Win32/InternetAntivirus can have the following brands:
Internet Antivirus Pro
Win32/InternetAntivirus is usually installed by a downloader with the file name install.exe. When run, this file downloads the following two files to your PC:
The installer then runs both of these files. It runs InternetAntivirusPro.exe with command line options to enable it to be silently installed.
Win32/InternetAntivirus might create the following files:
It creates this registry entry to run the fake scanner each time Windows starts:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Internet Antivirus Pro"
With data: "%ProgramFiles%\Internet Antivirus Pro\IAPro.exe"
Displays misleading messages and fake scanning results
These are examples of the fake interface, alerts, and scanning results that this threat might display as Internet Antivirus Pro:
Installs additional malware
Win32/InternetAntivirus copies a component to a variable location using a variable file name, for example:
This component might be detected as TrojanDownloader:Win32/FakeIA.A. It creates another registry entry so that it runs every time Windows starts:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "<file name of malware without extension>" (for example, "byoroutand")
With data: "<full path of malware>" (for example, "<system folder>\Microsoft\Protect\S-1-5-18\byoroutand.exe")
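The two registry autostart locations described above (the Run value for IAPro.exe and the Policies\Explorer\Run value for the randomly named downloader component) are the concrete artifacts a responder can check for. The following PowerShell function is an added example, not part of the Microsoft encyclopedia entry: it enumerates both keys for the current user and flags entries that match the indicators given in this write-up. The function name Find-InternetAntivirusAutostart is an assumption of this example; the value name, the IAPro.exe path and the Microsoft\Protect\S-1-5-18 path come from the text above.

```powershell
# Added example (not from the encyclopedia entry): enumerate the two autostart
# keys named in the write-up and flag entries that match its indicators.
# The function name is an assumption of this example.
function Find-InternetAntivirusAutostart {
    [CmdletBinding()]
    param(
        # Persistence points named in the write-up (HKCU, as stated there).
        [string[]]$RunKeys = @(
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
        )
    )

    $findings = @()
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* metadata properties Get-ItemProperty adds to the object.
            if ($p.Name -like 'PS*') { continue }
            $name    = $p.Name
            $data    = [string]$p.Value
            $reasons = @()

            # Indicator 1: the fake scanner's own Run value
            # (value name "Internet Antivirus Pro", data ...\Internet Antivirus Pro\IAPro.exe).
            if ($name -eq 'Internet Antivirus Pro' -or
                $data -match '\\Internet Antivirus Pro\\IAPro\.exe') {
                $reasons += 'matches Internet Antivirus Pro autostart'
            }

            # Indicator 2: the downloader component (TrojanDownloader:Win32/FakeIA.A)
            # starts from <system folder>\Microsoft\Protect\S-1-5-18\<random name>.exe.
            # The file name varies, so match on the parent path rather than the name.
            if ($data -match '\\Microsoft\\Protect\\S-1-5-18\\[^\\]+\.exe') {
                $reasons += 'executable launched from Microsoft\Protect\S-1-5-18'
            }

            # Indicator 3: any other entry under Policies\Explorer\Run is worth a look,
            # since that key is rarely used by legitimate software.
            if ($key -like '*\Policies\Explorer\Run' -and $reasons.Count -eq 0) {
                $reasons += 'entry under Policies\Explorer\Run (uncommon; review)'
            }

            if ($reasons.Count -gt 0) {
                $findings += [pscustomobject]@{
                    Key    = $key
                    Name   = $name
                    Data   = $data
                    Reason = ($reasons -join '; ')
                }
            }
        }
    }
    return $findings
}

# Usage: list suspicious autostart entries for the current user.
Find-InternetAntivirusAutostart | Format-Table -AutoSize
```

Because the downloader's value name and file name are randomized (the write-up's example is "byoroutand"), the check keys on the unusual launch directory under the DPAPI Protect folder rather than on a fixed name; the Run-value check for IAPro.exe is exact because that path is fixed. Run the function under each user profile that might have executed the installer, since both keys live in HKCU.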
This component injects code into Internet Explorer and periodically displays this page instead of the actual web page you're trying to view:
The "click here" link directs the browser to a purchase page for Win32/InternetAntivirus:
Displays fake warnings and mimics the Windows Security Center
Win32/InternetAntivirus shows a fake copy of the Windows Security Center, along with an icon in the system tray that shows pop-up warnings. Clicking the recommendations launches an Internet Explorer window to show the purchase web page previously mentioned.
Win32/InternetAntivirus might also create an uninstall entry in the registry:
Analysis by Hamish O'Dea