
Threat Report: Antivirus Soft

      Another variant of rogue anti-spyware is causing trouble for many Internet users. Like its predecessors, it presents itself as legitimate-looking antivirus software and entices the user to download and purchase it. Its history shows that this fake product is a clone of, or a member of the same family as, the previously widespread rogue AVs Antivirus Live and Antivirus System Pro.

      It displays a fake antivirus scan result claiming that the computer is infected with numerous malicious programs, which may lead an unaware user to download and purchase the product.

      Antivirus Soft also produces annoying pop-ups that interrupt normal use of the computer and may degrade its performance. While running in the background, it also prevents other normal applications from executing.

      It also uses randomized filenames and registry entries to make cleanup difficult.

SYSTEM MODIFICATIONS:

      File system modifications:
      Also check the process list for the following names and terminate them.

  • %AppData%\[random name directory]\[random chars]sysguard.exe
  • %AppData%\[random name directory]\[random chars]sftav.exe
%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

      System Registry Modifications:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • [random name] = “%AppData%\[random name]\[random character]sftav.exe”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • [random name] = “%AppData%\[random name]\[random character]sysguard.exe”
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • [random name] = “%AppData%\[random name]\[random character]sftav.exe”
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • [random name] = “%AppData%\[random name]\[random character]sysguard.exe”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
    • LowRiskFileTypes = “.exe”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings
    • JITDebug = 0x00000001
  • HKEY_CURRENT_USER\Software\avsoft

Sample details: ThreatExpert Report

Manual Removal: See “System Modifications” (Locate and delete the following)
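The indicators above can be checked in one pass rather than by hand. The following PowerShell script is an added example, not code from the original post or from any vendor: it audits the Run keys, the process list and the supporting registry changes listed under "System Modifications", reports what it finds, and only removes anything when run with the -Remove switch. Because the directory and filename prefix are randomized, it matches on the trailing filenames (sysguard.exe, sftav.exe) and on the path living under %AppData%, which are the only stable parts the report gives. Key paths, value names and filenames are taken from the report; the switch name and output layout are this example's own choices.

```powershell
# Added example (not from the original post): audit a Windows host for the
# Antivirus Soft indicators listed under "System Modifications".
# Read-only by default; -Remove terminates the processes and deletes the entries.
# Removing HKLM Run values requires an elevated session.
[CmdletBinding()]
param(
    [switch]$Remove
)

# Filenames named in the report. The directory and the prefix before the
# filename are random, so match on the trailing filename, not the full path.
$suspectNames = @('sysguard.exe', 'sftav.exe')
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Registry metadata properties that Get-ItemProperty adds to every key object.
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

$findings = @()

# 1. Autostart entries: value data under %AppData% ending in a suspect name,
#    e.g. "%AppData%\abcdef\xyzsysguard.exe".
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }
        $expanded = [Environment]::ExpandEnvironmentVariables([string]$p.Value).Trim('"')
        $leaf = [IO.Path]::GetFileName($expanded)
        $inAppData = $expanded -like "$env:APPDATA\*"
        $nameHit = $suspectNames | Where-Object { $leaf -like "*$_" }
        if ($inAppData -and $nameHit) {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Location = "$key\$($p.Name)"; Detail = $expanded }
            if ($Remove) { Remove-ItemProperty -Path $key -Name $p.Name -ErrorAction SilentlyContinue }
        }
    }
}

# 2. Running processes with the same trailing names (ProcessName has no ".exe").
foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    $exe = "$($proc.ProcessName).exe"
    if ($suspectNames | Where-Object { $exe -like "*$_" }) {
        $findings += [pscustomobject]@{ Type = 'Process'; Location = "PID $($proc.Id)"; Detail = $proc.Path }
        if ($Remove) { Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue }
    }
}

# 3. Supporting registry changes from the report. LowRiskFileTypes is a
#    semicolon-separated list; ".exe" in it suppresses the open-file security
#    warning for downloaded executables.
$assoc = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'
if (Test-Path $assoc) {
    $lrft = (Get-ItemProperty -Path $assoc -ErrorAction SilentlyContinue).LowRiskFileTypes
    if ($lrft -and (($lrft -split ';') -contains '.exe')) {
        $findings += [pscustomobject]@{ Type = 'Policy'; Location = "$assoc\LowRiskFileTypes"; Detail = $lrft }
        if ($Remove) { Remove-ItemProperty -Path $assoc -Name LowRiskFileTypes -ErrorAction SilentlyContinue }
    }
}

# JITDebug is also a legitimate Windows Script Host setting, so report only.
$ws = 'HKCU:\Software\Microsoft\Windows Script\Settings'
if (Test-Path $ws) {
    $jit = (Get-ItemProperty -Path $ws -ErrorAction SilentlyContinue).JITDebug
    if ($jit -eq 1) {
        $findings += [pscustomobject]@{ Type = 'Registry'; Location = "$ws\JITDebug"; Detail = $jit }
    }
}

# The rogue's own configuration key.
$avsoft = 'HKCU:\Software\avsoft'
if (Test-Path $avsoft) {
    $findings += [pscustomobject]@{ Type = 'Registry'; Location = $avsoft; Detail = 'key present' }
    if ($Remove) { Remove-Item -Path $avsoft -Recurse -Force -ErrorAction SilentlyContinue }
}

if ($findings.Count -eq 0) { Write-Output 'No Antivirus Soft indicators found.' }
else { $findings | Format-Table -AutoSize }
```

Run it once without -Remove and review the table before running it again with -Remove; the process is stopped before the Run entries are deleted only in the sense that both happen in the same pass, so if the rogue re-creates its autostart entry while running, run the script a second time to confirm nothing remains.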


This entry was posted in Malware Alerts.
