HTTP AntiVirusGold Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects activities of the misleading application AntiVirusGold.

Additional Information

When AntiVirusGold is installed, it performs the following actions:

1. Creates the following files:

* %UserProfile%\Desktop\AntivirusGold.lnk
* %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusGold 2.0.lnk
* %UserProfile%\Local Settings\Temp\AGLanguage.ini
* %UserProfile%\Start Menu\Programs\AntivirusGold\AntivirusGold 2.0 Website.lnk
* %UserProfile%\Start Menu\Programs\AntivirusGold\AntivirusGold 2.0.lnk
* %UserProfile%\Start Menu\Programs\AntivirusGold\Uninstall AntivirusGold 2.0.lnk
* %UserProfile%\Start Menu\AntivirusGold 2.0.lnk
* %ProgramFiles%\AntivirusGold\AntivirusGold.exe
* %ProgramFiles%\AntivirusGold\AntivirusGold.url
* %ProgramFiles%\AntivirusGold\db.dat
* %ProgramFiles%\AntivirusGold\DbgHelp.Dll
* %ProgramFiles%\AntivirusGold\generalConfig.xml
* %ProgramFiles%\AntivirusGold\Lang\English.ini
* %ProgramFiles%\AntivirusGold\Logs\scan_log_02212006-190712.html
* %ProgramFiles%\AntivirusGold\monitorConfig.xml
* %ProgramFiles%\AntivirusGold\msvcp71.dll
* %ProgramFiles%\AntivirusGold\msvcr71.dll
* %ProgramFiles%\AntivirusGold\scannerConfig.xml
* %ProgramFiles%\AntivirusGold\uninst.exe
* %ProgramFiles%\AntivirusGold\usageStats.xml

Note:
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
* %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

2. Creates the following registry subkeys:

HKEY_CLASSES_ROOT\AppID\Cerberus.EXE
HKEY_CLASSES_ROOT\AppID\{70F17C8C-1744-41B6-9D07-575DB448DCC5}
HKEY_CLASSES_ROOT\CLSID\{020B1227-417D-4682-9AC3-61F43CB5B6B1}
HKEY_CLASSES_ROOT\CLSID\{125494B2-ACAD-414c-98B9-452F3EF7703A}
HKEY_CLASSES_ROOT\CLSID\{20A3D913-30EF-4e69-B3F7-93B3F1FB9D5C}
HKEY_CLASSES_ROOT\CLSID\{3D00A39C-655B-428b-AEB2-2FBA03DCC49C}
HKEY_CLASSES_ROOT\CLSID\{408F660A-9465-44a3-B557-8709DFD992BC}
HKEY_CLASSES_ROOT\CLSID\{5F6BBD8A-18CF-4d55-8B4C-C9B4C9328DFE}
HKEY_CLASSES_ROOT\CLSID\{8C56B6CE-C53F-44c4-9BDC-A9BC1711D05A}
HKEY_CLASSES_ROOT\CLSID\{8EE6BF73-B370-4d13-9126-EB0071178F2E}
HKEY_CLASSES_ROOT\CLSID\{97F56E12-C706-4aeb-9FFB-133C05EE5D38}
HKEY_CLASSES_ROOT\CLSID\{9BB7E700-4E48-476d-B75C-6F47606BE988}
HKEY_CLASSES_ROOT\CLSID\{CBCACA58-1AEE-4600-8CF0-E8B30BFF1535}
HKEY_CLASSES_ROOT\CLSID\{D6D64CDF-0363-4261-B723-29A3AF365E1D}
HKEY_CLASSES_ROOT\Interface\{27ED4AC2-B6D8-4079-9831-017A100B391E}
HKEY_CLASSES_ROOT\Interface\{3F6D6C35-FB73-45E6-9473-BB4CC25CE019}
HKEY_CLASSES_ROOT\Interface\{715D709B-2B10-42FA-A069-297D25D93601}
HKEY_CLASSES_ROOT\Interface\{872C1B1E-3CF0-4D3A-95E5-A0C662D2854C}
HKEY_CLASSES_ROOT\Interface\{886B1D08-B404-40F0-AA18-4E416682A2E9}
HKEY_CLASSES_ROOT\Interface\{8B5F65CF-0B0A-4291-8DA2-86D7F7B0A6DB}
HKEY_CLASSES_ROOT\Interface\{925B0211-A1C1-4712-8FCA-5F5B8101736D}
HKEY_CLASSES_ROOT\Interface\{B01E37C4-5497-4D58-9FFD-D5653B8DC866}
HKEY_CLASSES_ROOT\Interface\{CCAA201C-C48D-48A8-A1E8-846562CBF1C1}
HKEY_CLASSES_ROOT\Interface\{D483521B-D5CC-43FF-A45A-9BE4A8E6606E}
HKEY_CLASSES_ROOT\Interface\{ED2AFF47-B7BE-4273-A203-C796E87F72D2}
HKEY_CLASSES_ROOT\Interface\{F0FA7ED9-5A0A-4374-B63E-BEBAFD52192E}
HKEY_CLASSES_ROOT\Interface\{F5DEE77C-87EB-4E00-BBF9-8CBF3BDEA7AF}
HKEY_CLASSES_ROOT\Interface\{FB5DDAB7-6AA5-4E97-9541-5A75ADDF4ABA}
HKEY_CLASSES_ROOT\Interface\{FDDF521B-0EBE-4D15-838C-73E2D851161B}
HKEY_CLASSES_ROOT\Interface\{FF609434-EB47-481B-BA0E-1D2B467629A5}
HKEY_CLASSES_ROOT\TypeLib\{60F94D7D-563E-4942-B5EC-2DE9C135C139}
HKEY_CLASSES_ROOT\Cerberus.EngineListener
HKEY_CLASSES_ROOT\Cerberus.EngineListener.1
HKEY_CLASSES_ROOT\Cerberus.Scanner
HKEY_CLASSES_ROOT\Cerberus.Scanner.1
HKEY_CLASSES_ROOT\Cerberus.ThreatCollection
HKEY_CLASSES_ROOT\Cerberus.ThreatCollection.1
HKEY_CLASSES_ROOT\Engine.Backup
HKEY_CLASSES_ROOT\Engine.Backup.1
HKEY_CLASSES_ROOT\Engine.IgnoreList
HKEY_CLASSES_ROOT\Engine.IgnoreList.1
HKEY_CLASSES_ROOT\Engine.Log
HKEY_CLASSES_ROOT\Engine.Log.1
HKEY_CLASSES_ROOT\Engine.LogRecord
HKEY_CLASSES_ROOT\Engine.LogRecord.1
HKEY_CLASSES_ROOT\Engine.Paths
HKEY_CLASSES_ROOT\Engine.Paths.1
HKEY_CLASSES_ROOT\Engine.Quarantine
HKEY_CLASSES_ROOT\Engine.Quarantine.1
HKEY_CLASSES_ROOT\Engine.RunAs
HKEY_CLASSES_ROOT\Engine.RunAs.1
HKEY_CLASSES_ROOT\Engine.SearchItem
HKEY_CLASSES_ROOT\Engine.SearchItem.1
HKEY_CLASSES_ROOT\Engine.Threat
HKEY_CLASSES_ROOT\Engine.Threat.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\AntivirusGold.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntivirusGold
HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusGold

3. Adds the value:

"AntivirusGold" = "%ProgramFiles%\AntiVirusGold\AntiVirusGold.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.

4. Displays a dialog box informing the user that the computer is infected with malware when the user attempts to perform a scan. This occurs even if the computer is not infected. The program gives no details as to why it reports the computer as infected, and it may prompt the user to purchase a full version of the software to remove the supposed malware.
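A defender-side check for the artifacts listed in steps 1 and 3, added here as an example and not part of the Symantec signature: it audits the text output of a `reg query` on the Run key and a list of files present on disk against the AntivirusGold paths above, expanding the %ProgramFiles% and %UserProfile% defaults from the note. The user name "Alice" and the sample lines are constructed.

```python
"""Audit Run-key autostart entries and file paths for AntivirusGold artifacts."""
import ntpath
import re

# Indicators copied from the advisory (value name from step 3, files from step 1).
RUN_VALUE_NAME = "antivirusgold"
KNOWN_FILES = [r"%ProgramFiles%\AntivirusGold\AntivirusGold.exe",
               r"%ProgramFiles%\AntivirusGold\uninst.exe",
               r"%ProgramFiles%\AntivirusGold\db.dat",
               r"%UserProfile%\Local Settings\Temp\AGLanguage.ini"]
# Default expansions from the advisory's note; the user name "Alice" is an assumption.
ENV = {"%ProgramFiles%": r"C:\Program Files",
       "%UserProfile%": r"C:\Documents and Settings\Alice"}

def normalize(path):
    """Expand %VAR% placeholders and lower-case the path: Windows paths are
    case-insensitive, so step 3's AntiVirusGold.exe is step 1's AntivirusGold.exe."""
    p = path.strip().strip('"').lower()
    for var, value in ENV.items():
        p = p.replace(var.lower(), value.lower())
    return ntpath.normpath(p)

KNOWN_NORMALIZED = {normalize(p) for p in KNOWN_FILES}

def audit_run_key(reg_query_output):
    """Return (value name, data) pairs from reg query output of the Run key that
    use the AntivirusGold value name or point at a known AntivirusGold file."""
    hits = []
    for line in reg_query_output.splitlines():
        m = re.match(r"\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$", line)
        if not m:
            continue  # key header, blank line or other non-value text
        name, _reg_type, data = m.groups()
        if name.lower() == RUN_VALUE_NAME or normalize(data) in KNOWN_NORMALIZED:
            hits.append((name, data.strip()))
    return hits

def audit_files(present_paths):
    """Return the paths among present_paths that are known AntivirusGold files."""
    return sorted(p for p in present_paths if normalize(p) in KNOWN_NORMALIZED)

# Constructed sample data: one Run key with the step-3 entry and a partial file listing.
SAMPLE_RUN_QUERY = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    AntivirusGold    REG_SZ    C:\Program Files\AntiVirusGold\AntiVirusGold.exe
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""
SAMPLE_FILES = [r"C:\Program Files\AntivirusGold\db.dat",
                r"C:\Documents and Settings\Alice\Local Settings\Temp\AGLanguage.ini",
                r"C:\WINDOWS\system32\ctfmon.exe"]
```

Matching on the normalized path as well as the value name means a renamed Run value that still launches AntivirusGold.exe is also flagged.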

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows XP