
Best Antivirus Software


Best Antivirus Software is a variant of Win32/FakeVimes, a family of programs that claim to scan for malware and display fake warnings of "malicious programs and viruses". The program then tells the user that they must pay to register the software in order to remove these non-existent threats. It may also modify security settings, prevent programs from running, and modify the Hosts file.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

Threat behavior

Installation

Best Antivirus Software is installed by a downloader, which may also be detected as Rogue:Win32/FakeVimes. The downloader retrieves an encrypted copy of the fake scanner, decrypts it, and writes it to %common_appdata%\<five random hexadecimal digits>\BA<three random hexadecimal digits>_<four random decimal digits>.exe. An example location for Best Antivirus Software might be %common_appdata%\54fd6\BA3b8_8068.exe. It then launches the fake scanner.

It then creates a registry entry so that this copy is run each time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Best Antivirus Software"
With data: "<location of malware>" /s /d (for example, "%common_appdata%\54fd6\BA3b8_8068.exe" /s /d)

It drops an icon file BAS.ico to the same directory as the copied malware (for example, %common_appdata%\54fd6\BAS.ico).

It also creates empty folders "Quarantine Items" and "BASSys" under the same folder as the original copy of the scanner.

It creates a desktop shortcut at %desktopdir%\Best Antivirus Software.lnk.

It adds an item to Start Menu by creating a file at %startmenu%\Best Antivirus Software.lnk.

It adds an item to the Programs Menu by creating a file at %programs%\Best Antivirus Software.lnk.

It adds an icon to the Quick Launch bar by creating a file at %appdata%\Microsoft\Internet Explorer\Quick Launch\Best Antivirus Software.lnk.

Best Antivirus Software then creates a configuration file in a location such as %common_appdata%\BAZUVONHOS\BAUTS.cfg.

Lastly, it creates a number of small junk files in the %userprofile%\Recent directory, which it can report as infected when performing its fake scan. These files are harmless by themselves.

Payload

Displays fake scanner

The malware masquerades as an antivirus scanner, and displays a number of windows, dialog boxes and system tray pop-ups in an attempt to convince you that you are infected. This appears to be an attempt to replicate the appearance of Microsoft Security Essentials.

 

If you try to remove the listed threats, you will be taken to a webpage informing you that you must pay to register the scanner in order to do so.

Adds details to Security Center

The malware adds its details to the legitimate Security Center by dropping a file named <four digit random number>.mof (for example, 5668.mof) to the directory in which it is running, and then launching a system tool using this file as input. It adds itself as both the Antivirus Product and Firewall Product:

Modifies Hosts file

Best Antivirus Software modifies the Windows Hosts file. The local Hosts file overrides DNS resolution by mapping a host name to a particular IP address. Malware may modify the Hosts file in order to redirect specified host names to different IP addresses. Malware often modifies an affected computer's Hosts file in order to stop users from accessing websites associated with particular security-related applications (antivirus products, for example).

Best Antivirus Software attempts to modify the Hosts file at %windows%\drivers\etc\hosts to remove certain entries if they are present. These entries may have been added earlier (by competing malware, for instance, or even by another security-conscious administrator) to prevent you from visiting the websites of Win32/FakeVimes or its payment gateways.

Some variants of Win32/FakeVimes have also been reported to add additional entries to the Hosts file in order to block access to security related websites, or redirect visits to search pages to sites of the malware's choosing.

Monitors browser traffic

The malware creates the following registry entry, which causes Internet Explorer to use a web proxy on the local computer.

In subkey: HKCU\Software\Microsoft\Internet Explorer
Sets value: "PRS"
With data: "hxxp://127.0.0.1:27777/?inj=%ORIGINAL%"

It then listens on port 27777 for the proxied web traffic. Should it find pages that it does not want you to view, it may block access to this content, or close browser tabs or windows. Should access be blocked, it may display a page such as the following:

Modifies default search page

The malware attempts to alter the default search page for Internet Explorer by creating a registry entry such as the following:

In subkey: HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes
Sets value: "URL"
With data: "hxxp://findgala.com/?&uid=8068&q={searchTerms}"

Modifies security settings

It creates the following registry entries in an attempt to allow Internet Explorer to run unsigned or incorrectly signed executables without displaying a warning:

In subkey: HKCU\Software\Microsoft\Internet Explorer\Download
Sets value: "CheckExeSignatures"
With data: "no"
Sets value: "RunInvalidSignatures"
With data: "1"

It may attempt to allow itself access through Windows Firewall by creating the following registry entry:

In subkey: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<location of malware>" (for example, %common_appdata%\54fd6\BA3b8_8068.exe)
With Data: "<location of malware>:*:Enabled:<Product Name>" (for example, %common_appdata%\54fd6\BA3b8_8068.exe:*:Enabled:Best Antivirus Software)

Some variants may also add the following:

In subkey: HKLM\System\CurrentControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: <location of malware> (for example, %common_appdata%\54fd6\BA3b8_8068.exe)
With Data: "<location of malware>:*:Enabled:<Product Name>" (for example, %common_appdata%\54fd6\BA3b8_8068.exe:*:Enabled:Best Antivirus Software)

If the computer is running Windows Vista or later, FakeVimes may also temporarily modify the registry entries below so that the Hosts file changes above can be made without a UAC (User Account Control) prompt being displayed. After it has made the changes, it may restore these entries to more secure settings, but not necessarily to the values that were originally present.

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Modifies value: "ConsentPromptBehaviorAdmin"
Modifies value: "ConsentPromptBehaviorUser"
Modifies value: "EnableLUA"
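
The following PowerShell is an added example, not part of Microsoft's write-up, that audits a host for the registry changes documented in the sections above: the local proxy value, the search-page override is left aside (HKU has no default drive), the Internet Explorer signature-check settings, the UAC policy values, firewall exceptions whose path matches the dropper's naming pattern, and the Run entry. The function and variable names are my own; the entry says only that the UAC values are "modified", so flagging EnableLUA or ConsentPromptBehaviorAdmin equal to 0 is my assumption based on standard UAC semantics (0 disables UAC and elevates without prompting, respectively).

```powershell
# Added example (not code from the encyclopedia entry). Read-only audit of the
# registry values this entry documents; run in an elevated PowerShell session.
# Each check names a key, a value, a test that says whether the data is bad, and why.
$Checks = @(
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name='Best Antivirus Software'
       Bad={ param($v) $true }; Why='Run-key persistence entry for the rogue scanner' }
    @{ Key='HKCU:\Software\Microsoft\Internet Explorer'; Name='PRS'
       Bad={ param($v) "$v" -match '127\.0\.0\.1:27777' }; Why='IE traffic forced through local proxy on port 27777' }
    @{ Key='HKCU:\Software\Microsoft\Internet Explorer\Download'; Name='CheckExeSignatures'
       Bad={ param($v) "$v" -eq 'no' }; Why='Signature check for downloaded executables disabled' }
    @{ Key='HKCU:\Software\Microsoft\Internet Explorer\Download'; Name='RunInvalidSignatures'
       Bad={ param($v) "$v" -eq '1' }; Why='Executables with invalid signatures allowed to run' }
    # Assumption: 0 is the weakest setting for both UAC values; the entry does not state the value written.
    @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name='EnableLUA'
       Bad={ param($v) $v -eq 0 }; Why='UAC disabled' }
    @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name='ConsentPromptBehaviorAdmin'
       Bad={ param($v) $v -eq 0 }; Why='Administrators elevate without a prompt' }
)

$FirewallList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'

function Get-FakeVimesSettingFindings {
    # Fixed-name checks: report only when the value exists and the test says it is bad.
    $findings = foreach ($c in $Checks) {
        $key = Get-Item -Path $c.Key -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        $data = $key.GetValue($c.Name, $null)
        if ($null -eq $data) { continue }
        $test = $c.Bad
        if (& $test $data) {
            [pscustomobject]@{ Key = $c.Key; Name = $c.Name; Data = "$data"; Why = $c.Why }
        }
    }

    # Firewall exceptions are keyed by full path, so match the documented
    # <five hex>\BA<three hex>_<four digits>.exe pattern instead of a fixed name.
    $fw = Get-Item -Path $FirewallList -ErrorAction SilentlyContinue
    if ($fw) {
        $findings += foreach ($name in $fw.GetValueNames()) {
            if ($name -match '\\[0-9a-f]{5}\\BA[0-9a-f]{3}_[0-9]{4}\.exe$') {
                [pscustomobject]@{ Key = $FirewallList; Name = $name; Data = "$($fw.GetValue($name))"
                                   Why = 'Windows Firewall exception for a FakeVimes-style path' }
            }
        }
    }
    @($findings | Where-Object { $_ })
}

Get-FakeVimesSettingFindings | Format-Table -AutoSize
```

An empty table means none of the documented values is present; a hit on the proxy value is worth pairing with a check for a listener on TCP 27777 (netstat -ano) before cleanup.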

Prevents programs from running

The malware attempts to prevent a number of executables associated with Microsoft Security Essentials, Windows Defender, and ESET and AVG antivirus products from running. It does so by creating the following registry entries:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "DisallowRun"
With data: "1"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Sets value: "0"
With data: "msseces.exe"
Sets value: "1"
With data: "MSASCui.exe"
Sets value: "2"
With data: "ekrn.exe"
Sets value: "3"
With data: "egui.exe"
Sets value: "4"
With data: "avgnt.exe"
Sets value: "5"
With data: "avcenter.exe"
Sets value: "6"
With data: "avscan.exe"
Sets value: "7"
With data: "avgfrw.exe"
Sets value: "8"
With data: "avgui.exe"
Sets value: "9"
With data: "avgtray.exe"
Sets value: "10"
With data: "avgscanx.exe"
Sets value: "11"
With data: "avgcfgex.exe"
Sets value: "12"
With data: "avgemc.exe"
Sets value: "13"
With data: "avgchsvx.exe"
Sets value: "14"
With data: "avgcmgr.exe"
Sets value: "15"
With data: "avgwdsvc.exe"

The malware also attempts to prevent a number of other programs from running by registering the harmless system process "svchost.exe" as the debugger for those programs under Image File Execution Options. When you attempt to launch one of these programs, Windows starts the registered "debugger" instead, so svchost.exe runs in place of the program you wanted.

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<file name of blocked program>
Sets value: "Debugger"
With data: "svchost.exe"

for example:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe
Sets value: "Debugger"
With data: "svchost.exe"

It does this for the following diagnostic or security-related programs:

  • _avp32.exe
  • _avpcc.exe
  • _avpm.exe
  • a.exe
  • aAvgApi.exe
  • AAWTray.exe
  • About.exe
  • ackwin32.exe
  • Ad-Aware.exe
  • adaware.exe
  • advxdwin.exe
  • agentsvr.exe
  • agentw.exe
  • alertsvc.exe
  • alevir.exe
  • alogserv.exe
  • AluSchedulerSvc.exe
  • amon9x.exe
  • anti-trojan.exe
  • antivirus.exe
  • ants.exe
  • apimonitor.exe
  • aplica32.exe
  • apvxdwin.exe
  • arr.exe
  • Arrakis3.exe
  • ashAvast.exe
  • ashBug.exe
  • ashChest.exe
  • ashCnsnt.exe
  • ashDisp.exe
  • ashLogV.exe
  • ashMaiSv.exe
  • ashPopWz.exe
  • ashQuick.exe
  • ashServ.exe
  • ashSimp2.exe
  • ashSimpl.exe
  • ashSkPcc.exe
  • ashSkPck.exe
  • ashUpd.exe
  • ashWebSv.exe
  • aswChLic.exe
  • aswRegSvr.exe
  • aswRunDll.exe
  • aswUpdSv.exe
  • atcon.exe
  • atguard.exe
  • atro55en.exe
  • atupdater.exe
  • atwatch.exe
  • au.exe
  • aupdate.exe
  • auto-protect.nav80try.exe
  • autodown.exe
  • autotrace.exe
  • autoupdate.exe
  • avadmin.exe
  • avcenter.exe
  • avciman.exe
  • avconfig.exe
  • avconsol.exe
  • ave32.exe
  • AVENGINE.EXE
  • avgcc32.exe
  • avgchk.exe
  • avgcmgr.exe
  • avgcsrvx.exe
  • avgctrl.exe
  • avgdumpx.exe
  • avgemc.exe
  • avgiproxy.exe
  • avgnsx.exe
  • avgnt.exe
  • avgrsx.exe
  • avgscanx.exe
  • avgserv.exe
  • avgserv9.exe
  • avgsrmax.exe
  • avgtray.exe
  • avgui.exe
  • avgupd.exe
  • avgw.exe
  • avgwdsvc.exe
  • avkpop.exe
  • avkserv.exe
  • avkservice.exe
  • avkwctl9.exe
  • avltmain.exe
  • avmailc.exe
  • avmcdlg.exe
  • avnotify.exe
  • avnt.exe
  • avp32.exe
  • avpcc.exe
  • avpdos32.exe
  • avpm.exe
  • avptc32.exe
  • avpupd.exe
  • avsched32.exe
  • avsynmgr.exe
  • avupgsvc.exe
  • AVWEBGRD.EXE
  • avwin.exe
  • avwin95.exe
  • avwinnt.exe
  • avwsc.exe
  • avwupd.exe
  • avwupd32.exe
  • avwupsrv.exe
  • avxmonitor9x.exe
  • avxmonitornt.exe
  • avxquar.exe
  • b.exe
  • backweb.exe
  • bargains.exe
  • bd_professional.exe
  • bdagent.exe
  • bdfvcl.exe
  • bdfvwiz.exe
  • BDInProcPatch.exe
  • bdmcon.exe
  • BDMsnScan.exe
  • bdreinit.exe
  • bdsubwiz.exe
  • BDSurvey.exe
  • bdtkexec.exe
  • bdwizreg.exe
  • beagle.exe
  • belt.exe
  • bidef.exe
  • bidserver.exe
  • bipcp.exe
  • bipcpevalsetup.exe
  • bisp.exe
  • blackd.exe
  • blackice.exe
  • blink.exe
  • blss.exe
  • bootconf.exe
  • bootwarn.exe
  • borg2.exe
  • bpc.exe
  • brasil.exe
  • brw.exe
  • bs120.exe
  • bspatch.exe
  • bundle.exe
  • bvt.exe
  • c.exe
  • cavscan.exe
  • ccapp.exe
  • ccevtmgr.exe
  • ccpxysvc.exe
  • ccSvcHst.exe
  • cdp.exe
  • cfd.exe
  • cfgwiz.exe
  • cfiadmin.exe
  • cfiaudit.exe
  • cfinet.exe
  • cfinet32.exe
  • cfp.exe
  • cfpconfg.exe
  • cfplogvw.exe
  • cfpupdat.exe
  • claw95.exe
  • claw95cf.exe
  • clean.exe
  • cleaner.exe
  • cleaner3.exe
  • cleanIELow.exe
  • cleanpc.exe
  • click.exe
  • cmd32.exe
  • cmdagent.exe
  • cmesys.exe
  • cmgrdian.exe
  • cmon016.exe
  • connectionmonitor.exe
  • control
  • cpd.exe
  • cpf9x206.exe
  • cpfnt206.exe
  • crashrep.exe
  • cssconfg.exe
  • cssupdat.exe
  • cssurf.exe
  • ctrl.exe
  • cv.exe
  • cwnb181.exe
  • cwntdwmo.exe
  • d.exe
  • datemanager.exe
  • dcomx.exe
  • defalert.exe
  • defscangui.exe
  • defwatch.exe
  • deloeminfs.exe
  • deputy.exe
  • divx.exe
  • dllcache.exe
  • dllreg.exe
  • doors.exe
  • dpf.exe
  • dpfsetup.exe
  • dpps2.exe
  • driverctrl.exe
  • drwatson.exe
  • drweb32.exe
  • drwebupw.exe
  • dssagent.exe
  • dvp95.exe
  • dvp95_0.exe
  • ecengine.exe
  • efpeadm.exe
  • egui.exe
  • ekrn.exe
  • emsw.exe
  • ent.exe
  • esafe.exe
  • escanhnt.exe
  • escanv95.exe
  • espwatch.exe
  • ethereal.exe
  • etrustcipe.exe
  • evpn.exe
  • exantivirus-cnet.exe
  • exe.avxw.exe
  • expert.exe
  • explore.exe
  • f-agnt95.exe
  • f-prot.exe
  • f-prot95.exe
  • f-stopw.exe
  • fact.exe
  • fameh32.exe
  • fast.exe
  • fch32.exe
  • fih32.exe
  • findviru.exe
  • firewall.exe
  • fixcfg.exe
  • fixfp.exe
  • fnrb32.exe
  • fp-win.exe
  • fp-win_trial.exe
  • fprot.exe
  • frw.exe
  • fsaa.exe
  • fsav.exe
  • fsav32.exe
  • fsav530stbyb.exe
  • fsav530wtbyb.exe
  • fsav95.exe
  • fsgk32.exe
  • fsm32.exe
  • fsma32.exe
  • fsmb32.exe
  • gator.exe
  • gbmenu.exe
  • gbpoll.exe
  • generics.exe
  • gmt.exe
  • guard.exe
  • guarddog.exe
  • guardgui.exe
  • hacktracersetup.exe
  • hbinst.exe
  • hbsrv.exe
  • History.exe
  • hotactio.exe
  • hotpatch.exe
  • htlog.exe
  • htpatch.exe
  • hwpe.exe
  • hxdl.exe
  • hxiul.exe
  • iamapp.exe
  • iamserv.exe
  • iamstats.exe
  • ibmasn.exe
  • ibmavsp.exe
  • icload95.exe
  • icloadnt.exe
  • icmon.exe
  • icsupp95.exe
  • icsuppnt.exe
  • Identity.exe
  • idle.exe
  • iedll.exe
  • iedriver.exe
  • IEShow.exe
  • iface.exe
  • ifw2000.exe
  • inetlnfo.exe
  • infus.exe
  • infwin.exe
  • init.exe
  • install.exe
  • install[1].exe
  • install[2].exe
  • install[3].exe
  • install[4].exe
  • install[5].exe
  • intdel.exe
  • intren.exe
  • iomon98.exe
  • istsvc.exe
  • jammer.exe
  • jdbgmrg.exe
  • jedi.exe
  • JsRcGen.exe
  • kavlite40eng.exe
  • kavpers40eng.exe
  • kavpf.exe
  • kazza.exe
  • keenvalue.exe
  • kerio-pf-213-en-win.exe
  • kerio-wrl-421-en-win.exe
  • kerio-wrp-421-en-win.exe
  • killprocesssetup161.exe
  • ldnetmon.exe
  • ldpro.exe
  • ldpromenu.exe
  • ldscan.exe
  • licmgr.exe
  • livesrv.exe
  • lnetinfo.exe
  • loader.exe
  • localnet.exe
  • lockdown.exe
  • lockdown2000.exe
  • lookout.exe
  • lordpe.exe
  • lsetup.exe
  • luall.exe
  • luau.exe
  • lucomserver.exe
  • luinit.exe
  • luspt.exe
  • mapisvc32.exe
  • mcagent.exe
  • mcmnhdlr.exe
  • mcmscsvc.exe
  • mcnasvc.exe
  • mcproxy.exe
  • McSACore.exe
  • mcshell.exe
  • mcshield.exe
  • mcsysmon.exe
  • mctool.exe
  • mcupdate.exe
  • mcvsrte.exe
  • mcvsshld.exe
  • md.exe
  • mfin32.exe
  • mfw2en.exe
  • mfweng3.02d30.exe
  • mgavrtcl.exe
  • mgavrte.exe
  • mghtml.exe
  • mgui.exe
  • minilog.exe
  • mmod.exe
  • monitor.exe
  • moolive.exe
  • mostat.exe
  • mpfagent.exe
  • mpfservice.exe
  • MPFSrv.exe
  • mpftray.exe
  • mrflux.exe
  • mrt.exe
  • msa.exe
  • msapp.exe
  • MSASCui.exe
  • msbb.exe
  • msblast.exe
  • mscache.exe
  • msccn32.exe
  • mscman.exe
  • msconfig
  • msdm.exe
  • msdos.exe
  • msfwsvc.exe
  • msiexec16.exe
  • mslaugh.exe
  • msmgt.exe
  • MsMpEng.exe
  • msmsgri32.exe
  • msseces.exe
  • mssmmc32.exe
  • mssys.exe
  • msvxd.exe
  • mu0311ad.exe
  • mwatch.exe
  • n32scanw.exe
  • nav.exe
  • navap.navapsvc.exe
  • navapsvc.exe
  • navapw32.exe
  • navdx.exe
  • navlu32.exe
  • navnt.exe
  • navstub.exe
  • navw32.exe
  • navwnt.exe
  • nc2000.exe
  • ncinst4.exe
  • ndd32.exe
  • neomonitor.exe
  • neowatchlog.exe
  • netarmor.exe
  • netd32.exe
  • netinfo.exe
  • netmon.exe
  • netscanpro.exe
  • netspyhunter-1.2.exe
  • netutils.exe
  • nisserv.exe
  • nisum.exe
  • nmain.exe
  • nod32.exe
  • normist.exe
  • norton_internet_secu_3.0_407.exe
  • notstart.exe
  • npf40_tw_98_nt_me_2k.exe
  • npfmessenger.exe
  • nprotect.exe
  • npscheck.exe
  • npssvc.exe
  • nsched32.exe
  • nssys32.exe
  • nstask32.exe
  • nsupdate.exe
  • nt.exe
  • ntrtscan.exe
  • ntvdm.exe
  • ntxconfig.exe
  • nui.exe
  • nupgrade.exe
  • nvarch16.exe
  • nvc95.exe
  • nvsvc32.exe
  • nwinst4.exe
  • nwservice.exe
  • nwtool16.exe
  • OAcat.exe
  • OAhlp.exe
  • OAReg.exe
  • oasrv.exe
  • oaui.exe
  • oaview.exe
  • OcHealthMon.exe
  • ODSW.exe
  • ollydbg.exe
  • OLT.exe
  • onsrvr.exe
  • optimize.exe
  • ostronet.exe
  • otfix.exe
  • outpost.exe
  • outpostinstall.exe
  • outpostproinstall.exe
  • padmin.exe
  • panixk.exe
  • patch.exe
  • pavcl.exe
  • PavFnSvr.exe
  • pavproxy.exe
  • pavprsrv.exe
  • pavsched.exe
  • pavsrv51.exe
  • pavw.exe
  • pccwin98.exe
  • pcfwallicon.exe
  • pcip10117_0.exe
  • pcscan.exe
  • pctsGui.exe
  • pdsetup.exe
  • periscope.exe
  • persfw.exe
  • perswf.exe
  • pf2.exe
  • pfwadmin.exe
  • pgmonitr.exe
  • pingscan.exe
  • platin.exe
  • pop3trap.exe
  • poproxy.exe
  • popscan.exe
  • portdetective.exe
  • portmonitor.exe
  • powerscan.exe
  • ppinupdt.exe
  • pptbc.exe
  • ppvstop.exe
  • prizesurfer.exe
  • prmt.exe
  • prmvr.exe
  • procdump.exe
  • processmonitor.exe
  • procexplorerv1.0.exe
  • programauditor.exe
  • proport.exe
  • protectx.exe
  • PSANCU.exe
  • PSANHost.exe
  • PSANToManager.exe
  • PsCtrls.exe
  • PsImSvc.exe
  • PskSvc.exe
  • pspf.exe
  • PSUNMain.exe
  • purge.exe
  • qconsole.exe
  • qserver.exe
  • rapapp.exe
  • rav7.exe
  • rav7win.exe
  • rav8win32eng.exe
  • ray.exe
  • rb32.exe
  • rcsync.exe
  • realmon.exe
  • reged.exe
  • regedt32.exe
  • rescue.exe
  • rescue32.exe
  • rrguard.exe
  • rscdwld.exe
  • rshell.exe
  • rtvscan.exe
  • rtvscn95.exe
  • rulaunch.exe
  • safeweb.exe
  • sahagent.exe
  • Save.exe
  • savenow.exe
  • sbserv.exe
  • sc.exe
  • scam32.exe
  • scan32.exe
  • scan95.exe
  • scanpm.exe
  • scrscan.exe
  • seccenter.exe
  • serv95.exe
  • setloadorder.exe
  • setup_flowprotector_us.exe
  • setupvameeval.exe
  • sgssfw32.exe
  • sh.exe
  • shellspyinstall.exe
  • shield.exe
  • shn.exe
  • showbehind.exe
  • signcheck.exe
  • smc.exe
  • sms.exe
  • smss32.exe
  • snetcfg.exe
  • soap.exe
  • sofi.exe
  • sperm.exe
  • spf.exe
  • sphinx.exe
  • spoler.exe
  • spoolcv.exe
  • spoolsv32.exe
  • spyxx.exe
  • srexe.exe
  • srng.exe
  • ss3edit.exe
  • ssg_4104.exe
  • ssgrate.exe
  • st2.exe
  • start.exe
  • stcloader.exe
  • supftrl.exe
  • support.exe
  • supporter5.exe
  • svc.exe
  • svchostc.exe
  • svchosts.exe
  • svshost.exe
  • sweep95.exe
  • sweepnet.sweepsrv.sys.swnetsup.exe
  • symlcsvc.exe
  • symproxysvc.exe
  • symtray.exe
  • system.exe
  • system32.exe
  • sysupd.exe
  • taskmgr.exe
  • taumon.exe
  • tbscan.exe
  • tc.exe
  • tca.exe
  • tcm.exe
  • tds-3.exe
  • tds2-98.exe
  • tds2-nt.exe
  • teekids.exe
  • tfak.exe
  • tfak5.exe
  • tgbob.exe
  • titanin.exe
  • titaninxp.exe
  • TPSrv.exe
  • trickler.exe
  • trjscan.exe
  • trjsetup.exe
  • trojantrap3.exe
  • tsadbot.exe
  • tvmd.exe
  • tvtmd.exe
  • uiscan.exe
  • undoboot.exe
  • updat.exe
  • upgrad.exe
  • upgrepl.exe
  • utpost.exe
  • vbcmserv.exe
  • vbcons.exe
  • vbust.exe
  • vbwin9x.exe
  • vbwinntw.exe
  • vcsetup.exe
  • vet32.exe
  • vet95.exe
  • vettray.exe
  • vfsetup.exe
  • vir-help.exe
  • virusmdpersonalfirewall.exe
  • VisthAux.exe
  • VisthLic.exe
  • VisthUpd.exe
  • vnlan300.exe
  • vnpc3000.exe
  • vpc32.exe
  • vpc42.exe
  • vpfw30s.exe
  • vptray.exe
  • vscan40.exe
  • vscenu6.02d30.exe
  • vsched.exe
  • vsecomr.exe
  • vshwin32.exe
  • vsisetup.exe
  • vsmain.exe
  • vsmon.exe
  • vsserv.exe
  • vsstat.exe
  • vswin9xe.exe
  • vswinntse.exe
  • vswinperse.exe
  • w32dsm89.exe
  • w9x.exe
  • watchdog.exe
  • webdav.exe
  • WebProxy.exe
  • webscanx.exe
  • webtrap.exe
  • wfindv32.exe
  • whoswatchingme.exe
  • wimmun32.exe
  • win-bugsfix.exe
  • win32.exe
  • win32us.exe
  • winactive.exe
  • window.exe
  • windows.exe
  • wininetd.exe
  • wininitx.exe
  • winlogin.exe
  • winmain.exe
  • winppr32.exe
  • winrecon.exe
  • winservn.exe
  • winss.exe
  • winssk32.exe
  • winssnotify.exe
  • WinSSUI.exe
  • winstart.exe
  • winstart001.exe
  • wintsk32.exe
  • winupdate.exe
  • wkufind.exe
  • wnad.exe
  • wnt.exe
  • wradmin.exe
  • wrctrl.exe
  • wsbgate.exe
  • wscfxas.exe
  • wscfxav.exe
  • wscfxfw.exe
  • wsctool.exe
  • wupdater.exe
  • wupdt.exe
  • wyvernworksfirewall.exe
  • xpf202en.exe
  • zapro.exe
  • zapsetup3001.exe
  • zatutor.exe
  • zonalm2601.exe
  • zonealarm.exe

It also does the same for the following files used by other rogue antivirus software:

  • AdwarePrj.exe
  • agent.exe
  • AlphaAV
  • AlphaAV.exe
  • Anti-Virus Professional.exe
  • AntispywarXP2009.exe
  • AntiVirus_Pro.exe
  • AntivirusPlus
  • AntivirusPlus.exe
  • AntivirusPro_2010.exe
  • AntivirusXP
  • AntivirusXP.exe
  • antivirusxppro2009.exe
  • av360.exe
  • AVCare.exe
  • brastk.exe
  • Cl.exe
  • csc.exe
  • dop.exe
  • frmwrk32.exe
  • gav.exe
  • gbn976rl.exe
  • homeav2010.exe
  • init32.exe
  • MalwareRemoval.exe
  • ozn695m5.exe
  • pav.exe
  • pc.exe
  • PC_Antispyware2010.exe
  • pctsAuxs.exe
  • pctsGui.exe
  • pctsSvc.exe
  • pctsTray.exe
  • pdfndr.exe
  • PerAvir.exe
  • personalguard
  • personalguard.exe
  • protector.exe
  • qh.exe
  • Quick Heal.exe
  • QuickHealCleaner.exe
  • rwg
  • rwg.exe
  • SafetyKeeper.exe
  • Save.exe
  • SaveArmor.exe
  • SaveDefense.exe
  • SaveKeep.exe
  • Secure Veteran.exe
  • secureveteran.exe
  • Security Center.exe
  • SecurityFighter.exe
  • securitysoldier.exe
  • smart.exe
  • smartprotector.exe
  • smrtdefp.exe
  • SoftSafeness.exe
  • spywarexpguard.exe
  • tapinstall.exe
  • TrustWarrior.exe
  • tsc.exe
  • W3asbas.exe
  • winav.exe
  • windll32.exe
  • windows Police Pro.exe
  • xp_antispyware.exe
  • xpdeluxe.exe
  • ~1.exe
  • ~2.exe
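
As an added example (mine, not code from the Microsoft entry), the PowerShell below enumerates both blocking mechanisms described above, the Explorer DisallowRun list and the Image File Execution Options entries whose "Debugger" value is svchost.exe, and can remove them. It assumes an elevated session; the function names are my own, and the svchost.exe test is deliberately narrow because legitimate Debugger entries (a real JIT debugger, for instance) do exist.

```powershell
# Added example (not code from the encyclopedia entry). Run elevated.
$Ifeo     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$Explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-IfeoDebuggerHijacks {
    # One subkey per target executable. A genuine entry points at a debugger;
    # svchost.exe as "Debugger" only serves to sinkhole the target, as described above.
    Get-ChildItem -Path $Ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = $_.GetValue('Debugger', $null)
        if ($null -ne $dbg -and "$dbg" -match '(^|\\)svchost\.exe(\s|$)') {
            [pscustomobject]@{ Target = $_.PSChildName; Debugger = "$dbg"; Key = $_.PSPath }
        }
    }
}

function Get-DisallowRunEntries {
    # DisallowRun=1 under Policies\Explorer switches the policy on; the
    # DisallowRun subkey holds the blocked file names as numbered values.
    $policy = Get-ItemProperty -Path $Explorer -Name DisallowRun -ErrorAction SilentlyContinue
    $list   = Get-Item -Path "$Explorer\DisallowRun" -ErrorAction SilentlyContinue
    if (-not $list) { return @() }
    foreach ($index in $list.GetValueNames()) {
        [pscustomobject]@{
            Index         = $index
            Blocked       = "$($list.GetValue($index))"
            PolicyEnabled = [bool]($policy -and $policy.DisallowRun -eq 1)
        }
    }
}

function Remove-FakeVimesBlocks {
    # Undo only what the two enumerators found. -WhatIf previews without changing anything.
    param([switch]$WhatIf)
    foreach ($h in Get-IfeoDebuggerHijacks) {
        Remove-ItemProperty -Path $h.Key -Name Debugger -WhatIf:$WhatIf
    }
    if (Test-Path -Path "$Explorer\DisallowRun") {
        Remove-Item -Path "$Explorer\DisallowRun" -Recurse -WhatIf:$WhatIf
        Remove-ItemProperty -Path $Explorer -Name DisallowRun -ErrorAction SilentlyContinue -WhatIf:$WhatIf
    }
}

Get-IfeoDebuggerHijacks | Format-Table -AutoSize
Get-DisallowRunEntries  | Format-Table -AutoSize
Remove-FakeVimesBlocks -WhatIf    # drop -WhatIf to remediate after reviewing the output
```

Removing the Debugger values restores launch of the blocked programs, but the rogue binary, its Run entry and the other settings described in this entry still need to be cleaned separately.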

Modifies browser settings

Best Antivirus Software modifies the affected computer's browser settings by making the following changes to the registry:

In subkey: HKCU\Software\Microsoft\Internet Explorer
Sets value: "IIL"
With data: "0"
Sets value: "ltHI"
With Data: "0"
Sets value: "ltTST"
With Data: <five digit number> (for example, 20212)

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "UID"
With data: <four digit identifier> (for example, 8068)

It also creates registry entries similar to the following, which add additional information to the string that a web browser uses to identify itself when connecting to a website:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
Sets value: <12 digit number> (for example, 786905932603)
With data: ""

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
Sets value: "ver:2.0<four digit identifier>" (for example, ver:2.08068)
With data: ""

Analysis by David Wood


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:

    %common_appdata%\54fd6\BAS.ico
    %common_appdata%\54fd6\BA3b8_8068.exe
    %desktopdir%\Best Antivirus Software.lnk
    %programs%\Best Antivirus Software.lnk
    %appdata%\Microsoft\Internet Explorer\Quick Launch\Best Antivirus Software.lnk


  • The presence of the following registry modifications:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Best Antivirus Software"
    With data: "<location of malware>" /s /d (for example, "%common_appdata%\54fd6\BA3b8_8068.exe" /s /d)

    In subkey: HKCU\Software\Microsoft\Internet Explorer
    Sets value: "PRS"
    With data: "hxxp://127.0.0.1:27777/?inj=%ORIGINAL%"

    In subkey: HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes
    Sets value: "URL"
    With data: "hxxp://findgala.com/?&uid=8068&q={searchTerms}"

    In subkey: HKCU\Software\Microsoft\Internet Explorer\Download
    Sets value: "CheckExeSignatures"
    With data: "no"
    Sets value: "RunInvalidSignatures"
    With data: "1"

    In subkey: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    Sets value: "<location of malware>"
    With Data: "<location of malware>:*:Enabled:<Product Name>"

    In subkey: HKLM\System\CurrentControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    Sets value: <location of malware>
    With Data: "<location of malware>:*:Enabled:<Product Name>"

    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    Modifies value: "ConsentPromptBehaviorAdmin"
    Modifies value: "ConsentPromptBehaviorUser"
    Modifies value: "EnableLUA"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    Sets value: "DisallowRun"
    With data: "1"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
    Sets value: "0"
    With data: "msseces.exe"
    Sets value: "1"
    With data: "MSASCui.exe"
    Sets value: "2"
    With data: "ekrn.exe"
    Sets value: "3"
    With data: "egui.exe"
    Sets value: "4"
    With data: "avgnt.exe"
    Sets value: "5"
    With data: "avcenter.exe"
    Sets value: "6"
    With data: "avscan.exe"
    Sets value: "7"
    With data: "avgfrw.exe"
    Sets value: "8"
    With data: "avgui.exe"
    Sets value: "9"
    With data: "avgtray.exe"
    Sets value: "10"
    With data: "avgscanx.exe"
    Sets value: "11"
    With data: "avgcfgex.exe"
    Sets value: "12"
    With data: "avgemc.exe"
    Sets value: "13"
    With data: "avgchsvx.exe"
    Sets value: "14"
    With data: "avgcmgr.exe"
    Sets value: "15"
    With data: "avgwdsvc.exe"

    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<file name of blocked program>
    Sets value: "Debugger"
    With data: "svchost.exe"

  • The display of fake scanner results; see the Technical Analysis for examples of these images.

Prevention

Take the following steps to help prevent infection on your computer:
  • Enable a firewall on your computer.
  • Get the latest computer updates for all your installed software.
  • Use up-to-date antivirus software.
  • Limit user privileges on the computer.
  • Use caution when opening attachments and accepting file transfers.
  • Use caution when clicking on links to webpages.
  • Avoid downloading pirated software.
  • Protect yourself against social engineering attacks.
  • Use strong passwords.

Enable a firewall on your computer

Use a third-party firewall product or turn on the Microsoft Windows Internet Connection Firewall.

Get the latest computer updates

Updates help protect your computer from viruses, worms, and other threats as they are discovered. It is important to install updates for all the software that is installed on your computer. These are usually available from vendor websites. Instructions on how to download the latest versions of some common software are available from the following:

You can use the Automatic Updates feature in Windows to automatically download future Microsoft security updates while your computer is on and connected to the Internet.

Use up-to-date antivirus software

Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software, such as Microsoft Security Essentials, that is updated with the latest signature files. For more information, see 'Consumer security software providers'.

Limit user privileges on the computer

Starting with Windows Vista and Windows 7, Microsoft introduced User Account Control (UAC), which, when enabled, allows users to run with least user privileges. This limits the possibility of attacks by malware and other threats that require administrative privileges to run.

You can configure UAC on your computer to meet your preferences:

Use caution when opening attachments and accepting file transfers

Exercise caution with email and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.

Use caution when clicking on links to webpages

Exercise caution with links to webpages that you receive from unknown sources, especially if the links are to a webpage that you are not familiar with, unsure of the destination of, or suspicious of. Malicious software may be installed on your computer simply by visiting a webpage with harmful content.

Avoid downloading pirated software

Threats may also be bundled with software and files that are available for download on various torrent sites. Downloading "cracked" or "pirated" software from these sites carries not only the risk of being infected with malware, but is also illegal. For more information, see 'The risks of obtaining and using pirated software'.

Protect yourself from social engineering attacks

While attackers may attempt to exploit vulnerabilities in hardware or software to compromise a computer, they also attempt to exploit vulnerabilities in human behavior to do the same. When an attacker attempts to take advantage of human behavior to persuade the affected user to perform an action of the attacker's choice, it is known as 'social engineering'. Essentially, social engineering is an attack against the human interface of the targeted computer.

Use strong passwords

Attackers may try to gain access to your Windows account by guessing your password. It is therefore important that you use a strong password – one that cannot be easily guessed by an attacker. A strong password is one that has at least eight characters, and combines letters, numbers, and symbols. For more information, see 'Create strong passwords'.


Alert level: Severe
This entry was first published on: Jul 20, 2012
This entry was updated on: Jul 27, 2012

This threat is also detected as:
No known aliases