Win32/Antivirusxp is a rogue security program that displays misleading alerts regarding computer problems or falsely reports detections of malicious files on the affected machine in order to convince users to purchase rogue security software.
Special Note:
Reports of rogue Antivirus programs have been more prevalent as of late. These are programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software. Some of these programs, such as this threat and
Program:Win32/FakeRednefed, may display product names or logos in an apparently unlawful attempt to impersonate Microsoft products. These products may represent themselves as “Antivirus XP”, “AntivirusXP 2008”, “WinDefender 2008”, “XP Antivirus”, or similar.
System Changes
The following system changes may indicate the presence of Win32/Antivirusxp:
Installation
The program is installable from the developer's Web site or by social engineering from third-party Web sites. During installation, Win32/Antivirusxp creates the following folders:
%APPDATA%\<random folder name>, for example %APPDATA%\rhcjdvj0e163
%APPDATA%\rhcjdvj0e163\quarantine\browserobjects
%APPDATA%\rhcjdvj0e163\quarantine\packages
%APPDATA%\rhcjdvj0e163\quarantine\autorun\hkcu\runonce
%APPDATA%\rhcjdvj0e163\quarantine\autorun\hklm\runonce
%APPDATA%\rhcjdvj0e163\quarantine\autorun\startmenuallusers
%APPDATA%\rhcjdvj0e163\quarantine\autorun\startmenucurrentuser
%ProgramFiles%\rhcjdvj0e163
%USERPROFILE%\Start Menu\Programs\Antivirus xp 2008
The installer may create the following files:
%ProgramFiles%\rhcjdvj0e163\<random file name>.exe, for example "rhcjdvj0e163.exe"
%ProgramFiles%\rhcjdvj0e163\uninstall.exe
%USERPROFILE%\Start Menu\Programs\Antivirus xp 2008\register antivirus xp 2008.lnk
%USERPROFILE%\Start Menu\Programs\Antivirus xp 2008\how to register antivirus xp 2008.lnk
%USERPROFILE%\Start Menu\Programs\Antivirus xp 2008\antivirus xp 2008.lnk
%USERPROFILE%\Start Menu\Programs\Antivirus xp 2008\uninstall.lnk
The main executable for Win32/Antivirusxp drops another file with a random name which displays a false alert that the system is infected. The alert also promotes the rogue scanner as the way to remove the fictional threats.
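The folder and file layout above is the practical detection signal: the name is random, so a fixed string cannot be matched, but the same name recurs under %APPDATA%, under %ProgramFiles% (as both folder and executable name) and alongside the fixed "Antivirus xp 2008" Start Menu folder. The following script is added here as an example and is not part of the original analysis; it correlates that name across a constructed `dir /s /b`-style listing. The drive letter, the user name "user", the XP-era environment-variable expansions and the assumed shape of the random name (8 to 16 lowercase alphanumerics, modelled on the page's example) are assumptions made for the sample.

```python
import re
from collections import defaultdict

# Constructed listing in the style of `dir /s /b` output for the locations the
# page names. The token rhcjdvj0e163 is the page's example; the other entries are
# benign decoys. Nothing here was taken from a real machine.
SAMPLE_LISTING = r"""
C:\Documents and Settings\user\Application Data\Microsoft\Internet Explorer\Quick Launch
C:\Documents and Settings\user\Application Data\rhcjdvj0e163\quarantine\browserobjects
C:\Documents and Settings\user\Application Data\rhcjdvj0e163\quarantine\packages
C:\Documents and Settings\user\Application Data\rhcjdvj0e163\quarantine\autorun\hkcu\runonce
C:\Documents and Settings\user\Application Data\rhcjdvj0e163\quarantine\autorun\hklm\runonce
C:\Program Files\Common Files\Microsoft Shared
C:\Program Files\rhcjdvj0e163\rhcjdvj0e163.exe
C:\Program Files\rhcjdvj0e163\uninstall.exe
C:\Documents and Settings\user\Start Menu\Programs\Antivirus xp 2008\antivirus xp 2008.lnk
C:\Documents and Settings\user\Start Menu\Programs\Accessories\Calculator.lnk
"""

# Assumed XP-era expansions for the environment variables the page uses.
ENV = {
    "%APPDATA%": r"C:\Documents and Settings\user\Application Data",
    "%ProgramFiles%": r"C:\Program Files",
    "%USERPROFILE%": r"C:\Documents and Settings\user",
}
# Assumed shape of the random name; the page's example is 12 lowercase alphanumerics.
RANDOM_NAME = re.compile(r"^[a-z0-9]{8,16}$")


def find_antivirusxp_layout(listing, env=ENV):
    """Return {token: set(indicators)} for every random-named folder whose name
    recurs in the layout the page describes. Paths are compared case-insensitively,
    as NTFS does."""
    paths = {p.strip().lower() for p in listing.splitlines() if p.strip()}
    appdata = env["%APPDATA%"].lower() + "\\"
    progfiles = env["%ProgramFiles%"].lower() + "\\"
    startmenu = (env["%USERPROFILE%"] + r"\Start Menu\Programs\Antivirus xp 2008").lower()
    found = defaultdict(set)
    for p in paths:
        # %APPDATA%\<token>\quarantine\autorun\... tree
        if p.startswith(appdata):
            token = p[len(appdata):].split("\\")[0]
            if RANDOM_NAME.match(token) and p.startswith(appdata + token + "\\quarantine\\autorun\\"):
                found[token].add("%APPDATA%\\<token>\\quarantine\\autorun tree")
        # %ProgramFiles%\<token>\<token>.exe, folder and executable sharing the name
        if p.startswith(progfiles):
            token = p[len(progfiles):].split("\\")[0]
            if RANDOM_NAME.match(token) and p == progfiles + token + "\\" + token + ".exe":
                found[token].add("%ProgramFiles%\\<token>\\<token>.exe")
    # The Start Menu folder has a fixed name, so it only corroborates a token found above.
    if any(p.startswith(startmenu) for p in paths):
        for token in found:
            found[token].add("Start Menu\\Programs\\Antivirus xp 2008")
    # A random-looking folder name in one place is not enough; require corroboration.
    return {t: s for t, s in found.items() if len(s) >= 2}


if __name__ == "__main__":
    for token, indicators in find_antivirusxp_layout(SAMPLE_LISTING).items():
        print(token)
        for i in sorted(indicators):
            print("  -", i)
```

Feed it the output of `dir /s /b` for the three locations from a suspect machine and adjust ENV to that machine's paths; the benign "Microsoft" folder under %APPDATA% in the sample matches the name shape but not the layout, which is why the layout check, not the name alone, decides.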
The registry is modified with the addition of numerous values and data. The subkeys or data values listed below as "rhcjdvj0e163" are randomly generated and may differ from installation to installation.
Adds value: "RegistrationUrl"
With data: "<rogue scanner domain.com/buy>"
To subkey: HKLM\Software\rhcjdvj0e163
Adds value: "SMrhcjdvj0e163"
With data: "%ProgramFiles%\rhcjdvj0e163\rhcjdvj0e163.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "DisplayName"
With data: "antivirxp08"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\rhcjdvj0e163
Adds value: "LastTimeStamp"
With data: "÷"
To subkey: HKLM\Software\rhcjdvj0e163
Adds value: "AntivirXP08"
With data: "antivirxp08"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
After installation, the following changes may be noticed or observed:
- A new System tray icon.
- An application shortcut named "Antivirus XP 2008" created on the desktop.
- Random and frequent false alerts of threats, shown as pop-up balloons from the System tray.
- Alert messages displayed when the program is run or an alert balloon is clicked.
- If the user proceeds with removal, a "registration" window is presented.
- Win32/Antivirusxp may display an imitation "Security Center".
Additional Information
Win32/Antivirusxp may modify registry data regarding display properties, as in the following examples:
Modifies value: NoDispScrSavPage
With data: 1
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
This will hide the "Screen Saver" tab from the Display applet in Control Panel, or when viewing desktop properties.
Modifies value: NoDispBackgroundPage
With data: 1
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
This will remove the "Background" tab from the Display applet in Control Panel, or when viewing desktop properties. In business or public-use environments Group Policy may already set these values, so the change may not be noticeable there and the values alone are not a reliable indicator.
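The registry values listed under Installation and the display-policy values just above are best checked together, because the random name ties the Run value, the Uninstall entry and the HKLM\Software\<name> key to one installation, while the policy values only corroborate. The following script is added here as an example and is not part of the original analysis: it parses a constructed `reg export` fragment containing the page's values and reports which indicators corroborate each SM<random> Run entry. The RegistrationUrl host is a placeholder because the page elides the real domain, the ctfmon.exe Run value is a benign decoy, and the shape of the random name is an assumption modelled on the page's example.

```python
import re

# Constructed sample in the format produced by `reg export`. The random name
# rhcjdvj0e163, the value names and the policy values are those listed on the
# page; the RegistrationUrl host is a placeholder because the page elides the
# real domain. The ctfmon.exe Run value is a benign decoy that must be ignored.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\rhcjdvj0e163]
"RegistrationUrl"="http://rogue-scanner.invalid/buy"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SMrhcjdvj0e163"="C:\\Program Files\\rhcjdvj0e163\\rhcjdvj0e163.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\rhcjdvj0e163]
"DisplayName"="antivirxp08"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"AntivirXP08"="antivirxp08"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoDispScrSavPage"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000001
"""

HIVE_ABBREV = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
# Assumed shape of the random name; the page's example is 12 lowercase alphanumerics.
RANDOM_NAME = re.compile(r"^[a-z0-9]{8,16}$")
RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
UNINSTALL = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall"
POST_PLATFORM = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform"
POLICY_ACTIVEDESKTOP = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop"
POLICY_SYSTEM = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"


def unescape(s):
    """Undo .reg escaping (\\\\ for a backslash, \\" for a quote)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}}. Key paths are
    rewritten to the HKLM\\... / HKCU\\... form the page uses and lower-cased,
    since registry paths are case-insensitive. Only REG_SZ and REG_DWORD data
    are decoded, which covers every indicator on the page."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            current = (HIVE_ABBREV.get(hive, hive) + "\\" + rest).lower()
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if not m:
                continue
            name, raw = unescape(m.group(1)), m.group(2)
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
                keys[current][name] = unescape(raw[1:-1])
            else:
                keys[current][name] = raw
    return keys


def value(keys, key_path, name):
    """Case-insensitive lookup of one value; None if the key or value is absent."""
    for n, d in keys.get(key_path.lower(), {}).items():
        if n.lower() == name.lower():
            return d
    return None


def find_antivirusxp(keys):
    """Map each SM<random> Run entry to the page's indicators that corroborate it."""
    results = {}
    for name, data in keys.get(RUN.lower(), {}).items():
        token = name[2:]
        if not (name.startswith("SM") and RANDOM_NAME.match(token)):
            continue
        hits = []
        # Persistence value SM<token> launching %ProgramFiles%\<token>\<token>.exe
        if isinstance(data, str) and data.lower().endswith("\\%s\\%s.exe" % (token, token)):
            hits.append("Run value launches <token>\\<token>.exe")
        if str(value(keys, UNINSTALL + "\\" + token, "DisplayName")).lower() == "antivirxp08":
            hits.append("Uninstall DisplayName antivirxp08")
        if value(keys, "HKLM\\Software\\" + token, "RegistrationUrl") is not None:
            hits.append("RegistrationUrl under HKLM\\Software\\<token>")
        if value(keys, POST_PLATFORM, "AntivirXP08") is not None:
            hits.append("User-Agent Post Platform token AntivirXP08")
        # Display-applet policies corroborate only: Group Policy may set them legitimately.
        if value(keys, POLICY_ACTIVEDESKTOP, "NoDispScrSavPage") == 1:
            hits.append("NoDispScrSavPage=1 (weak)")
        if value(keys, POLICY_SYSTEM, "NoDispBackgroundPage") == 1:
            hits.append("NoDispBackgroundPage=1 (weak)")
        if hits:
            results[token] = hits
    return results


if __name__ == "__main__":
    for token, hits in find_antivirusxp(parse_reg_export(SAMPLE_REG_EXPORT)).items():
        print("%s: %d indicators" % (token, len(hits)))
        for hit in hits:
            print("  -", hit)
```

On a suspect machine, export the relevant keys with `reg export` and pass the file contents to parse_reg_export; the Run value is the anchor because its name embeds the random token, and everything else is looked up relative to that token rather than to any fixed string.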
Analysis by Subratam Biswas