
Antivirus Security Pro


First posted on 18 September 2013.
Source: Microsoft

Aliases :

There are no other names known for Antivirus Security Pro.

Explanation :

Threat behavior

Installation

Antivirus Security Pro creates an identifier made up of eight letters or numbers, for example, X7gngpng. It then creates a folder with this name under the %APPDATA% or <commonappdata> directory. It creates the following files in this directory:

  • <identifier>.exe - a copy of itself
  • <identifier>.ico - an icon file
  • <identifier>.in or <identifier><8 random letters or digits>.in - a data file
  • <identifier>.lg or <identifier><8 random letters or digits>.lg - a data file
  • <identifier>.exe.manifest - a data file
  • serv.bat - an MS-DOS batch script that modifies the registry and stops services. It may also be detected as Rogue:Win32/Winwebsec


An example of these files could be:

  • %APPDATA%\X7gngpng\X7gngpng.exe
  • %APPDATA%\X7gngpng\X7gngpng.in
  • %APPDATA%\X7gngpng\X7gngpng.lg
  • %APPDATA%\X7gngpng\X7gngpng.exe.manifest
  • %APPDATA%\X7gngpng\X7gngpng.ico
  • %APPDATA%\X7gngpng\serv.bat
Antivirus Security Pro creates the following registry entry to ensure that it runs each time you start your computer:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: AS2014
With data: <location of malware copy>, for example, %APPDATA%\X7gngpng\X7gngpng.exe

It creates a desktop shortcut with the file name <desktopdirectory>\Antivirus Security Pro.lnk, which looks like the following:



It also creates a URL shortcut on the desktop with the filename <desktopdirectory>\Antivirus Security Pro support.url:



It creates a shortcut in <start menu>\Programs\Antivirus Security Pro\Antivirus Security Pro.lnk.

It creates a URL shortcut in <start menu>\Programs\Antivirus Security Pro\Antivirus Security Pro support.url:



Payload


Displays a fake scanner

Antivirus Security Pro performs a fake scan of your computer. It then falsely claims that a number of files on your computer are infected with malware. It tells you that you need to pay money to register the program if you want to clean the reported infections.

Some examples of the interface, fake alerts, fake scanning results, and pop-ups are shown below:



Antivirus Security Pro may show a user interface in English, French, German, Italian, Portuguese, or Spanish. However, the details of the threats detected are always reported in English. The following shows the Italian version of the user interface:



Terminates processes

Antivirus Security Pro can stop you from launching applications by blocking the process. It will show you a message that falsely claims that the process is infected. It continues to monitor all running processes, and may stop any new process when it is launched.

It will terminate any process unless it has one of the following file names:

winlogon.exe
userinit.exe
svchost.exe
csrss.exe
explorer.exe
iexplorer.exe
iexplore.exe
ieuser.exe
iedw.exe
ie4uinit.exe
lsass.exe
dumprep.exe
conhost.exe
dwm.exe
wuauclt.exe
taskeng.exe
sysdoctor.exe
dwwin.exe
verclsid.exe
vmtoolsd.exe
vmacthlp.exe
aeadisrv.exe
alg.exe
audiodg.exe
ctfmon.exe
cleaner.exe
dllhost.exe
httpd.exe
iastordatamgrsvc.exe
lsm.exe
mfnsvc.exe
mdnsresponder.exe
msdtc.exe
nvvsvc.exe
nvsvc.exe
pdagent.exe
searchindexer.exe
searchprotocolhost.exe
services.exe
slsvc.exe
smss.exe
snort.exe
spoolsv.exe
taskhost.exe
wininit.exe
wmiprvse.exe
winroute.exe
wmpnetwk.exe
wscntfy.exe
rundll32.exe
relver.exe
systeminfo.exe
makecab.exe
driverquery.exe
livesp.exe
nvscpapisvr.exe
werfault.exe
reg.exe
sc.exe
ping.exe

The following processes will always be terminated:

taskmgr.exe
regedit.exe
msconfig.exe
safari.exe
opera.exe
firefox.exe
chrome.exe
cmd.exe

When it terminates a process it shows an image similar to the following:


Stops and disables services

Antivirus Security Pro attempts to stop the following services, and disable them so that they will not restart on system startup:

windefend (Windows Defender)
msmpsvc (Microsoft Security Essentials)
wuauserv (Windows Update)
wscsvc (Windows Security Center)

It also tries to disable the following service:

luafv (UAC File Virtualization Filter)

Modifies security settings

Antivirus Security Pro may try to modify your computer's security settings by making a number of registry modifications.

It tries to disable various Windows Security Center notifications by making the following changes to the registry:

In subkey: HKLM\SOFTWARE\Microsoft\Security Center
In subkey: HKLM\SOFTWARE\Microsoft\Security Center\svc
Sets value: "AntiVirusDisableNotify"
With data: "1"
Sets value: "AntiVirusOverride"
With data: "1"
Sets value: "FirewallDisableNotify"
With data: "1"
Sets value: "FirewallOverride"
With data: "1"
Sets value: "UpdatesDisableNotify"
With data: "1"

It tries to prevent the creation of automatic System Restore points by making the following changes to the registry:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Sets value: "RPSessionInterval"
With data: "0"

It tries to disable User Account Control (UAC) by making the following changes to the registry:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
Sets value: "EnableLUA"
With data: "0"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
Sets value: "EnableVirtualization"
With data: "0"

It tries to prevent Windows Defender from running at startup by deleting the following registry entries:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Deletes value: Windows Defender
Deletes value: MSASCui

It tries to disable System Protection by removing the following registry key:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP\Clients
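A triage check for the installation artefact (the AS2014 Run value pointing at %APPDATA%\<identifier>\<identifier>.exe) and the security-setting registry changes described above. This is an added example, not Microsoft's tooling; the registry snapshot format ({"HIVE\subkey": {value name: data}}) and the sample snapshot are assumptions constructed for illustration.

```python
import re

# Indicators from the description above. The snapshot format is an assumption for
# this example: {"HIVE\\subkey": {value_name: data}}, as parsed from a .reg export
# or a triage tool; registry key and value names are compared case-insensitively.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "AS2014"
# %APPDATA%\<8 letters/digits>\<same 8 letters/digits>.exe
RUN_PATH_RE = re.compile(r"^%APPDATA%\\([A-Za-z0-9]{8})\\\1\.exe$", re.IGNORECASE)
_SC = {"AntiVirusDisableNotify": "1", "AntiVirusOverride": "1", "FirewallDisableNotify": "1",
       "FirewallOverride": "1", "UpdatesDisableNotify": "1"}
TAMPER_VALUES = {
    r"HKLM\SOFTWARE\Microsoft\Security Center": _SC,
    r"HKLM\SOFTWARE\Microsoft\Security Center\svc": _SC,
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore": {"RPSessionInterval": "0"},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system": {"EnableLUA": "0",
                                                                          "EnableVirtualization": "0"},
}


def check_registry(snapshot):
    """Return a list of findings; an empty list means no indicator matched."""
    snap = {k.lower(): {n.lower(): str(v) for n, v in vals.items()} for k, vals in snapshot.items()}
    findings = []
    data = snap.get(RUN_KEY.lower(), {}).get(RUN_VALUE.lower())
    if data is not None:  # the autorun entry alone is a strong indicator
        m = RUN_PATH_RE.match(data)
        shape = f"identifier {m.group(1)}" if m else "path outside the usual pattern"
        findings.append(f"Run value {RUN_VALUE} -> {data} ({shape})")
    for key, expected in TAMPER_VALUES.items():  # security-setting tampering
        present = snap.get(key.lower(), {})
        for name, bad in expected.items():
            if present.get(name.lower()) == bad:
                findings.append(f"{key}\\{name} = {bad}")
    return findings


# Constructed sample snapshot (not real telemetry): a partially tampered host.
SAMPLE_SNAPSHOT = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {"AS2014": r"%APPDATA%\X7gngpng\X7gngpng.exe"},
    r"HKLM\SOFTWARE\Microsoft\Security Center": {"AntiVirusDisableNotify": "1", "FirewallDisableNotify": "1"},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system": {"EnableLUA": "0",
                                                                          "EnableVirtualization": "1"},
}

if __name__ == "__main__":
    for line in check_registry(SAMPLE_SNAPSHOT):
        print(line)
```

The sample yields four findings: the Run value with its extracted identifier, two Security Center notification values, and EnableLUA; EnableVirtualization is reported only when it has actually been set to 0.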

Closes windows

If you try to open one of the following windows or programs, or if any alerts are displayed by these programs, the rogue may try to close them:

  • fwcplui_class (Windows Firewall)
  • msascui_class (Windows Defender)
  • wscui_class (Windows Security Center)


Blocks access to websites


The rogue may try to block access to some websites, instead showing a page similar to:


Analysis by David Wood


Symptoms

System changes


The following system changes may indicate the presence of this malware:

  • The presence of a desktop icon and entry in the Start menu:

  • The presence of the following registry modifications:

    In subkey: HKLM\SOFTWARE\Microsoft\Security Center
    In subkey: HKLM\SOFTWARE\Microsoft\Security Center\svc
    Sets value: "AntiVirusDisableNotify"
    With data: "1"
    Sets value: "AntiVirusOverride"
    With data: "1"
    Sets value: "FirewallDisableNotify"
    With data: "1"
    Sets value: "FirewallOverride"
    With data: "1"
    Sets value: "UpdatesDisableNotify"
    With data: "1"

    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
    Sets value: "RPSessionInterval"
    With data: "0"

    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    Sets value: "EnableLUA"
    With data: "0"

    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    Sets value: "EnableVirtualization"
    With data: "0"



  • The display of the following messages:

    Some examples of the interface, fake alerts, fake scanning results, and pop-ups displayed by Antivirus Security Pro are shown below:


Last update 18 September 2013
