XPAntivirus

Updated: October 10, 2007 2:06:21 PM
Type: Misleading Application
Name: XPAntivirus
Risk Impact: Medium
Systems Affected: Windows

Behavior
The program must be manually installed.

The program reports false or exaggerated system security threats on the computer.

The user is then prompted to pay for a full license of the application in order to remove the errors.

Installation
When the program is executed, it creates the following files:
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\XPAntivirus.lnk
  • %UserProfile%\Desktop\XPAntivirus.lnk
  • %Programs%\XP antivirus\Uninstall XPAntivirus.lnk
  • %Programs%\XP antivirus\XPAntivirus on the Web.lnk
  • %Programs%\XP antivirus\XPAntivirus.lnk
  • %ProgramFiles%\XPAntivirus\backup.lst
  • %ProgramFiles%\XPAntivirus\helper.sys
  • %ProgramFiles%\XPAntivirus\pn.cfg
  • %ProgramFiles%\XPAntivirus\spyware.dat
  • %ProgramFiles%\XPAntivirus\SysBackup\explorer.exe
  • %ProgramFiles%\XPAntivirus\SysBackup\explorer.exe.md5
  • %ProgramFiles%\XPAntivirus\SysBackup\ntoskrnl.exe
  • %ProgramFiles%\XPAntivirus\SysBackup\ntoskrnl.exe.md5
  • %ProgramFiles%\XPAntivirus\SysBackup\shlwapi.dll
  • %ProgramFiles%\XPAntivirus\SysBackup\shlwapi.dll.md5
  • %ProgramFiles%\XPAntivirus\SysBackup\wininet.dll
  • %ProgramFiles%\XPAntivirus\SysBackup\wininet.dll.md5
  • %ProgramFiles%\XPAntivirus\unins000.dat
  • %ProgramFiles%\XPAntivirus\unins000.exe
  • %ProgramFiles%\XPAntivirus\ver.dat
  • %ProgramFiles%\XPAntivirus\whitelist.cfg
  • %ProgramFiles%\XPAntivirus\XPAntivirus.exe
  • %ProgramFiles%\XPAntivirus\XPAntivirus.url
  • %ProgramFiles%\XPAntivirus\XPAntivirusUpdate.exe
  • %ProgramFiles%\XPAntivirus\XPAntivirus_log.txt


Next, the program creates the following registry entries so that it executes whenever Windows starts:
  • HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run\"XP antivirus" = "C:\Program Files\XPAntivirus\XPAntivirus.exe"
  • HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run\"XPAntivirus" = "C:\Program Files\XPAntivirus\XPAntivirus.exe"


The program creates the following registry subkeys:
  • HKEY_USERS\Software\XP antivirus
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XP antivirus_is1
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XPAntivirusFilter
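
As an added example (not part of the Symantec write-up), the following read-only PowerShell function checks a host for the Run values, registry subkeys and core program files listed above. Assumptions: the function name is hypothetical, HKEY_USERS\Software is read as each user hive loaded under HKEY_USERS\<SID>, and the 32-bit Program Files directory is also checked on 64-bit Windows.

```powershell
# Added example: reports XPAntivirus artifacts from this write-up; changes nothing.
function Find-XPAntivirusArtifact {
    # Per-user entries. The write-up gives HKEY_USERS\Software\...; assumption:
    # that means every user hive loaded under HKEY_USERS\<SID>.
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' }
    foreach ($hive in $hives) {
        $root   = "Registry::$($hive.Name)"
        $runKey = "$root\Software\Microsoft\Windows\CurrentVersion\Run"
        $run    = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
        foreach ($name in 'XP antivirus', 'XPAntivirus') {
            # Both Run value names point at the same executable in the write-up.
            $value = if ($run) { $run.PSObject.Properties[$name] }
            if ($value) {
                [pscustomobject]@{ Kind = 'RunValue'; Location = $runKey; Detail = "$name = $($value.Value)" }
            }
        }
        $userKey = "$root\Software\XP antivirus"
        if (Test-Path -LiteralPath $userKey) {
            [pscustomobject]@{ Kind = 'Subkey'; Location = $userKey; Detail = '' }
        }
    }

    # Machine-wide subkeys: the uninstall entry and the XPAntivirusFilter service key.
    foreach ($key in 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XP antivirus_is1',
                     'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XPAntivirusFilter') {
        if (Test-Path -LiteralPath "Registry::$key") {
            [pscustomobject]@{ Kind = 'Subkey'; Location = $key; Detail = '' }
        }
    }

    # Files under %ProgramFiles%\XPAntivirus (a subset of the file list above).
    # Assumption: on 64-bit Windows the 32-bit Program Files directory is checked too.
    $bases = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
    foreach ($base in $bases) {
        foreach ($file in 'XPAntivirus.exe', 'XPAntivirusUpdate.exe', 'helper.sys', 'unins000.exe') {
            $path = Join-Path (Join-Path $base 'XPAntivirus') $file
            if (Test-Path -LiteralPath $path) {
                [pscustomobject]@{ Kind = 'File'; Location = $path; Detail = (Get-Item -LiteralPath $path).LastWriteTime }
            }
        }
    }
}

Find-XPAntivirusArtifact | Format-Table -AutoSize
```

Run it from an elevated prompt so that hives of other logged-on users are readable; hives of users who are not logged on are not loaded under HKEY_USERS and are not covered.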