Antivirus Protection 2012 is a variant of Win32/FakeRean, a family of rogue security software ("fake scanners") that claims to scan your computer for malware and displays fake warnings about malicious files. It then tells you that you must pay to register the software in order to remove these non-existent threats. It may also disable security-related services on your computer and modify your security settings.
Installation
Antivirus Protection 2012's installer drops a number of files to a folder, such as %AppData%\Antivirus Protection 2012 or %AppData%\Antivirus Protection 2012 Tm.
It may also create the following files:
- IcoActivate.ico (icon file)
- IcoHelp.ico (icon file)
- IcoUninstall.ico (icon file)
- AntivirusProtection2012.exe (fake scanner)
- securitymanager.exe (monitors the installed file; not all variants create this file)
- securityhelper.exe (copy of the installer)
It adds a number of registry entries to ensure that its various components are run at each Windows start:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Antivirus Protection 2012"
With data: "%AppData%\Antivirus Protection 2012\AntivirusProtection2012.exe" /STARTUP
Sets value: "Antivirus Protection 2012 SM"
With data: "%AppData%\Antivirus Protection 2012\securitymanager.exe"
Sets value: "Antivirus Protection 2012 SH"
With data: "%AppData%\Antivirus Protection 2012\securityhelper.exe"
or
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Antivirus Protection 2012 Tm"
With data: "%AppData%\Antivirus Protection 2012 Tm\AntivirusProtection2012.exe" /STARTUP
Sets value: "Antivirus Protection 2012 SM"
With data: "%AppData%\Antivirus Protection 2012 Tm\securitymanager.exe"
Sets value: "Antivirus Protection 2012 SH"
With data: "%AppData%\Antivirus Protection 2012 Tm\securityhelper.exe"
It adds a number of items under the Start Menu by creating the following files:
- %programs%\Antivirus Protection 2012.lnk
- %programs%\Antivirus Protection 2012\Antivirus Protection 2012.lnk
- %programs%\Antivirus Protection 2012\Activate Antivirus Protection 2012.lnk
- %programs%\Antivirus Protection 2012\How to Activate Antivirus Protection 2012.lnk
- %programs%\Antivirus Protection 2012\Help Antivirus Protection 2012.lnk
or
- %programs%\Antivirus Protection 2012 Tm.lnk
- %programs%\Antivirus Protection 2012 Tm\Antivirus Protection 2012 Tm.lnk
- %programs%\Antivirus Protection 2012 Tm\Activate Antivirus Protection 2012 Tm.lnk
- %programs%\Antivirus Protection 2012 Tm\How to Activate Antivirus Protection 2012 Tm.lnk
- %programs%\Antivirus Protection 2012 Tm\Help Antivirus Protection 2012 Tm.lnk
It adds a desktop shortcut by creating one of the following files:
- %DesktopDirectory%\Antivirus Protection 2012.lnk
- %DesktopDirectory%\Antivirus Protection 2012 Tm.lnk
These icons may resemble the following: (icon images omitted)
It adds a Quick Launch icon by creating one of the following files:
- %AppData%\Microsoft\Internet Explorer\Quick Launch\Antivirus Protection 2012.lnk
- %AppData%\Microsoft\Internet Explorer\Quick Launch\Antivirus Protection 2012 Tm.lnk
It adds itself to the Add/Remove programs dialog by creating the following registry entries:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antivirus Protection 2012
Sets value: "DisplayName"
With data: "Antivirus Protection 2012"
Sets value: "UninstallString"
With data: "%AppData%\Antivirus Protection 2012\securityhelper.exe" /UNINSTALL
Sets value: "DisplayIcon"
With data: "%AppData%\Antivirus Protection 2012\securityhelper.exe",1
or
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antivirus Protection 2012 Tm
Sets value: "DisplayName"
With data: "Antivirus Protection 2012 Tm"
Sets value: "UninstallString"
With data: "%AppData%\Antivirus Protection 2012 Tm\securityhelper.exe" /UNINSTALL
Sets value: "DisplayIcon"
With data: "%AppData%\Antivirus Protection 2012 Tm\securityhelper.exe",1
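The following PowerShell script is an added example and is not part of the original analysis. It checks the current user's profile for the installation artifacts listed above (the dropped folder and files, the per-user Run values, the Add/Remove Programs entry, the Start Menu, desktop and Quick Launch shortcuts, the configuration key, the BagNumber value and any running rogue processes) and reports what it finds without changing anything. It assumes PowerShell 3.0 or later and is run in the context of the affected user; the variable and function names are the editor's, not Microsoft's.

```powershell
# Added example (not Microsoft's code): read-only triage for the artifacts
# listed in the Installation section. Run as the affected user, PowerShell 3.0+.

$variants = @('Antivirus Protection 2012', 'Antivirus Protection 2012 Tm')
$findings = New-Object System.Collections.Generic.List[string]

foreach ($name in $variants) {
    # Dropped folder and files under %AppData%
    $dir = Join-Path $env:APPDATA $name
    if (Test-Path -LiteralPath $dir) {
        $findings.Add("Directory present: $dir")
        Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
            ForEach-Object { $findings.Add("  file: $($_.Name) ($($_.Length) bytes)") }
    }

    # Per-user persistence: any Run value whose data points into the dropped folder
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -like "*\$name\*") {
                $findings.Add("Run value '$($p.Name)' -> $($p.Value)")
            }
        }
    }

    # Add/Remove Programs entry
    $uninstKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\$name"
    if (Test-Path -LiteralPath $uninstKey) {
        $u = Get-ItemProperty -LiteralPath $uninstKey
        $findings.Add("Uninstall entry: $uninstKey (UninstallString = $($u.UninstallString))")
    }

    # Configuration key
    $cfgKey = "HKCU:\Software\$name"
    if (Test-Path -LiteralPath $cfgKey) { $findings.Add("Config key present: $cfgKey") }

    # Shortcuts: Start Menu (top-level .lnk and program group), desktop, Quick Launch
    $programs = [Environment]::GetFolderPath('Programs')
    $desktop  = [Environment]::GetFolderPath('DesktopDirectory')
    $quick    = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch'
    $lnkPaths = @(
        (Join-Path $programs "$name.lnk"),
        (Join-Path $programs $name),
        (Join-Path $desktop "$name.lnk"),
        (Join-Path $quick "$name.lnk")
    )
    foreach ($lnk in $lnkPaths) {
        if (Test-Path -LiteralPath $lnk) { $findings.Add("Shortcut present: $lnk") }
    }
}

# Identifier stored under HKCU\Software\Microsoft\Windows\Shell
$shell = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\Shell' -ErrorAction SilentlyContinue
if ($shell -and $shell.PSObject.Properties['BagNumber']) {
    $findings.Add("BagNumber value present: $($shell.BagNumber)")
}

# Running rogue processes, named after the dropped executables
Get-Process -Name 'AntivirusProtection2012', 'securitymanager', 'securityhelper' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Running process: $($_.Name) (PID $($_.Id)) $($_.Path)") }

if ($findings.Count -eq 0) { 'No Antivirus Protection 2012 artifacts found.' } else { $findings }
```

The Run-value check matches on the folder name rather than on the value name, so it also catches the variant that uses the "Antivirus Protection 2012 Tm" folder and the "SM"/"SH" value names. Because securitymanager.exe monitors the installed file, stop the listed processes before deleting anything, or the files will be restored.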
Payload
Displays a fake scanner
The malware displays a fake scanner and periodically shows dialog boxes, system tray balloons and other pop-ups claiming that your computer is infected. Some examples of these fake scanners are displayed below. It then tells you that the only way to remove the reported threats is to pay to register the software.
Disables services
The malware may stop and disable the following services in an attempt to lower the security on your computer:
- MpsSvc (Windows Firewall)
- SharedAccess (Windows Firewall/Internet Connection Sharing (ICS) on Windows XP; Internet Connection Sharing on later Windows versions)
- WinDefend (Windows Defender)
- wscsvc (Security Center)
- wuauserv (Windows Update)
Modifies security settings
The malware attempts to remove the Zone.Identifier alternate data stream from its installer file. Windows writes this stream to files downloaded from the Internet (the "mark of the web"), and it is what triggers the security warning shown when such a file is opened or run; removing it makes the installer look like a local file.
It may attempt to remove the following registry entry to prevent Windows Defender from running each time you start your computer:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Removes value: "Windows Defender"
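The following PowerShell script is an added example and is not part of the original analysis. It covers the two payload behaviours above: it reports the state of each listed service, re-enables and starts any that have been disabled, checks whether the "Windows Defender" value is still present in the HKLM Run key and restores it if the Defender executable exists, and shows how to read the Zone.Identifier stream from a downloaded file to see whether it has been stripped. It assumes an elevated prompt, PowerShell 3.0 or later (for Get-Content -Stream), and the default Windows Defender location on Windows Vista/7; the Downloads path used for the stream check is a placeholder.

```powershell
# Added example (not Microsoft's code). Run from an elevated PowerShell prompt
# after the rogue processes have been stopped. Assumes PowerShell 3.0+ and the
# default Windows Defender install path on Windows Vista/7.

# 1. Services the malware stops and disables (display names as in the list above).
$services = [ordered]@{
    'MpsSvc'       = 'Windows Firewall'
    'SharedAccess' = 'Windows Firewall/ICS (XP) or Internet Connection Sharing'
    'WinDefend'    = 'Windows Defender'
    'wscsvc'       = 'Security Center'
    'wuauserv'     = 'Windows Update'
}

foreach ($svcName in $services.Keys) {
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    if (-not $svc) { "$svcName ($($services[$svcName])): not present on this system"; continue }
    # Older PowerShell does not expose the start type on Get-Service output; use WMI
    $startMode = (Get-WmiObject -Class Win32_Service -Filter "Name='$svcName'").StartMode
    "$svcName ($($services[$svcName])): status=$($svc.Status), start mode=$startMode"
    if ($startMode -eq 'Disabled') {
        Set-Service -Name $svcName -StartupType Automatic
        "  start type reset to Automatic"
    }
    if ($svc.Status -ne 'Running') {
        Start-Service -Name $svcName -ErrorAction SilentlyContinue
        "  start attempted; now $((Get-Service -Name $svcName).Status)"
    }
}

# 2. The Windows Defender autorun value the malware deletes from the HKLM Run key.
$runKey      = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$defenderExe = Join-Path $env:ProgramFiles 'Windows Defender\MSASCui.exe'   # assumed default path
$run = Get-ItemProperty -Path $runKey
if ($run.PSObject.Properties['Windows Defender']) {
    "Windows Defender Run value present: $($run.'Windows Defender')"
} elseif (Test-Path -LiteralPath $defenderExe) {
    Set-ItemProperty -Path $runKey -Name 'Windows Defender' -Value "`"$defenderExe`" -hide"
    "Windows Defender Run value restored"
} else {
    "Windows Defender Run value missing and $defenderExe not found; restore it manually"
}

# 3. Zone.Identifier check. A file fetched from the Internet normally carries this
# stream (ZoneId=3); a downloaded installer without it is consistent with the
# stripping described above.
function Get-ZoneIdentifier([string]$Path) {
    try   { Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop }
    catch { $null }   # no such stream (or file not on NTFS)
}
$installer = Join-Path $env:USERPROFILE 'Downloads\setup.exe'   # placeholder; use the real file
if (Test-Path -LiteralPath $installer) {
    $zone = Get-ZoneIdentifier $installer
    if ($zone) { "Zone.Identifier on ${installer}:"; $zone }
    else       { "No Zone.Identifier stream on $installer" }
}
```

Re-enabling a service only undoes the "Disabled" start type; if the malware is still running it can disable the service again, so run this after the rogue processes are gone. Whether the Defender Run value was originally present depends on the Windows version, so treat its absence as a hint rather than proof of tampering.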
Additional information
The malware may create a number of files in your %temp% directory which its fake scanner may later report as being infected. It may lock access to these files so that you can't open, move or delete them while the malware is running.
It may store configuration data under the registry key HKCU\Software\Antivirus Protection 2012 or HKCU\Software\Antivirus Protection 2012 Tm.
It may also store an identifier under the following registry entry:
In subkey: HKCU\Software\Microsoft\Windows\Shell
Sets value: "BagNumber"
With data: <three digit identifier> (for example, 472)
The malware may send installation status and identifier information to servers such as the following:
- hard-news.in
- web-hddtest.in
- web-presentation.in
It may connect to servers such as the following for registration and payment for the fake software:
- antivirusprotection2012live.com
- antivirusprotection2012net.com
Analysis by David Wood