Antivirus2010 – Multiple “Avatars” in a Single .exe

Created: 07 Apr 2010 08:25:58 GMT • Updated: 23 Jan 2014 18:28:27 GMT

Antivirus XP 2010, a clone of the Antivirus2010 family, is amongst today’s most prevalent rogue security software. Fake security software scammers continue to release new clones in frequent attempts to evade antivirus scanner detections. New clones share the user interface and the look and feel of the original application; only the application name changes.

Analysis of Antivirus2010 reveals that it uses a single binary file for multiple clones. Each time the binary is executed, a different name is displayed as the application title. For example, when it is executed for the first time it displays itself as XP Antispyware 2010; however, when executed again it may display itself as XP Guardian 2010.

The following is a list of the names that it may use in any particular instance:

•    XP Antispyware 2010
•    Antivirus XP 2010
•    XP Guardian 2010
•    XP Guardian
•    XP Defender 2010
•    XP Antivirus
•    XP Antivirus 2010
•    XP Antivirus Pro
•    XP Antivirus Pro 2010
•    XP Internet Security
•    XP Internet Security 2010

Here is a screen shot of the binary executed, showing the application name as Antivirus XP 2010:

When the same executable is launched multiple times, it shows different application names; below are some screen shots.

All of the above clones are widely discussed on various security blogs and security product websites; however, they are described as separate clones of AntiVirusPro2010 rather than as a single, stand-alone executable. The following is a snapshot of the memory dump of one such executable. Notice the list of clone names (%1 is replaced with “XP”).

There have been some cases in which the rogue software family has substituted “PC” in place of “XP” to allow for the following combinations of names:

•    PC Antispyware 2010
•    Antivirus PC 2010
•    PC Guardian 2010
•    PC Guardian
•    PC Defender 2010
•    PC Antivirus
•    PC Antivirus 2010
•    PC Antivirus Pro
•    PC Antivirus Pro 2010
•    PC Internet Security
•    PC Internet Security 2010
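As an added example (not part of this post or of any Symantec product), the following Python script pulls the "%1" template strings out of a memory dump or unpacked binary and expands them with the two substitutions documented above, XP and PC, giving the complete set of window titles a defender should expect this one executable to present. The dump bytes are constructed for illustration, and the handling of UTF-16LE wide strings is an assumption about how such strings may be stored in memory.

```python
import re

# Constructed stand-in for a memory dump: NUL-separated "%1" template strings of the
# kind the post describes, mixed with unrelated strings. Not a real dump.
SAMPLE_DUMP = (
    b"MZ\x90\x00kernel32.dll\x00%1 Antispyware 2010\x00Antivirus %1 2010\x00"
    b"%1 Guardian 2010\x00%1 Guardian\x00%1 Defender 2010\x00%1 Antivirus\x00"
    b"%1 Antivirus 2010\x00%1 Antivirus Pro\x00%1 Antivirus Pro 2010\x00"
    b"%1 Internet Security\x00%1 Internet Security 2010\x00GetTickCount\x00"
    # Assumption: the same template may also sit in memory as a UTF-16LE wide string.
    + "%1 Guardian 2010".encode("utf-16-le") + b"\x00\x00"
)

# The two substitutions for %1 that the post documents.
VARIANTS = ("XP", "PC")

# A printable-ASCII run containing the literal "%1" placeholder.
_NARROW = re.compile(rb"[\x20-\x7e]*%1[\x20-\x7e]*")
# The UTF-16LE form: printable byte + NUL pairs; the lookbehind stops a match
# from starting on the last byte of a preceding narrow string.
_WIDE = re.compile(rb"(?<![\x20-\x7e])(?:[\x20-\x7e]\x00)*%\x001\x00(?:[\x20-\x7e]\x00)*")


def extract_templates(blob: bytes) -> list[str]:
    """Distinct %1 templates found in blob, narrow and wide, in first-seen order."""
    found = [m.group().decode("ascii") for m in _NARROW.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in _WIDE.finditer(blob)]
    return list(dict.fromkeys(s.strip() for s in found))


def expand_templates(templates, variants=VARIANTS) -> list[str]:
    """Substitute every documented variant for %1 in every template."""
    return [t.replace("%1", v) for t in templates for v in variants]


def known_clone_titles(blob: bytes) -> set[str]:
    """Every window title this one binary could present, derived from its templates."""
    return set(expand_templates(extract_templates(blob)))


def is_known_clone_title(title: str, blob: bytes = SAMPLE_DUMP) -> bool:
    """Match an observed window title (e.g. from endpoint telemetry) against that set."""
    return title.strip() in known_clone_titles(blob)


if __name__ == "__main__":
    for name in sorted(known_clone_titles(SAMPLE_DUMP)):
        print(name)
```

Running the script against a real dump of the sample would list every title the single binary can show, which is more useful for a detection rule than matching any one clone name.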

Symantec customers are protected from this threat, which is detected as “AntiVirus2010” by Symantec products. As always, Symantec recommends that users only install software that is supplied from legitimate vendors. Also, always keep your legitimate antivirus product up to date and ensure that you remain wary of intrusive and potentially malicious applications.