Trojan:Win32/Antivirusxp


Win32/Antivirusxp is a rogue security program that displays misleading alerts regarding computer problems or falsely reports detections of malicious files on the affected machine in order to convince users to purchase rogue security software.
Special Note:
Reports of rogue antivirus programs have been more prevalent as of late. These are programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software. Some of these programs, such as this threat and Program:Win32/FakeRednefed, may display product names or logos in an apparently unlawful attempt to impersonate Microsoft products. These products may represent themselves as “Antivirus XP”, “AntivirusXP 2008”, “WinDefender 2008”, “XP Antivirus”, or similar.
 
Use Microsoft Windows Defender, the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742), or another up-to-date scanning and removal tool to detect and remove these threats and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.


What to do now

To detect and remove this threat and other malicious software that may be installed in your computer, run a full-system scan with an up-to-date antivirus product such as the following:
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Win32/Antivirusxp is a rogue security program that displays misleading alerts regarding computer problems or falsely reports detections of malicious files on the affected machine in order to convince users to purchase rogue security software.
Installation
The program is installable from the developer's Web site or by social engineering from third-party Web sites. During installation, Win32/Antivirusxp creates the following folders:
 
%APPDATA%\<random folder name>, for example %APPDATA%\rhcjdvj0e163
%APPDATA%\rhcjdvj0e163\quarantine\browserobjects
%APPDATA%\rhcjdvj0e163\quarantine\packages
%APPDATA%\rhcjdvj0e163\quarantine\autorun\hkcu\runonce
%APPDATA%\rhcjdvj0e163\quarantine\autorun\hklm\runonce
%APPDATA%\rhcjdvj0e163\quarantine\autorun\startmenuallusers
%APPDATA%\rhcjdvj0e163\quarantine\autorun\startmenucurrentuser
%ProgramFiles%\rhcjdvj0e163
%USERPROFILE%\Start Menu\Programs\Antivirus xp 2008
 
The installer may create the following files:
%ProgramFiles%\rhcjdvj0e163\<random file name>.exe, for example "rhcjdvj0e163.exe"
%ProgramFiles%\rhcjdvj0e163\uninstall.exe
%USERPROFILE%\Start Menu\Programs\Antivirus xp 2008\register antivirus xp 2008.lnk
%USERPROFILE%\Start Menu\Programs\Antivirus xp 2008\how to register antivirus xp 2008.lnk
%USERPROFILE%\Start Menu\Programs\Antivirus xp 2008\antivirus xp 2008.lnk
%USERPROFILE%\Start Menu\Programs\Antivirus xp 2008\uninstall.lnk
 
The main executable for Win32/Antivirusxp drops another file with a random name which displays a false alert that the system is infected. The alert also promotes the rogue scanner as the way to remove the fictional threats.
 
The registry is modified with the addition of numerous values and data. The subkeys or data values listed below as "rhcjdvj0e163" are randomly generated and may differ from installation to installation.
 
Adds value: "RegistrationUrl"
With data: "<rogue scanner domain.com/buy>"
To subkey: HKLM\Software\rhcjdvj0e163
 
Adds value: "SMrhcjdvj0e163"
With data: "%ProgramFiles%\rhcjdvj0e163\rhcjdvj0e163.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 
Adds value: "DisplayName"
With data: "antivirxp08"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\rhcjdvj0e163
 
Adds value: "LastTimeStamp"
With data: "÷"
To subkey: HKLM\Software\rhcjdvj0e163
 
Adds value: "AntivirXP08"
With data: "antivirxp08"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
 
After installation, the following changes may be noticed or observed:

  • A system tray icon is added.
  • An application shortcut named Antivirus XP 2008 is created on the desktop.
  • Random and frequent false alerts of threats appear from the system tray as pop-up balloons.
  • Warning messages are displayed when the program is run or the alert is clicked.
  • If the user proceeds with removal, a “registration” window is presented.
  • Win32/Antivirusxp may display an imitation "Security Center".

 
Additional Information
Win32/Antivirusxp may modify registry data regarding display properties, as in the following examples:
 
Modifies value: NoDispScrSavPage
With data: 1
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
 
This will hide the "Screen Saver" tab from the Display applet in Control Panel, or when viewing desktop properties.
 
Modifies value: NoDispBackgroundPage
With data: 1
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
 
This will remove the "Background" tab from the Display applet in Control Panel, or when viewing desktop properties. These values may appear unmodified due to group policy configurations within a business or public usage environment.
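As an added example that is not part of the Microsoft entry, the following Python script checks an offline host snapshot for the indicators listed in the Installation and Additional Information sections above: a Run value named SM<name> that launches %ProgramFiles%\<name>\<name>.exe, an Uninstall entry whose DisplayName is antivirxp08, the AntivirXP08 value under User Agent\Post Platform, an %APPDATA%\<name>\quarantine tree correlated with a %ProgramFiles% folder of the same random name, the "Antivirus xp 2008" Start Menu folder, and the two display-policy values, which are weighted lower because, as the entry notes, group policy can set them legitimately. The snapshot format (tuples of subkey, value name and data, plus paths written in the environment-variable form used in the entry), the function names and the sample data are this example's own assumptions, not any tool's export format.

```python
"""Offline check of a host snapshot for Win32/Antivirusxp indicators.

The snapshot layout (registry tuples and environment-variable style paths) is an
assumption of this example; adapt the loaders to whatever inventory you export.
"""
import re

# Constant strings the encyclopedia entry lists verbatim (compared case-insensitively).
DISPLAY_NAME = "antivirxp08"            # Uninstall\<random>\DisplayName
POST_PLATFORM_VALUE = "antivirxp08"     # value name "AntivirXP08" under Post Platform
START_MENU_FOLDER = r"\start menu\programs\antivirus xp 2008"

RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
UNINSTALL_PREFIX = r"hklm\software\microsoft\windows\currentversion\uninstall" + "\\"
POST_PLATFORM_KEY = (r"hklm\software\microsoft\windows\currentversion"
                     r"\internet settings\user agent\post platform")

# Display-policy values the entry says are set to 1; legitimately set by group policy
# in some environments, so they count as weak evidence only.
DISPLAY_POLICY_VALUES = {
    (r"hklm\software\microsoft\windows\currentversion\policies\activedesktop", "nodispscrsavpage"),
    (r"hkcu\software\microsoft\windows\currentversion\policies\system", "nodispbackgroundpage"),
}

# Structural patterns: the random folder name must repeat in the expected places.
RUN_DATA_RE = re.compile(r"%programfiles%\\([^\\]+)\\([^\\]+)\.exe")
QUARANTINE_RE = re.compile(r"%appdata%\\([^\\]+)\\quarantine(?:\\|$)")
PROGRAMFILES_RE = re.compile(r"%programfiles%\\([^\\]+)(?:\\|$)")


def _norm(s):
    """Lower-case and strip surrounding quotes so comparisons are case-insensitive."""
    return s.strip().strip('"').lower()


def check_registry(values):
    """values: iterable of (subkey, value_name, data). Returns [(indicator, detail), ...]."""
    hits = []
    for subkey, name, data in values:
        k, n, d = _norm(subkey), _norm(name), _norm(data)
        # Run value "SM<folder>" whose data is %ProgramFiles%\<folder>\<folder>.exe
        if k == RUN_KEY and n.startswith("sm"):
            folder = n[2:]
            m = RUN_DATA_RE.fullmatch(d)
            if m and m.group(1) == folder and m.group(2) == folder:
                hits.append(("run-key autostart", f"{name} -> {data}"))
        if k.startswith(UNINSTALL_PREFIX) and n == "displayname" and d == DISPLAY_NAME:
            hits.append(("uninstall entry", subkey))
        if k == POST_PLATFORM_KEY and n == POST_PLATFORM_VALUE:
            hits.append(("user-agent post platform", name))
        if (k, n) in DISPLAY_POLICY_VALUES and d == "1":
            hits.append(("display policy (weak: verify against group policy)", f"{subkey}\\{name}"))
    return hits


def check_paths(paths):
    """paths: iterable of file/folder paths in %VAR% form. Returns [(indicator, detail), ...]."""
    norm = [_norm(p) for p in paths]
    hits = []
    staging_folders = set()   # random names seen under %APPDATA%\<name>\quarantine
    for p in norm:
        m = QUARANTINE_RE.match(p)
        if m:
            staging_folders.add(m.group(1))
            hits.append(("appdata quarantine tree", p))
        if START_MENU_FOLDER in p:
            hits.append(("start menu shortcut folder", p))
    # Correlate: a %ProgramFiles%\<name> folder matching the %APPDATA% staging folder.
    for p in norm:
        m = PROGRAMFILES_RE.match(p)
        if m and m.group(1) in staging_folders:
            hits.append(("programfiles install folder", p))
    return hits


def scan(registry_values, paths):
    """Combine both checks; display-policy hits alone never trigger a verdict."""
    hits = check_registry(registry_values) + check_paths(paths)
    strong = [h for h in hits if not h[0].startswith("display policy")]
    return {"hits": hits, "strong_count": len(strong), "likely_infected": len(strong) >= 2}


# Constructed sample snapshot mirroring the entry's examples, plus benign entries.
SAMPLE_REGISTRY = [
    (r"HKLM\Software\rhcjdvj0e163", "RegistrationUrl", "<rogue scanner domain.com/buy>"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SMrhcjdvj0e163",
     r"%ProgramFiles%\rhcjdvj0e163\rhcjdvj0e163.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon",
     r"%SystemRoot%\system32\ctfmon.exe"),                       # benign autostart
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\rhcjdvj0e163", "DisplayName", "antivirxp08"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform",
     "AntivirXP08", "antivirxp08"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop", "NoDispScrSavPage", "1"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "NoDispBackgroundPage", "1"),
]
SAMPLE_PATHS = [
    r"%APPDATA%\rhcjdvj0e163",
    r"%APPDATA%\rhcjdvj0e163\quarantine\autorun\hklm\runonce",
    r"%ProgramFiles%\rhcjdvj0e163\rhcjdvj0e163.exe",
    r"%ProgramFiles%\rhcjdvj0e163\uninstall.exe",
    r"%USERPROFILE%\Start Menu\Programs\Antivirus xp 2008\antivirus xp 2008.lnk",
    r"%ProgramFiles%\Internet Explorer\iexplore.exe",              # benign
]

if __name__ == "__main__":
    result = scan(SAMPLE_REGISTRY, SAMPLE_PATHS)
    for indicator, detail in result["hits"]:
        print(f"{indicator:45s} {detail}")
    print("likely infected:", result["likely_infected"])
```

The structural Run-key check matters more than the literal name: the entry states that "rhcjdvj0e163" is randomly generated per installation, so only the repetition of one random name across the Run value, the %ProgramFiles% folder and the %APPDATA% quarantine tree is stable enough to match on.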
 
Analysis by Subratam Biswas

Symptoms

System Changes
The following system changes may indicate the presence of Win32/Antivirusxp:
  • At Windows start, or when executing the "Antivirus XP 2008" program shortcut, the following application window may be displayed:


  • Presence of the following files and folders:
    %USERPROFILE%\Start Menu\Programs\Antivirus xp 2008\register antivirus xp 2008.lnk
    %USERPROFILE%\Start Menu\Programs\Antivirus xp 2008\how to register antivirus xp 2008.lnk
    %USERPROFILE%\Start Menu\Programs\Antivirus xp 2008\antivirus xp 2008.lnk
    %USERPROFILE%\Start Menu\Programs\Antivirus xp 2008\uninstall.lnk


Alert level: High
First detected by definition: 1.45.287.0
Latest detected by definition: 1.203.1472.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Aug 09, 2008
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Antivirus XP 2008 (other)
  • Win32/Adware.WinFixer (ESET)
  • Generic FakeAlert.a (McAfee)
  • W32/WinFixer.BTB (Norman)
  • Troj/FakeAV-AB (Sophos)
  • AntiVirus2008 (Symantec)
  • Program:Win32/Antivirusxp (other)