
Trojan:Win32/InternetAntivirus


First posted on 24 April 2009.
Source: SecurityHome

Aliases :

Trojan:Win32/InternetAntivirus is also known as: not-a-virus:FraudTool:Win32.GeneralAntivirus.b, Mal/FakeAV-AC (Sophos), TrojanDownloader:Win32/Renos.gen!Z (other), Fraudtool.GeneralAntivirus.C (VirusBuster), InternetAntivirus (Symantec), General Antivirus (other), Personal Antivirus (other).

Explanation :

Trojan:Win32/InternetAntivirus is a rogue program that displays false and misleading alerts regarding malware, in order to convince users to purchase rogue security software. This program also displays a fake "Windows Security Center" message.

Special Note:

Reports of rogue antivirus programs have become more frequent recently. These are programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software. Some of these programs, such as Trojan:Win32/Antivirusxp and Program:Win32/FakeRednefed, may display product names or logos in an apparently unlawful attempt to impersonate Microsoft products. These products may present themselves as "Antivirus XP", "AntivirusXP 2008", "WinDefender 2008", "XP Antivirus", or similar. Use Microsoft Windows Defender, the Windows Live safety scanner (http://onecare.live.com/site/en-us/default.htm), or another up-to-date scanning and removal tool to detect and remove these threats and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.

Symptoms
System Changes

The following system changes may indicate the presence of Win32/InternetAntivirus:

  • The presence of the following files:
    %ProgramFiles%\Internet Antivirus\internetantivirus.exe
    %ProgramFiles%\Internet Antivirus\iaupdater.exe
    %ProgramFiles%\Internet Antivirus\iavir.exe
    %ProgramFiles%\Internet Antivirus\unins000.exe
    %ProgramFiles%\Internet Antivirus\iv.exe
  • The presence of a program folder named "Internet Antivirus" in the Start Menu
  • The presence of a desktop shortcut named "Internet Antivirus" (icon image not reproduced here)
  • The presence of the following registry entries (the first is a value named "Internet Antivirus" under the Run subkey, the second is an uninstall subkey):
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Internet Antivirus
    HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Internet Antivirus_is1
  • The display of the rogue's application window and a false "Windows Security Center" alert (screenshots not reproduced here)

    Installation
    Trojan:Win32/InternetAntivirus has been distributed under names such as the following:
  • Personal Antivirus
  • General Antivirus

    Win32/InternetAntivirus is installed by downloading a setup application from the product website and/or by social engineering from third-party websites. Once installed, the following folders are created:
    %ProgramFiles%\Internet Antivirus
    <Start Menu>\Programs\Internet Antivirus

    The installer creates the following files:
    %ProgramFiles%\Internet Antivirus\internetantivirus.exe
    %ProgramFiles%\Internet Antivirus\iaupdater.exe
    %ProgramFiles%\Internet Antivirus\iavir.exe
    %ProgramFiles%\Internet Antivirus\unins000.exe
    %ProgramFiles%\Internet Antivirus\iv.exe
    <Start Menu>\Programs\Internet Antivirus\uninstall.ico
    <Start Menu>\Programs\Internet Antivirus\activate.ico
    <Start Menu>\Programs\Internet Antivirus\Internet Antivirus Home Page.lnk
    <Start Menu>\Programs\Internet Antivirus\Purchase License.lnk

    Note: <Start Menu> refers to a variable location that the malware determines by querying the operating system. The default location of the 'Start Menu' folder on Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu'. On Windows Vista, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu'.

    The registry is modified so that Win32/InternetAntivirus runs at each Windows start:
    Adds value: "Internet Antivirus"
    With data: "%ProgramFiles%\Internet Antivirus\iavir.exe"
    To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    The installer may add an entry named "Internet Antivirus" in 'Add/Remove Programs' for Win32/InternetAntivirus.

    An application shortcut named "Internet Antivirus" is created on the desktop (icon image not reproduced here). Win32/InternetAntivirus displays random and frequent false warnings from an icon in the Windows system tray, and an application screen styled to look like a security product (screenshots not reproduced here). When a user clicks 'Get license', a purchase screen is displayed. Win32/InternetAntivirus also displays a fake "Windows Security Center" message attempting to convince the user that the computer is infected.
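    The Symptoms and Installation sections above amount to a host-based indicator list. The following PowerShell triage script is an added example and is not part of the original write-up: it tests a Windows host for the files, folders, Start Menu and desktop shortcuts, Run value and uninstall key the page documents. The file and registry names come from the page; the function name, the additional check of the 32-bit Program Files and Wow6432Node locations on 64-bit Windows, and the output format are assumptions of this example.

```powershell
# Added example (not from the original write-up): triage a host for the
# Win32/InternetAntivirus artifacts listed on this page.

# A 32-bit installer lands in %ProgramFiles(x86)% on 64-bit Windows; checking both
# directories is an assumption of this example, not something the page states.
$pfDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

# Files the page says the installer drops under %ProgramFiles%\Internet Antivirus
$dropped = 'internetantivirus.exe', 'iaupdater.exe', 'iavir.exe', 'unins000.exe', 'iv.exe'

# <Start Menu>\Programs\Internet Antivirus; GetFolderPath('Programs') resolves the
# per-OS location the page's note describes (XP-style vs. Vista-style profile layout).
$startMenuDir = Join-Path ([Environment]::GetFolderPath('Programs')) 'Internet Antivirus'
$shortcuts = 'uninstall.ico', 'activate.ico', 'Internet Antivirus Home Page.lnk', 'Purchase License.lnk'

# Desktop shortcut named "Internet Antivirus"
$desktopLnk = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Internet Antivirus.lnk'

# Persistence value and Add/Remove Programs key from the page; the Wow6432Node
# variant is an assumption for 32-bit installers on 64-bit Windows.
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$uninstKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Antivirus_is1',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Internet Antivirus_is1'
)

function Test-InternetAntivirusArtifacts {
    $findings = New-Object System.Collections.Generic.List[string]

    foreach ($pf in $pfDirs) {
        $dir = Join-Path $pf 'Internet Antivirus'
        if (Test-Path -LiteralPath $dir -PathType Container) {
            $findings.Add("Install folder: $dir")
            foreach ($name in $dropped) {
                $f = Join-Path $dir $name
                if (Test-Path -LiteralPath $f -PathType Leaf) { $findings.Add("File: $f") }
            }
        }
    }

    if (Test-Path -LiteralPath $startMenuDir -PathType Container) {
        $findings.Add("Start Menu folder: $startMenuDir")
        foreach ($name in $shortcuts) {
            $s = Join-Path $startMenuDir $name
            if (Test-Path -LiteralPath $s -PathType Leaf) { $findings.Add("Shortcut: $s") }
        }
    }

    if (Test-Path -LiteralPath $desktopLnk -PathType Leaf) {
        $findings.Add("Desktop shortcut: $desktopLnk")
    }

    # Run value "Internet Antivirus" -> %ProgramFiles%\Internet Antivirus\iavir.exe
    $run = Get-ItemProperty -Path $runKey -Name 'Internet Antivirus' -ErrorAction SilentlyContinue
    if ($run) {
        $findings.Add("Run value 'Internet Antivirus' = $($run.'Internet Antivirus')")
    }

    foreach ($k in $uninstKeys) {
        if (Test-Path -LiteralPath $k) { $findings.Add("Uninstall key: $k") }
    }

    return $findings
}

$hits = @(Test-InternetAntivirusArtifacts)
if ($hits.Count -eq 0) {
    Write-Output 'No Win32/InternetAntivirus artifacts found.'
} else {
    Write-Output "Win32/InternetAntivirus indicators found ($($hits.Count)):"
    $hits | ForEach-Object { Write-Output "  $_" }
}
```

    Run it in the context of the user whose profile is suspected, since the Run value and Start Menu folder are per-user (HKCU and %USERPROFILE%). Treat a hit as a lead for the scanner-based removal the Special Note recommends rather than deleting files by hand; the list here is only the set of components this write-up documents. Note also that the unins000.exe file name and the _is1 suffix on the uninstall key are conventions of the Inno Setup installer used by many legitimate programs, so the "Internet Antivirus" folder, value and key names are the discriminating part of these indicators, not those two artifacts on their own.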

    Analysis by Subratam Biswas

    Last update 24 April 2009