
Rogue Warning: Antimalware Doctor

Author: Alan Lee – PC Tools malware research team

Antimalware Doctor is a rogue security application that attempts to entice victims to pay for malware removal by falsely detecting malware on infected computers.

Antimalware Doctor belongs to a family of rogue security applications that includes the following:

CoreGuardAntivirus2009
XP Security Tool
Antispyware XP
XP Internet Security

Infection method:

Antimalware Doctor may be downloaded automatically by Trojans, or by users who accidentally click on online download links. The threat then attempts to connect to an external server to display payment information, tricking users into entering their credit card details.

ThreatExpert Report:

http://www.threatexpert.com/report.aspx?md5=00C282ED586BDACFD46021090708C279

Manual removal:

The malware may create the following files -

C:\Windows\System32\local.ini
C:\Windows\System32\enemies-names.txt
C:\Windows\System32\Antimalware Doctor.exe

The malware may create the following registry keys -

HKEY_CURRENT_USER\Software\Antimalware Doctor Inc\Antimalware Doctor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Antimalware Doctor.exe"

Antimalware Doctor update

Since the last post, Rogue Warning: Antimalware Doctor,

http://blog.pctools.com/freeav/2010/news/rogue-warning-antimalware-doctor/

there have been some new discoveries in the samples that came our way.

ThreatExpert report:-

http://www.threatexpert.com/report.aspx?md5=299e2c761ef22b6871cf4e3311ec12c1

The Antimalware Doctor installer has added a screen that attempts to trick unsuspecting victims into believing that installing Antimalware Doctor is actually a System Security Pack Upgrade.

The malware has also changed its usual installation locations to these:-

  • C:\Documents and Settings\[UserName]\Application Data\.743ADCD1FFF70805DED4CDD860DD6317\enemies-names.txt
  • C:\Documents and Settings\[UserName]\Application Data\???????????????????????????????????\libcore707en0setup.exe [note ???????? refers to alphanumeric characters]
  • C:\Documents and Settings\[UserName]\Application Data\743ADCD1FFF70805DED4CDD860DD6317\local.ini
  • C:\Documents and Settings\[UserName]\Desktop\Antimalware Doctor.lnk
  • C:\Documents and Settings\[UserName]\Start Menu\Antimalware Doctor.lnk
  • C:\Documents and Settings\[UserName]\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk
  • C:\Documents and Settings\[UserName]\Start Menu\Programs\Startup\Antimalware Doctor.lnk
  • C:\Documents and Settings\[UserName]\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk

Manually remove Antimalware Doctor:-

To manually remove Antimalware Doctor, please delete the files mentioned above if found.
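Rather than checking each path by eye, a defender can match a host's file listing and Run-key export against the indicators from both posts above. The script below is an added example, not PC Tools' code: it treats [UserName] as any single path component and the run of ? as any run of alphanumerics, the sample inventory is constructed, and registry entries are written as key\value-name (an assumption about how the post's Run entry should be read).

```python
import re

# Indicators transcribed from the two PC Tools posts above. "[UserName]" is the
# post's own placeholder; the run of "?" stands for the alphanumeric folder
# name that the post says differs between samples.
FILE_INDICATORS = [
    r"C:\Windows\System32\local.ini",
    r"C:\Windows\System32\enemies-names.txt",
    r"C:\Windows\System32\Antimalware Doctor.exe",
    r"C:\Documents and Settings\[UserName]\Application Data\????????????????????????????????\libcore707en0setup.exe",
    r"C:\Documents and Settings\[UserName]\Desktop\Antimalware Doctor.lnk",
    r"C:\Documents and Settings\[UserName]\Start Menu\Programs\Startup\Antimalware Doctor.lnk",
]
# Assumption: the Run entry is represented as key\value-name.
REGISTRY_INDICATORS = [
    r"HKEY_CURRENT_USER\Software\Antimalware Doctor Inc\Antimalware Doctor",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Antimalware Doctor.exe",
]

def indicator_to_regex(indicator):
    """Compile one indicator into a case-insensitive full-match regex.

    Windows paths are case-insensitive; "[UserName]" becomes one path
    component (no backslash); a run of "?" becomes one or more alphanumerics,
    since the post gives the character class but not a fixed length."""
    escaped = re.escape(indicator)
    escaped = escaped.replace(re.escape("[UserName]"), r"[^\\]+")
    escaped = re.sub(r"(?:\\\?)+", r"[A-Za-z0-9]+", escaped)
    return re.compile(escaped, re.IGNORECASE)

def find_matches(observed, indicators):
    """Return (observed_item, matching_indicator) pairs for every hit."""
    compiled = [(ind, indicator_to_regex(ind)) for ind in indicators]
    return [(item, ind) for item in observed
            for ind, pattern in compiled if pattern.fullmatch(item)]

# Constructed sample inventory (not from the post): a file listing and a
# Run-key export as a host triage tool might report them, plus benign noise.
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\local.ini",
    r"C:\Windows\System32\notepad.exe",
    r"C:\Documents and Settings\alice\Application Data\8F3A0C1B2D4E5F60718293A4B5C6D7E8\libcore707en0setup.exe",
    r"C:\Documents and Settings\alice\Start Menu\Programs\Startup\Antimalware Doctor.lnk",
]
SAMPLE_REGISTRY = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Antimalware Doctor.exe",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
]

if __name__ == "__main__":
    for item, ind in find_matches(SAMPLE_FILES, FILE_INDICATORS) + find_matches(SAMPLE_REGISTRY, REGISTRY_INDICATORS):
        print(f"HIT {item}\n    matches {ind}")
```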
