusXP, users are advised to implement the following countermeasures:

  • Exercise caution while opening e-mail attachments received from unknown sources.
  • Keep up-to-date patches and fixes on the operating system and application software.
  • Keep up-to-date antivirus and antispyware signatures.


Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003