Antivirus 2010 is a variant of Win32/FakeXPA, a family of programs that claim to scan for malware and display fake warnings of "malicious programs and viruses". They then inform the user that they need to pay money to register the software in order to remove these non-existent threats. Some members of the Win32/FakeXPA family may also download additional malware and have been observed in the wild downloading variants of Win32/Alureon.

Win32/FakeXPA has been distributed with many different names. The name used by the malware, the user interface and other details vary to reflect each variant's individual branding. The following details describe Win32/FakeXPA when it is distributed with the name Antivirus 2010.
Installation
The Antivirus 2010 installer downloads and installs several files from the download-av2010.info domain, including:
This is the fake scanner itself. In addition to the scanner window, it displays an icon in the system tray (and popup messages from that icon), popup alerts warning of "infections", "database update" dialogs and a window that imitates the Windows Security Center.
It may be saved as:
C:\Documents and Settings\All Users\Application Data\AV2010\AV2010.exe
[Image: examples of the icon, pop-up alerts, update dialog and imitation Windows Security Center]
This component launches the fake scanner and can also download the latest version of any components if, for example, they are removed. It may be saved as:
C:\Documents and Settings\All Users\Application Data\SysLoader.exe
[Image: the fake scanning interface]
It adds an entry to the registry so it is launched each time Windows starts, for example:
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Value: Gamma Loader
Data: "C:\Documents and Settings\All Users\Application Data\SysLoader.exe" /adjustment

The '/adjustment' parameter tells the launcher to be "silent", i.e. not show the installation dialog.
This component may be saved to:
C:\Documents and Settings\All Users\Application Data\AV2010\IEDefender.dll
It is installed as a BHO (Browser Helper Object) in order to display fake "drop-down" messages within Internet Explorer. Clicking on the message directs IE to a web page that allows the user to purchase "Antivirus 2010".
[Image: example of the fake drop-down message in Internet Explorer]

When registering IEDefender.dll as a BHO, the following registry changes may be made:

Key: HKCR\AppID\{3C40236D-990B-443C-90E8-B1C07BCD4A68}
Value: (Default)
Data: IEDefender

Key: HKCR\AppID\IEDefender.DLL
Value: AppID
Data: {3C40236D-990B-443C-90E8-B1C07BCD4A68}

Key: HKCR\IEDefender.IEDefenderBHO.1
Value: (Default)
Data: IEDefenderBHO Class

Key: HKCR\IEDefender.IEDefenderBHO.1\CLSID
Value: (Default)
Data: {FC8A493F-D236-4653-9A03-2BF4FD94F643}

Key: HKCR\IEDefender.IEDefenderBHO
Value: (Default)
Data: IEDefenderBHO Class

Key: HKCR\IEDefender.IEDefenderBHO\CLSID
Value: (Default)
Data: {FC8A493F-D236-4653-9A03-2BF4FD94F643}

Key: HKCR\IEDefender.IEDefenderBHO\CurVer
Value: (Default)
Data: HelloWorld.HelloWorldBHO.1

Key: HKCR\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
Value: (Default)
Data: IEDefenderBHO Class

Key: HKCR\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}\ProgID
Value: (Default)
Data: IEDefender.IEDefenderBHO.1

Key: HKCR\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}\VersionIndependentProgID
Value: (Default)
Data: IEDefender.IEDefenderBHO

Key: HKCR\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}\InprocServer32
Value: (Default)
Data: C:\Documents and Settings\All Users\Application Data\AV2010\IEDefender.dll

Key: HKCR\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}\InprocServer32
Value: ThreadingModel
Data: Apartment

Key: HKCR\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}\TypeLib
Value: (Default)
Data: {705FD64B-2B7B-4856-9337-44CA1DA86849}

Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
Value: (Default)
Data: IEDefenderBHO

Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
Value: NoExplorer
Data: 1

Key: HKCR\TypeLib\{705FD64B-2B7B-4856-9337-44CA1DA86849}\1.0
Value: (Default)
Data: HelloWorld 1.0 Type Library

Key: HKCR\TypeLib\{705FD64B-2B7B-4856-9337-44CA1DA86849}\1.0\FLAGS
Value: (Default)
Data: 0

Key: HKCR\TypeLib\{705FD64B-2B7B-4856-9337-44CA1DA86849}\1.0\0\win32
Value: (Default)
Data: C:\Documents and Settings\All Users\Application Data\AV2010\IEDefender.dll

Key: HKCR\TypeLib\{705FD64B-2B7B-4856-9337-44CA1DA86849}\1.0\HELPDIR
Value: (Default)
Data: C:\Documents and Settings\All Users\Application Data\AV2010

Key: HKCR\Interface\{7BC7565C-5062-43CE-8797-DC2C271140A9}
Value: (Default)
Data: IHelloWorldBHO

Key: HKCR\Interface\{7BC7565C-5062-43CE-8797-DC2C271140A9}\ProxyStubClsid
Value: (Default)
Data: {00020424-0000-0000-C000-000000000046}

Key: HKCR\Interface\{7BC7565C-5062-43CE-8797-DC2C271140A9}\ProxyStubClsid32
Value: (Default)
Data: {00020424-0000-0000-C000-000000000046}

Key: HKCR\Interface\{7BC7565C-5062-43CE-8797-DC2C271140A9}\TypeLib
Value: (Default)
Data: {705FD64B-2B7B-4856-9337-44CA1DA86849}

Key: HKCR\Interface\{7BC7565C-5062-43CE-8797-DC2C271140A9}\TypeLib
Value: Version
Data: 1.0

This program displays a fake "blue screen" crash screen, followed by a fake restart screen. It may be saved to:
C:\Documents and Settings\All Users\Application Data\AV2010\svchost.exe.

The installer also creates the following shortcut on the desktop:
C:\Documents and Settings\All Users\Desktop\AV2010.lnk
and a folder containing two items in the start menu:
C:\Documents and Settings\All Users\Start Menu\Programs\AV2010\AV2010.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\AV2010\Uninstall.lnk
Win32/FakeXPA may also make the following registry modifications when distributed as Antivirus 2010:
Key: HKCU\Software\AV2010\AV2010\{F275E931-AFEC-4f70-B0D4-CC2731B945E0}
Value: {9BB761E6-288E-4782-8538-9069141F34B6}
Data: 1
Key: HKCU\Software\AV2010\AV2010\{F275E931-AFEC-4f70-B0D4-CC2731B945E0}
Value: {BE8A5069-82B0-4214-98DB-715C2B6D3117}
Data: D8 07 0C 00 01 00 16 00 15 00 39 00 27 00 E7 03
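The following Python script is an added example, not part of this description and not Microsoft's own tooling. It parses a registry export and flags the artifacts listed above: the "Gamma Loader" Run value that launches a component from All Users\Application Data, the IEDefender BHO CLSID under Browser Helper Objects, the InprocServer32 path registered for that CLSID, and the HKCU\Software\AV2010 configuration key. The sample export is constructed from the entries in this description plus one benign Run value; the .reg format handling and the hunt_file helper are assumptions about how a responder would collect the data, not something the description states.

```python
"""Hunt for the Antivirus 2010 (Win32/FakeXPA) registry artifacts in a .reg export.
Added example, not Microsoft's tooling.  Assumption: the export is in the standard
"Windows Registry Editor Version 5.00" format written by reg.exe; only string and
dword values are interpreted."""
import re

# Indicators taken from the description above.
BHO_CLSID = "{FC8A493F-D236-4653-9A03-2BF4FD94F643}"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
           "\\Browser Helper Objects\\" + BHO_CLSID)
CONFIG_KEY_PREFIX = "HKEY_CURRENT_USER\\SOFTWARE\\AV2010\\"
# Paths into the All Users profile that the installer uses for its components.
AV2010_PATH_RE = re.compile(r"\\All Users\\Application Data\\(AV2010\\|SysLoader\.exe)", re.I)


def parse_reg_export(text):
    """Return {key: {value_name: data}} for a .reg export (string and dword values only)."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if data.startswith("dword:"):
            data = int(data[len("dword:"):], 16)
        elif data.startswith('"') and data.endswith('"'):
            # .reg string values escape backslashes and embedded quotes with a backslash
            data = re.sub(r"\\(.)", r"\1", data[1:-1])
        entries[current][name] = data
    return entries


def find_fakexpa_indicators(entries):
    """Return (reason, key, value_name, data) tuples for entries matching the description."""
    findings = []
    for key, values in entries.items():
        key_u = key.upper()
        for name, data in values.items():
            if key_u == RUN_KEY.upper() and isinstance(data, str) and AV2010_PATH_RE.search(data):
                findings.append(("Run value launches a component from All Users\\Application Data",
                                 key, name, data))
            elif BHO_CLSID in key_u and key_u.endswith("\\INPROCSERVER32") and name == "(Default)":
                findings.append(("in-process server registered for the IEDefender BHO CLSID",
                                 key, name, data))
        if key_u == BHO_KEY.upper():
            findings.append(("IEDefender CLSID listed under Browser Helper Objects", key, None, None))
        elif key_u.startswith(CONFIG_KEY_PREFIX):
            findings.append(("Antivirus 2010 configuration key", key, None, None))
    return findings


def hunt_export(text):
    """Parse a .reg export and return the list of findings."""
    return find_fakexpa_indicators(parse_reg_export(text))


def hunt_file(path):
    """reg.exe writes exports as UTF-16LE with a BOM; decode accordingly (assumed workflow)."""
    with open(path, encoding="utf-16") as fh:
        return hunt_export(fh.read())


# Constructed sample: the entries from the description plus one benign Run value.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Gamma Loader"="\"C:\\Documents and Settings\\All Users\\Application Data\\SysLoader.exe\" /adjustment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC8A493F-D236-4653-9A03-2BF4FD94F643}]
@="IEDefenderBHO"
"NoExplorer"=dword:00000001

[HKEY_CLASSES_ROOT\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}\InprocServer32]
@="C:\\Documents and Settings\\All Users\\Application Data\\AV2010\\IEDefender.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\AV2010\AV2010\{F275E931-AFEC-4f70-B0D4-CC2731B945E0}]
"{9BB761E6-288E-4782-8538-9069141F34B6}"=dword:00000001
'''

if __name__ == "__main__":
    for reason, key, name, data in hunt_export(SAMPLE_EXPORT):
        print(f"[{reason}] {key}" + (f" :: {name} = {data!r}" if name else ""))
```

The benign ctfmon.exe value in the same Run key is not reported, because the check keys on the All Users\Application Data location rather than on the Run key alone; the BHO check matches on the CLSID so it still fires if the DLL is moved or renamed.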
Analysis by Hamish O'Dea