Security Response

Rogue Turning Retrovirus

Created: 18 Aug 2010 22:34:48 GMT • Updated: 23 Jan 2014 18:25:32 GMT • Translations available: 日本語

It's fairly well known that different types of malware can "kill" security products in various ways. These kinds of malware are known as retroviruses. In order to step things up a notch, some risks are utilizing legitimate software uninstallers to trick users into uninstalling legitimate security products. A new variant of the Trojan.FakeAV threat has been using this technique to install a newly released clone of the CoreGuard Antivirus security risk, called "AnVi Antivirus". In this case, the Trojan is utilizing this social engineering technique to trick users into uninstalling many well-known security products, including solutions by Symantec, Microsoft, AVG, Spyware Doctor, and Zone Labs, before installing AnVi Antivirus.

Upon executing the malicious file, the Trojan shows a message box asking the user to uninstall the legitimate antivirus program, if it is present on the computer:


Message box displayed by the Trojan.

In this example, a warning is displayed that the Symantec antivirus software is "uncertified" and will hamper the computer's performance. The user is left with no option other than clicking OK, which initiates the uninstall process. Even if the user clicks the "close" button, the uninstaller of the antivirus product still executes:


Uninstall screen that will appear if the latest definitions are not installed and Trojan.FakeAV executes.

Upon further investigation, we noticed that the code has references to multiple, well-known antivirus products. It searches for uninstaller information in the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" Windows registry subkey and launches the uninstaller for certain legitimate antivirus software. Below are a few examples:

  • "%PROGRAMFILES%\Common Files\Symantec Shared\SymSetup\{77FFBA7E-0973-4F39-BBDB-AC2F537578D2}_15_0_0_58\Setup.exe" /X
  • "%PROGRAMFILES%\Spyware Doctor\unins000.exe" /LOG
  • %PROGRAMFILES%\Zone Labs\ZoneAlarm\zauninst.exe
  • "%PROGRAMFILES%\AVG\AVG9\setup.exe" /UNINSTALL
  • "%PROGRAMFILES%\Microsoft Security Essentials\setup.exe" /x
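As an added illustration (not code from the original post), the following Python snippet shows one way a defender could spot this behaviour in process-creation telemetry: it flags the uninstaller command lines listed above whenever they are spawned by something other than the usual Control Panel or Windows Installer parents. The JSON event format, the sample events and the list of expected parent processes are assumptions of the example.

```python
import json
import re

# Command lines of the legitimate uninstallers quoted in the post;
# the regular expressions themselves are ours.
UNINSTALLER_PATTERNS = [re.compile(p, re.I) for p in (
    r'SymSetup\\\{[0-9A-F-]+\}_[\d_]+\\Setup\.exe"?\s+/X',
    r'Spyware Doctor\\unins000\.exe',
    r'Zone Labs\\ZoneAlarm\\zauninst\.exe',
    r'AVG\\AVG9\\setup\.exe"?\s+/UNINSTALL',
    r'Microsoft Security Essentials\\setup\.exe"?\s+/x',
)]

# Assumption: a user-driven uninstall normally comes from these parents.
EXPECTED_PARENTS = {"explorer.exe", "msiexec.exe", "control.exe"}


def parse_event(line):
    """Parse one JSON process-creation event (constructed format)."""
    ev = json.loads(line)
    parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
    return {"time": ev["time"], "parent": parent, "cmd": ev["command_line"]}


def is_forced_uninstall(event):
    """True when an AV uninstaller is spawned by an unexpected parent."""
    if event["parent"] in EXPECTED_PARENTS:
        return False
    return any(p.search(event["cmd"]) for p in UNINSTALLER_PATTERNS)


def find_forced_uninstalls(lines):
    """Return (time, parent, command_line) for every suspicious launch."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_forced_uninstall(ev):
            hits.append((ev["time"], ev["parent"], ev["cmd"]))
    return hits


# Constructed sample events: one genuine uninstall from Control Panel,
# two uninstallers spawned by a dropper in a temp folder, one unrelated child.
SAMPLE_LOG = [
    r'{"time":"2010-08-18T10:01:02","parent_image":"C:\\Windows\\explorer.exe","command_line":"\"C:\\Program Files\\AVG\\AVG9\\setup.exe\" /UNINSTALL"}',
    r'{"time":"2010-08-18T10:05:44","parent_image":"C:\\Temp\\dropper.exe","command_line":"\"C:\\Program Files\\Common Files\\Symantec Shared\\SymSetup\\{77FFBA7E-0973-4F39-BBDB-AC2F537578D2}_15_0_0_58\\Setup.exe\" /X"}',
    r'{"time":"2010-08-18T10:05:45","parent_image":"C:\\Temp\\dropper.exe","command_line":"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zauninst.exe"}',
    r'{"time":"2010-08-18T10:06:00","parent_image":"C:\\Temp\\dropper.exe","command_line":"C:\\Windows\\notepad.exe"}',
]

if __name__ == "__main__":
    for hit in find_forced_uninstalls(SAMPLE_LOG):
        print("forced AV uninstall:", *hit)
```

Only the two uninstallers launched by the dropper are reported; the same uninstaller run from Control Panel is left alone.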

As mentioned, it is common knowledge that some malware kills, tampers with, or removes antivirus software; such malware is known as a retrovirus. In this case, however, the threat runs the legitimate antivirus uninstaller and pressures the user into removing the antivirus software from the computer themselves.

Moreover, it tries to download rogue antivirus software by connecting to malicious websites. In this case it tries to download AnVi Antivirus, which is a clone of the CoreGuardAntivirus2009 misleading application:


Installation process for AnVi Antivirus.
Note: The threat authors have used Softpedia's logo without Softpedia's permission or endorsement.

We're happy to report that Symantec users with the latest definitions are protected from these threats. The initial retrovirus is detected as Trojan.FakeAV and will stop this technique in its tracks. While you wouldn't see it in this case, the misleading application is detected as CoreGuardAntivirus2009 for good measure. Please ensure that your antivirus and other security software is up-to-date.