
Trojan:Win32/Antivirusxp


First posted on 03 May 2016.
Source: Microsoft

Aliases :

There are no other names known for Trojan:Win32/Antivirusxp.

Explanation :

Win32/Antivirusxp is a rogue security program that displays misleading alerts regarding computer problems or falsely reports detections of malicious files on the affected machine in order to convince users to purchase rogue security software.

Installation

The program can be installed from the developer's Web site or by social engineering from third party Web sites. During installation, Win32/Antivirusxp creates the following folders:

  • %APPDATA%\<random name>, for example %APPDATA%\rhcjdvj0e163
  • %APPDATA%\rhcjdvj0e163\quarantine\browserobjects
  • %APPDATA%\rhcjdvj0e163\quarantine\packages
  • %APPDATA%\rhcjdvj0e163\quarantine\autorun\hkcu\runonce
  • %APPDATA%\rhcjdvj0e163\quarantine\autorun\hklm\runonce
  • %APPDATA%\rhcjdvj0e163\quarantine\autorun\startmenuallusers
  • %APPDATA%\rhcjdvj0e163\quarantine\autorun\startmenucurrentuser
  • %ProgramFiles%\rhcjdvj0e163
  • %USERPROFILE%\Start Menu\Programs\Antivirus xp 2008
The installer may create the following files:
  • %ProgramFiles%\rhcjdvj0e163\<random name>.exe, for example "rhcjdvj0e163.exe"
  • %ProgramFiles%\rhcjdvj0e163\uninstall.exe
  • %USERPROFILE%\Start Menu\Programs\Antivirus xp 2008\register antivirus xp 2008.lnk
  • %USERPROFILE%\Start Menu\Programs\Antivirus xp 2008\how to register antivirus xp 2008.lnk
  • %USERPROFILE%\Start Menu\Programs\Antivirus xp 2008\antivirus xp 2008.lnk
  • %USERPROFILE%\Start Menu\Programs\Antivirus xp 2008\uninstall.lnk
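Because the folder name under %APPDATA% is random, a file-system check should key on the fixed "quarantine" subtree listed above rather than on the name. The following Python script is an added triage example, not part of the original page or of Microsoft's analysis: it walks a profile folder and reports any direct subfolder that contains that layout. The file name antivirusxp_fs.py, the optional folder-name pattern, and the fake profile that build_sample_profile() creates are assumptions and constructed demo data; on a real case you would point it at the suspect user's Roaming AppData directory (or the same path on a mounted disk image).

```python
"""Added triage example (not from the original page or from Microsoft): walk a profile
folder and flag the Win32/Antivirusxp install layout listed above. The rogue names its
folder randomly (rhcjdvj0e163 in the sample), so the stable indicator is the fixed
'quarantine' tree underneath it, not the name. The name pattern and the sample profile
built by build_sample_profile() are assumptions / constructed data for this demo.
Usage on a suspect profile: python antivirusxp_fs.py "C:\\Users\\bob\\AppData\\Roaming"
"""
import os
import re
import sys
import tempfile

# Subfolders the page lists under %APPDATA%\<random>\quarantine.
QUARANTINE_LAYOUT = (
    os.path.join("quarantine", "browserobjects"),
    os.path.join("quarantine", "packages"),
    os.path.join("quarantine", "autorun", "hkcu", "runonce"),
    os.path.join("quarantine", "autorun", "hklm", "runonce"),
    os.path.join("quarantine", "autorun", "startmenuallusers"),
    os.path.join("quarantine", "autorun", "startmenucurrentuser"),
)

# The sample folder name is 12 lowercase alphanumerics; the page only says "random",
# so this pattern is an assumption, offered as an optional noise filter.
RANDOM_NAME = re.compile(r"^[a-z0-9]{8,16}$")


def find_quarantine_trees(appdata_root, min_match=len(QUARANTINE_LAYOUT),
                          require_random_name=False):
    """Return [(folder, matched_count)] for direct subfolders of appdata_root that
    contain at least min_match of the layout directories.

    Matching on structure means a partially cleaned install (some subfolders already
    deleted) is missed at the default threshold; lower min_match to widen the net at
    the cost of false positives from other software that keeps a 'quarantine' dir.
    """
    hits = []
    try:
        entries = sorted(os.listdir(appdata_root))
    except OSError:  # missing or unreadable root: nothing to report
        return hits
    for name in entries:
        candidate = os.path.join(appdata_root, name)
        if not os.path.isdir(candidate):
            continue
        if require_random_name and not RANDOM_NAME.match(name):
            continue
        matched = sum(os.path.isdir(os.path.join(candidate, sub)) for sub in QUARANTINE_LAYOUT)
        if matched >= min_match:
            hits.append((candidate, matched))
    return hits


def build_sample_profile():
    """Construct a throw-away fake %APPDATA% (constructed demo data, not a real sample):
    one folder with the full rogue layout, one benign app that also keeps a 'quarantine'
    subfolder, and an unrelated folder."""
    root = tempfile.mkdtemp(prefix="appdata_")
    for sub in QUARANTINE_LAYOUT:
        os.makedirs(os.path.join(root, "rhcjdvj0e163", sub))
    os.makedirs(os.path.join(root, "SomeMailClient", "quarantine", "packages"))
    os.makedirs(os.path.join(root, "Microsoft", "Windows"))
    return root


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_profile()
    for folder, matched in find_quarantine_trees(root):
        print(f"possible Win32/Antivirusxp install: {folder} "
              f"({matched}/{len(QUARANTINE_LAYOUT)} layout directories present)")
```

With no argument the script builds the fake profile and reports only the rhcjdvj0e163 folder; the benign mail client folder, which has one of the six directories, is reported only if min_match is lowered. Pair this with the matching %ProgramFiles% folder and Start Menu group listed above before drawing a conclusion.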
The main executable for Win32/Antivirusxp drops another file with a random name which displays a false alert that the system is infected. The alert also promotes the rogue scanner to remove the fictional threats. The registry is modified with the addition of numerous values and data. The subkeys or data values listed below as "rhcjdvj0e163" are randomly generated and may differ from installation to installation.

  • Adds value: "RegistrationUrl"
    With data: ""
    To subkey: HKLM\Software\rhcjdvj0e163
  • Adds value: "SMrhcjdvj0e163"
    With data: "%ProgramFiles%\rhcjdvj0e163\rhcjdvj0e163.exe"
    To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • Adds value: "DisplayName"
    With data: "antivirxp08"
    To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\rhcjdvj0e163
  • Adds value: "LastTimeStamp"
    With data: "÷" (as rendered on the page; the underlying data is not otherwise given)
    To subkey: HKLM\Software\rhcjdvj0e163
  • Adds value: "AntivirXP08"
    With data: "antivirxp08"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform

The Run value is the persistence mechanism: it relaunches the rogue at every logon. Values under the Post Platform subkey are appended to Internet Explorer's User-Agent string, so the "AntivirXP08" token also appears in the User-Agent of web requests from the affected machine, which makes it a usable network-side indicator in proxy logs.

After installation, the following changes may be noticed or observed (the original page illustrates each with a screenshot, which is not reproduced here):

  • A system tray icon
  • An application shortcut named Antivirus XP 2008 is created on the desktop
  • Random and frequent false alerts of threats from the System tray as pop-up balloons
  • Messages displayed when the program is run or the alert is clicked
  • If the user proceeds with removal, a "registration" window is presented
  • An imitation "Security Center" may be displayed


Additional Information

Win32/Antivirusxp may modify registry data regarding display properties, as in the following examples:

  • Modifies value: NoDispScrSavPage
    With data: 1
    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
    This hides the "Screen Saver" tab from the Display applet in Control Panel, or when viewing desktop properties.
  • Modifies value: NoDispBackgroundPage
    With data: 1
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    This removes the "Background" tab from the Display applet in Control Panel, or when viewing desktop properties.

These are ordinary Group Policy restriction values and may already be set legitimately in a business or public-access environment, in which case the change is not noticeable; for the same reason their presence on their own is not evidence of infection, and Group Policy may reapply them after cleanup.
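The registry indicators from the Installation section (the Run value, the Uninstall entry, the Post Platform token and the RegistrationUrl/LastTimeStamp pair) and the two policy values above can all be checked from an offline registry export with the same small parser. The following Python script is an added triage example, not part of the original page or of Microsoft's analysis: it parses a .reg file as produced by reg.exe, then scores each indicator, marking the policy values low-confidence for the reason given above. The file name antivirusxp_reg.py is an assumption; SAMPLE_REG is constructed test data that mirrors the values on this page (the LastTimeStamp bytes and the benign SecurityHealth Run entry are placeholders), and the script assumes UTF-16 exports, which is what reg export writes.

```python
"""Added triage example (not from the original page or from Microsoft): parse a Windows
.reg export and flag the Win32/Antivirusxp registry changes described under Installation
and Additional Information. On the suspect host: reg export HKLM\Software hklm.reg (and
HKCU\Software hkcu.reg), then: python antivirusxp_reg.py hklm.reg hkcu.reg
SAMPLE_REG is constructed test data mirroring the page; LastTimeStamp bytes are a placeholder."""
import re
import sys

SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"
"SMrhcjdvj0e163"="C:\\Program Files\\rhcjdvj0e163\\rhcjdvj0e163.exe"
[HKEY_LOCAL_MACHINE\Software\rhcjdvj0e163]
"RegistrationUrl"=""
"LastTimeStamp"=hex:00,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\rhcjdvj0e163]
"DisplayName"="antivirxp08"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"AntivirXP08"="antivirxp08"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoDispScrSavPage"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000001
'''

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')
_CV = "software\\microsoft\\windows\\currentversion\\"
_POLICY_VALUES = {("hklm\\" + _CV + "policies\\activedesktop", "nodispscrsavpage"),
                  ("hkcu\\" + _CV + "policies\\system", "nodispbackgroundpage")}
# Run data shaped <dir>\<name>\<name>.exe: the page's self-named install folder.
_SELF_NAMED_EXE = re.compile(r"^(.*)\\([^\\]+)\\\2\.exe$", re.IGNORECASE)


def _parse_data(raw):
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return ("REG_SZ", re.sub(r"\\(.)", r"\1", raw[1:-1]))  # \\ -> \ and \" -> "
    if raw.lower().startswith("dword:"):
        return ("REG_DWORD", int(raw[6:], 16))
    return ("REG_BINARY", raw)  # hex(...) forms kept raw; not needed for these indicators


def parse_reg(text):
    """Return {key path: {value name: (type, data)}} from REGEDIT4/5.00 export text."""
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip(); i += 1
        while line.endswith("\\") and i < len(lines):  # hex data continuation lines
            line = line[:-1] + lines[i].strip(); i += 1
        if not line or line[0] == ";" or line.startswith(("Windows Registry", "REGEDIT4")):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = None if m.group(1) == "-" else m.group(2)  # "[-key]" is a deletion
            if current is not None:
                keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else re.sub(r"\\(.)", r"\1", m.group(2))
            keys[current][name] = _parse_data(m.group(3))
    return keys


def scan(keys):
    """Return [(confidence, key, detail)] for the indicators the page lists."""
    findings = []
    for key, values in keys.items():
        nk = key.replace("HKEY_LOCAL_MACHINE", "HKLM").replace("HKEY_CURRENT_USER", "HKCU").lower()
        low = {n.lower(): d for n, (_, d) in values.items()}
        if nk == "hklm\\" + _CV + "run":
            for name, (_, data) in values.items():
                m = _SELF_NAMED_EXE.match(str(data))
                if m and name.lower() == "sm" + m.group(2).lower():  # "SM<name>" pattern
                    findings.append(("high", key, f"Run value {name!r} -> {data}"))
        elif nk.startswith("hklm\\" + _CV + "uninstall\\"):
            if str(low.get("displayname", "")).lower() == "antivirxp08":
                findings.append(("high", key, "Uninstall DisplayName 'antivirxp08'"))
        elif nk == "hklm\\" + _CV + "internet settings\\user agent\\post platform":
            for name in values:
                if name.lower() == "antivirxp08":
                    findings.append(("high", key, f"User-Agent Post Platform token {name!r}"))
        elif "registrationurl" in low and "lasttimestamp" in low:
            findings.append(("medium", key, "RegistrationUrl + LastTimeStamp (rogue licence state)"))
        for name in values:  # policy values: real Group Policy uses these too
            if (nk, name.lower()) in _POLICY_VALUES and low[name.lower()] == 1:
                findings.append(("low", key, f"{name}=1 hides a Display tab; may be Group Policy"))
    return findings


if __name__ == "__main__":
    keys = {}
    for path in sys.argv[1:]:
        with open(path, encoding="utf-16") as f:  # reg.exe exports are UTF-16 with BOM
            keys.update(parse_reg(f.read()))
    for conf, key, detail in scan(keys or parse_reg(SAMPLE_REG)):
        print(f"[{conf:>6}] {key}\n         {detail}")
```

Run without arguments it scans SAMPLE_REG and reports three high, one medium and two low findings; the benign SecurityHealth entry is not reported because its path does not have the self-named <name>\<name>.exe shape. The Run-value rule is deliberately structural rather than a literal match on "rhcjdvj0e163", since the page says that name varies per installation.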

Analysis by Subratam Biswas

Last update 03 May 2016
