
Program:Win32/AntivirusProtection


First posted on 06 July 2009.
Source: SecurityHome

Aliases :

Program:Win32/AntivirusProtection is also known as FakeAlert-Y (McAfee), SpyDestroy (Symantec), W32/SpyDestroy.A (Norman), Win32/Adware.PestBot (ESET), Adware Patrol (other), Doctor Adware (other), SpyDestroy Pro (other).

Explanation :

Program:Win32/AntivirusProtection is a program that displays false and misleading alerts regarding malware, in order to convince users to purchase rogue security software.

Symptoms

System Changes
The following system changes may indicate the presence of Program:Win32/AntivirusProtection:

  • Presence of the following files:
    %ProgramFiles%\Antivirus Protection\antivirusprotection.exe
    <system folder>\filekiller.dll
  • Presence of the following Start Menu shortcuts:
    Programs\Antivirus Protection\Antivirus Protection.lnk
    Programs\Antivirus Protection\Uninstall.lnk
    Programs\Antivirus Protection\Website.lnk
  • Presence of this registry value and data:
    Value: AntivirusProtection
    With data: "%ProgramFiles%\Antivirus Protection\antivirusprotection.exe /scanstartup"
    In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Program:Win32/AntivirusProtection may launch at each Windows start with an application window such as this: (screenshot not reproduced)

Program:Win32/AntivirusProtection is a program that displays false and misleading alerts regarding malware, in order to convince users to purchase rogue security software.

Installation
Win32/AntivirusProtection can be installed manually via an installation package. During installation, it may drop the following files, detected as Program:Win32/AntivirusProtection:

  • %ProgramFiles%\Antivirus Protection\antivirusprotection.exe
  • <system folder>\filekiller.dll

The installer may create other program shortcuts in the Start Menu, such as the following:

  • %USERPROFILE%\Start Menu\Programs\Antivirus Protection\Antivirus Protection.lnk
  • %USERPROFILE%\Start Menu\Programs\Antivirus Protection\Uninstall.lnk
  • %USERPROFILE%\Start Menu\Programs\Antivirus Protection\Website.lnk

The installer may modify the registry to execute Win32/AntivirusProtection at each Windows start.
    Adds value: AntivirusProtection
    With data: "%ProgramFiles%\Antivirus Protection\antivirusprotection.exe /scanstartup"
    To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The installer may add the following additional registry values and data, including one that establishes the application path of the program.
    Adds value: "@"
    With data: "%ProgramFiles%\Antivirus Protection\antivirusprotection.exe"
    To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\AntivirusProtection.exe

    Adds value: "Antivirus Protection"
    To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Telecom Advance

    Adds value: "Antivirus Protection"
    To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Once installed on the system, Program:Win32/AntivirusProtection may display false alerts of infection as an attempt to convince users to purchase the rogue security application. Below is an example of a false report on a clean machine: (screenshot not reproduced)

Additional Information
Win32/AntivirusProtection may be distributed with any of the following names:

  • Adware Patrol
  • Doctor Adware
  • Spyware Remover
  • Adware Remover
  • SpyDestroy Pro
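A defender's check for the file, shortcut and registry indicators listed in the Symptoms and Installation sections, added here as an example and not part of the original advisory. It assumes <system folder> is %SystemRoot%\System32, that the shortcuts sit under the current user's Programs folder, and that a 32-bit installer on 64-bit Windows may have written its HKLM\SOFTWARE keys under WOW6432Node; run it from an elevated PowerShell prompt.

```powershell
# Added example: checks a host for the Program:Win32/AntivirusProtection indicators
# named in this entry. Assumptions: <system folder> = %SystemRoot%\System32, shortcuts
# under the current user's Programs folder, and a possible WOW6432Node mirror of HKLM\SOFTWARE.
$findings = New-Object System.Collections.Generic.List[string]

# File indicators
$files = @(
    (Join-Path $env:ProgramFiles 'Antivirus Protection\antivirusprotection.exe'),
    (Join-Path $env:SystemRoot  'System32\filekiller.dll')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings.Add("File present: $f") }
}

# Start Menu shortcut indicators
$programs = [Environment]::GetFolderPath('Programs')
foreach ($lnk in 'Antivirus Protection.lnk', 'Uninstall.lnk', 'Website.lnk') {
    $p = Join-Path $programs "Antivirus Protection\$lnk"
    if (Test-Path -LiteralPath $p) { $findings.Add("Shortcut present: $p") }
}

# Registry indicators: subkey (relative to HKLM\SOFTWARE), value name, and optionally a
# substring the value data is expected to contain. '(default)' is how PowerShell names "@".
$regChecks = @(
    @{ Key = 'Microsoft\Windows\CurrentVersion\Run'; Name = 'AntivirusProtection'; Data = '/scanstartup' },
    @{ Key = 'Microsoft\Windows\CurrentVersion\App Paths\AntivirusProtection.exe'; Name = '(default)'; Data = 'antivirusprotection.exe' },
    @{ Key = 'Telecom Advance'; Name = 'Antivirus Protection' },
    @{ Key = 'Microsoft\Windows\CurrentVersion\Uninstall'; Name = 'Antivirus Protection' }
)
foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
    foreach ($c in $regChecks) {
        $key = Join-Path $root $c.Key
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        $val = $props.PSObject.Properties[$c.Name]
        if ($null -eq $val) { continue }
        # When expected data is given, require it in the value so a same-named benign value is not flagged
        if ($c.Data -and ($val.Value -notlike "*$($c.Data)*")) { continue }
        $findings.Add("Registry value present: $key\$($c.Name) = $($val.Value)")
    }
}

if ($findings.Count -eq 0) { 'No Program:Win32/AntivirusProtection indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Any line printed with a `[!]` prefix is an indicator match that should be verified against the paths and values above before the host is cleaned.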


Analysis by Elda Dimakiling

Last update 06 July 2009
