
Rogue Warning: Antivirus IS

By Mylene Villacorte – PCTools Malware Research Team

Pursuant to the classic rogue security application modus operandi, Antivirus IS takes advantage of computer users’ fear and paranoia of getting infected by a worm or Trojan in order to persuade them to buy a useless product or service. Considering the risks and hassles resulting from identity theft, data loss, and the like, this particular form of extortion has proven highly effective.

Infection Method

Antivirus IS arrives as a file downloaded from the internet or dropped by other Trojan files. Once running on the machine, it initiates a fake system scan and will display a fake list of detected threats:

After this attempt to shock with non-existent infections, it proceeds to entice the user to purchase the product in order to clean their system:

Once the user clicks on the purchase button, it redirects to a website which will trick the user into entering credit card details:

If the user delays buying Antivirus IS, the program continuously displays fake alert messages to convince the user that their machine is really infected and that no other antivirus products will be able to protect them from these recurring alerts:

While data security is of great importance and it is wise to take seriously any threat alerts received while browsing, we also have to be wary of people who would take advantage of our legitimate concerns and scam us out of our hard-earned money. Remember, always follow best security practices when using the internet to avoid these kinds of traps. And if all else fails, do not put your trust in suspicious or alarmist products. Instead, go for an antivirus product or service with a good reputation, one that doesn’t have to rely on scaremongering to market its products.

ThreatExpert report

Antivirus IS manual removal

Antivirus IS drops the following file:

"%Temp%\{random folder name}\{random file name}.exe"

Note: %Temp% usually refers to C:\Documents and Settings\[UserName]\Local Settings\Temp (Windows NT/2000/XP).

It also creates the following registry keys/entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

{random registry name} = "%Temp%\{random folder name}\{random file name}.exe"

HKEY_CURRENT_USER\Software\{random letters}

HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings

JITDebug = "1"

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download

RunInvalidSignatures = "1"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations

LowRiskFileTypes = ".exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments

SaveZoneInformation = "1"

To remove the threat, delete the above mentioned registry key values and files.

WARNING: Editing the registry incorrectly can cause serious problems that may require you to reinstall Windows. PC Tools cannot guarantee that problems resulting from the incorrect editing of the registry can be solved. Edit the registry at your own risk or refer to our malware removal forum for guidance.
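As an added example (not part of the original post or PC Tools' tools), the following read-only PowerShell audit checks the current user's registry and %Temp% for the indicators listed above and reports what it finds without deleting anything. The key paths and value names are the ones listed above; the wildcard match for LowRiskFileTypes and the "executable in a %Temp% subfolder" heuristic are assumptions of this script.

```powershell
# Added example, not the original post's code: read-only audit for the Antivirus IS
# indicators listed above. Assumes Windows PowerShell 3.0+ run as the affected user.
$findings = @()

# 1. Run-key entries whose command launches from %Temp% (the rogue's persistence pattern).
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$tempDir = [System.IO.Path]::GetFullPath($env:TEMP)
if (Test-Path $runKey) {
    foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
        $cmd      = [string]$p.Value
        $expanded = [Environment]::ExpandEnvironmentVariables($cmd).Trim('"')
        if ($expanded.StartsWith($tempDir, [StringComparison]::OrdinalIgnoreCase)) {
            $findings += [pscustomobject]@{ Indicator = 'Run entry launching from %Temp%'
                                            Key = $runKey; Name = $p.Name; Value = $cmd }
        }
    }
}

# 2. Settings the rogue changes to suppress download/attachment warnings (values as listed above;
#    the '*.exe*' pattern is an assumption so that a longer type list still matches).
$valueChecks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows Script\Settings';                      Name = 'JITDebug';             Bad = '1' }
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Download';                   Name = 'RunInvalidSignatures'; Bad = '1' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'; Name = 'LowRiskFileTypes';     Bad = '*.exe*' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments';  Name = 'SaveZoneInformation';  Bad = '1' }
)
foreach ($c in $valueChecks) {
    if (-not (Test-Path $c.Key)) { continue }
    $v = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -ne $v -and ([string]$v).Trim() -like $c.Bad) {
        $findings += [pscustomobject]@{ Indicator = 'Security setting weakened'
                                        Key = $c.Key; Name = $c.Name; Value = $v }
    }
}

# 3. Executables sitting directly inside a %Temp% subfolder (the drop location described above).
Get-ChildItem -Path $tempDir -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    Get-ChildItem -Path $_.FullName -Filter '*.exe' -File -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += [pscustomobject]@{ Indicator = 'Executable in %Temp% subfolder'
                                        Key = $_.DirectoryName; Name = $_.Name; Value = $_.CreationTime }
    }
}

if ($findings.Count -eq 0) { 'No Antivirus IS indicators found.' } else { $findings | Format-Table -AutoSize }
```

Review each reported item before acting on it: a legitimate installer can also leave an executable in %Temp%, so the Run-key and registry-setting findings are the stronger signals.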


One Response to Rogue Warning: Antivirus IS

  1. James says:

    Thanks! This really helped me out :)
