Program:Win32/AntivirusProtection
First posted on 06 July 2009.
Source: SecurityHome
Aliases:
Program:Win32/AntivirusProtection is also known as FakeAlert-Y (McAfee), SpyDestroy (Symantec), W32/SpyDestroy.A (Norman), Win32/Adware.PestBot (ESET), Adware Patrol (other), Doctor Adware (other), SpyDestroy Pro (other).
Explanation:
Program:Win32/AntivirusProtection is a program that displays false and misleading alerts regarding malware, in order to convince users to purchase rogue security software.
Symptoms
System Changes
The following system changes may indicate the presence of Program:Win32/AntivirusProtection:
Presence of the following files:
%ProgramFiles%\Antivirus Protection\antivirusprotection.exe
<system folder>\filekiller.dll
Presence of the following Start Menu shortcuts:
Programs\Antivirus Protection\Antivirus Protection.lnk
Programs\Antivirus Protection\Uninstall.lnk
Programs\Antivirus Protection\Website.lnk
Presence of this registry value and data:
Value: AntivirusProtection
With data: "%ProgramFiles%\Antivirus Protection\antivirusprotection.exe /scanstartup"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Program:Win32/AntivirusProtection may launch at each Windows start with an application window such as this:
(Screenshot of the application window not reproduced here.)
Installation
Win32/AntivirusProtection can be installed manually via an installation package. During installation, it may drop the following files, detected as Program:Win32/AntivirusProtection:
%ProgramFiles%\Antivirus Protection\antivirusprotection.exe
<system folder>\filekiller.dll
The installer may create other program shortcuts in the Start Menu, such as the following:
%USERPROFILE%\Start Menu\Programs\Antivirus Protection\Antivirus Protection.lnk
%USERPROFILE%\Start Menu\Programs\Antivirus Protection\Uninstall.lnk
%USERPROFILE%\Start Menu\Programs\Antivirus Protection\Website.lnk
The installer may modify the registry to execute Win32/AntivirusProtection at each Windows start.
Adds value: AntivirusProtection
With data: "%ProgramFiles%\Antivirus Protection\antivirusprotection.exe /scanstartup"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The installer may add the following additional registry values and data, including one that establishes the application path of the program.
Adds value: "@"
With data: "%ProgramFiles%\Antivirus Protection\antivirusprotection.exe"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\AntivirusProtection.exe
Adds value: "Antivirus Protection"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Telecom Advance
Adds value: "Antivirus Protection"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Once installed on the system, Program:Win32/AntivirusProtection may display false alerts of infection in an attempt to convince users to purchase the rogue security application. Below is an example of a false report on a clean machine:
(Screenshot of the false report not reproduced here.)
Additional Information
Win32/AntivirusProtection may be distributed with any of the following names:
Adware Patrol
Doctor Adware
Spyware Remover
Adware Remover
SpyDestroy Pro
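As an added example, not part of this write-up or of any vendor tooling, the following PowerShell script checks a host for the file, shortcut and registry artifacts listed above and reports what it finds without removing anything. It assumes <system folder> is %SystemRoot%\System32, and it also checks the WOW6432Node and Program Files (x86) locations a 32-bit installer would use on 64-bit Windows, which the write-up does not mention.

```powershell
# Added hunt script, not part of the original write-up. Read-only: it reports the
# artifacts listed above and removes nothing. Run from an elevated PowerShell session.
function Find-AntivirusProtectionArtifacts {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Type, $Location, $Detail) {
        $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
    }

    # Run-key persistence: value AntivirusProtection launching the exe with /scanstartup.
    # A 32-bit installer on 64-bit Windows may land under WOW6432Node, so check both views (assumption).
    foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
        $run = Get-ItemProperty -Path "$root\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
        if ($run -and $run.AntivirusProtection -match 'antivirusprotection\.exe\s+/scanstartup') {
            Add-Finding 'Registry' "$root\Microsoft\Windows\CurrentVersion\Run\AntivirusProtection" $run.AntivirusProtection
        }
        # App Paths entry from the Installation section.
        $appPath = "$root\Microsoft\Windows\CurrentVersion\App Paths\AntivirusProtection.exe"
        if (Test-Path -LiteralPath $appPath) { Add-Finding 'Registry' $appPath 'key present' }
        # The write-up lists "Antivirus Protection" as a value under these keys; the Uninstall key
        # conventionally holds one subkey per program, so test for either form.
        foreach ($parent in "$root\Telecom Advance", "$root\Microsoft\Windows\CurrentVersion\Uninstall") {
            if (Test-Path -LiteralPath "$parent\Antivirus Protection") { Add-Finding 'Registry' "$parent\Antivirus Protection" 'subkey present' }
            $p = Get-ItemProperty -LiteralPath $parent -ErrorAction SilentlyContinue
            if ($p -and $p.PSObject.Properties['Antivirus Protection']) { Add-Finding 'Registry' "$parent\Antivirus Protection" 'value present' }
        }
    }

    # Dropped files. %SystemRoot%\System32 stands in for <system folder> (assumption).
    $files = @(foreach ($pf in (@($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ })) {
        Join-Path $pf 'Antivirus Protection\antivirusprotection.exe'
    })
    $files += Join-Path $env:SystemRoot 'System32\filekiller.dll'
    foreach ($f in $files) { if (Test-Path -LiteralPath $f) { Add-Finding 'File' $f 'present' } }

    # Start Menu shortcuts. GetFolderPath('Programs') resolves the per-user Programs folder on any
    # Windows version; the write-up's %USERPROFILE%\Start Menu\Programs layout is the XP-era path.
    $lnkDir = Join-Path ([Environment]::GetFolderPath('Programs')) 'Antivirus Protection'
    foreach ($lnk in 'Antivirus Protection.lnk', 'Uninstall.lnk', 'Website.lnk') {
        $path = Join-Path $lnkDir $lnk
        if (Test-Path -LiteralPath $path) { Add-Finding 'Shortcut' $path 'present' }
    }
    return $findings
}

Find-AntivirusProtectionArtifacts | Format-Table -AutoSize
```

An empty table means none of the listed artifacts were found under the checked locations; it does not prove the host is clean, since later builds of the family may use different names.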
Analysis by Elda Dimakiling. Last update 06 July 2009.