Antivirus 2010 is a variant of Win32/FakeXPA, a family of programs that claim to scan for malware and display fake warnings of "malicious programs and viruses". They then inform the user that they need to pay to register the software in order to remove these non-existent threats. Some members of the Win32/FakeXPA family may also download additional malware and have been observed in the wild downloading variants of Win32/Alureon.
Win32/FakeXPA has been distributed with many different names. The name used by the malware, the user interface and other details vary to reflect each variant’s individual branding. The following details describe Win32/FakeXPA when it is distributed with the name Antivirus 2010.
Installation
The Antivirus 2010 installer downloads and installs several files from the download-av2010.info domain, including AV2010.exe, SysLoader.exe, IEDefender.dll and svchost.exe, each described below.
AV2010.exe is the fake scanner itself. In addition to the scanner window, it displays an icon in the system tray (and popup messages from that icon), popup alerts warning of "infections", "database update" dialogs and a window that imitates the Windows Security Center.
It may be saved as:
C:\Documents and Settings\All Users\Application Data\AV2010\AV2010.exe
See below for examples of the icon, pop-up alerts, update dialog and imitation Windows Security Center:
SysLoader.exe launches the fake scanner and can also download the latest version of any component if, for example, it has been removed. It may be saved as:
C:\Documents and Settings\All Users\Application Data\SysLoader.exe
See below for an example of the fake scanning interface:
It adds an entry to the registry so that the launcher is run each time Windows starts, for example:
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Value: Gamma Loader
Data: "C:\Documents and Settings\All Users\Application Data\SysLoader.exe" /adjustment
The '/adjustment' parameter tells the launcher to be "silent", i.e. not to show the installation dialog.
IEDefender.dll may be saved to:
C:\Documents and Settings\All Users\Application Data\AV2010\IEDefender.dll
It is installed as a Browser Helper Object (BHO) in order to display fake "drop-down" messages within Internet Explorer. Clicking on the message directs IE to a web page that allows the user to purchase "Antivirus 2010". Please see below for an example:
When registering IEDefender.dll as a BHO, the following registry changes may be made:
Key: HKCR\AppID\{3C40236D-990B-443C-90E8-B1C07BCD4A68}
Value: (Default)
Data: IEDefender
Key: HKCR\AppID\IEDefender.DLL
Value: AppID
Data: {3C40236D-990B-443C-90E8-B1C07BCD4A68}
Key: HKCR\IEDefender.IEDefenderBHO.1
Value: (Default)
Data: IEDefenderBHO Class
Key: HKCR\IEDefender.IEDefenderBHO.1\CLSID
Value: (Default)
Data: {FC8A493F-D236-4653-9A03-2BF4FD94F643}
Key: HKCR\IEDefender.IEDefenderBHO
Value: (Default)
Data: IEDefenderBHO Class
Key: HKCR\IEDefender.IEDefenderBHO\CLSID
Value: (Default)
Data: {FC8A493F-D236-4653-9A03-2BF4FD94F643}
Key: HKCR\IEDefender.IEDefenderBHO\CurVer
Value: (Default)
Data: HelloWorld.HelloWorldBHO.1
Key: HKCR\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
Value: (Default)
Data: IEDefenderBHO Class
Key: HKCR\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}\ProgID
Value: (Default)
Data: IEDefender.IEDefenderBHO.1
Key: HKCR\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}\VersionIndependentProgID
Value: (Default)
Data: IEDefender.IEDefenderBHO
Key: HKCR\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}\InprocServer32
Value: (Default)
Data: C:\Documents and Settings\All Users\Application Data\AV2010\IEDefender.dll
Key: HKCR\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}\InprocServer32
Value: ThreadingModel
Data: Apartment
Key: HKCR\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}\TypeLib
Value: (Default)
Data: {705FD64B-2B7B-4856-9337-44CA1DA86849}
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
Value: (Default)
Data: IEDefenderBHO
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
Value: NoExplorer
Data: 1
Key: HKCR\TypeLib\{705FD64B-2B7B-4856-9337-44CA1DA86849}\1.0
Value: (Default)
Data: HelloWorld 1.0 Type Library
Key: HKCR\TypeLib\{705FD64B-2B7B-4856-9337-44CA1DA86849}\1.0\FLAGS
Value: (Default)
Data: 0
Key: HKCR\TypeLib\{705FD64B-2B7B-4856-9337-44CA1DA86849}\1.0\0\win32
Value: (Default)
Data: C:\Documents and Settings\All Users\Application Data\AV2010\IEDefender.dll
Key: HKCR\TypeLib\{705FD64B-2B7B-4856-9337-44CA1DA86849}\1.0\HELPDIR
Value: (Default)
Data: C:\Documents and Settings\All Users\Application Data\AV2010
Key: HKCR\Interface\{7BC7565C-5062-43CE-8797-DC2C271140A9}
Value: (Default)
Data: IHelloWorldBHO
Key: HKCR\Interface\{7BC7565C-5062-43CE-8797-DC2C271140A9}\ProxyStubClsid
Value: (Default)
Data: {00020424-0000-0000-C000-000000000046}
Key: HKCR\Interface\{7BC7565C-5062-43CE-8797-DC2C271140A9}\ProxyStubClsid32
Value: (Default)
Data: {00020424-0000-0000-C000-000000000046}
Key: HKCR\Interface\{7BC7565C-5062-43CE-8797-DC2C271140A9}\TypeLib
Value: (Default)
Data: {705FD64B-2B7B-4856-9337-44CA1DA86849}
Key: HKCR\Interface\{7BC7565C-5062-43CE-8797-DC2C271140A9}\TypeLib
Value: Version
Data: 1.0
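The Run-key persistence and the BHO registration chain above are the two registry artifacts a responder would check first. The following PowerShell triage script is an added example, not part of the original analysis; it assumes the XP-era paths and the CLSID given in this write-up and resolves each registered BHO to the DLL its InprocServer32 key loads.

```powershell
# Added host-triage script (not from the original write-up). It checks the three
# registry/file artifacts described above: the "Gamma Loader" Run value, the
# IEDefender BHO registration resolved through its CLSID, and the dropped files.
# Paths are the XP-era ones named in the write-up; adjust $dataDir for other layouts.
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$bhoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$bhoClsid = '{FC8A493F-D236-4653-9A03-2BF4FD94F643}'
$dataDir  = 'C:\Documents and Settings\All Users\Application Data'
$findings = @()

# 1. Run-key persistence. Flag the known value name and any value whose command
#    line points at the FakeXPA drop locations, whatever name it was given.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -eq 'Gamma Loader' -or
            ($p.Value -is [string] -and $p.Value -match 'Application Data\\(AV2010\\|SysLoader\.exe)')) {
            $findings += "Run value '$($p.Name)' = $($p.Value)"
        }
    }
}

# 2. BHO registration. Walk every registered BHO CLSID, resolve it to the DLL that
#    HKCR\CLSID\{...}\InprocServer32 will load, and flag the known CLSID or DLL path.
if (Test-Path -LiteralPath $bhoKey) {
    foreach ($k in Get-ChildItem -LiteralPath $bhoKey) {
        $clsid = $k.PSChildName
        $srv   = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll   = (Get-ItemProperty -LiteralPath $srv -ErrorAction SilentlyContinue).'(default)'
        if ($clsid -eq $bhoClsid -or ($dll -and $dll -match '\\AV2010\\IEDefender\.dll$')) {
            $findings += "BHO $clsid -> $dll"
        }
    }
}

# 3. Dropped files and shortcuts listed in the write-up.
$paths = @("$dataDir\AV2010\AV2010.exe", "$dataDir\AV2010\IEDefender.dll",
           "$dataDir\AV2010\svchost.exe", "$dataDir\SysLoader.exe",
           'C:\Documents and Settings\All Users\Desktop\AV2010.lnk')
foreach ($f in $paths) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Output 'No Antivirus 2010 indicators found.' }
```

Run it from an elevated PowerShell session; step 2 reports any BHO whose DLL resolves to the AV2010 folder even if the CLSID differs from the one documented here.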
svchost.exe (a file that shares its name with the legitimate Windows service host process but is stored under Application Data rather than the System32 folder) displays a fake "blue screen" crash screen, followed by a fake restart screen. It may be saved to:
C:\Documents and Settings\All Users\Application Data\AV2010\svchost.exe

The installer also creates the following shortcut on the desktop:
C:\Documents and Settings\All Users\Desktop\AV2010.lnk
and a folder containing two items in the start menu:
C:\Documents and Settings\All Users\Start Menu\Programs\AV2010\AV2010.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\AV2010\Uninstall.lnk
Win32/FakeXPA may also make the following registry modifications when distributed as Antivirus 2010:
Key: HKCU\Software\AV2010\AV2010\{F275E931-AFEC-4f70-B0D4-CC2731B945E0}
Value: {9BB761E6-288E-4782-8538-9069141F34B6}
Data: 1
Key: HKCU\Software\AV2010\AV2010\{F275E931-AFEC-4f70-B0D4-CC2731B945E0}
Value: {BE8A5069-82B0-4214-98DB-715C2B6D3117}
Data: D8 07 0C 00 01 00 16 00 15 00 39 00 27 00 E7 03
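The 16-byte REG_BINARY value above has the shape of a Win32 SYSTEMTIME structure (eight little-endian 16-bit fields: year, month, day-of-week, day, hour, minute, second, milliseconds). That reading is my assumption, not something the write-up states; the added example below decodes it and cross-checks the day-of-week field against the calendar, which is the test a forensic analyst would apply before trusting it as a timestamp.

```powershell
# Added example (not part of the original analysis): interpret the REG_BINARY value
# as a Win32 SYSTEMTIME. Treating it as a SYSTEMTIME is an assumption; the decoded
# day-of-week field is checked against the calendar date to support or refute it.
function ConvertFrom-SystemTime {
    param([byte[]] $Bytes)
    if ($Bytes.Length -ne 16) { throw "SYSTEMTIME is 16 bytes, got $($Bytes.Length)" }
    # Eight little-endian WORDs, in the order the Win32 structure declares them:
    # wYear, wMonth, wDayOfWeek, wDay, wHour, wMinute, wSecond, wMilliseconds
    $w = 0..7 | ForEach-Object { [BitConverter]::ToUInt16($Bytes, $_ * 2) }
    $t = [datetime]::new($w[0], $w[1], $w[3], $w[4], $w[5], $w[6], $w[7])
    [pscustomobject]@{
        Timestamp        = $t
        DayOfWeekField   = $w[2]                       # 0 = Sunday ... 6 = Saturday
        DayOfWeekMatches = ([int]$t.DayOfWeek -eq $w[2]) # False => probably not a SYSTEMTIME
    }
}

# Bytes copied from the Data line above.
$hex   = 'D8 07 0C 00 01 00 16 00 15 00 39 00 27 00 E7 03'
$bytes = [byte[]]($hex -split ' ' | ForEach-Object { [Convert]::ToByte($_, 16) })
ConvertFrom-SystemTime $bytes
```

Decoded, the value reads 22 December 2008 21:57:39.999 and the day-of-week field (1, Monday) agrees with that date, which supports the interpretation; what event the timestamp records (installation or first run, for example) is not stated in the write-up.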
Analysis by Hamish O'Dea