
AntiVirusXP2008

Updated: July 16, 2008 2:17:38 PM
Type: Misleading Application
Name: AntiVirusXP2008
Risk Impact: Medium
Systems Affected: Windows
Behavior
The program must be manually downloaded and installed.

The program reports false or exaggerated system security threats on the computer.

The user is then prompted to pay for a full license of the application in order to remove the threats.

Installation
When the program is executed, it creates the following files:
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
%ProgramFiles%\[RANDOM NAME]\database.dat
%ProgramFiles%\[RANDOM NAME]\license.txt
%ProgramFiles%\[RANDOM NAME]\MFC71.dll
%ProgramFiles%\[RANDOM NAME]\MFC71ENU.DLL
%ProgramFiles%\[RANDOM NAME]\msvcp71.dll
%ProgramFiles%\[RANDOM NAME]\msvcr71.dll
%ProgramFiles%\[RANDOM NAME]\rhccv9j0e1b1.exe
%ProgramFiles%\[RANDOM NAME]\rhccv9j0e1b1.exe.local
%ProgramFiles%\[RANDOM NAME]\Uninstall.exe
%System%\[RANDOM NAME].exe

It then creates the following folder:
%UserProfile%\Application Data\[RANDOM NAME]

Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[RANDOM NAME]" = "C:\Program Files\[RANDOM NAME]\[RANDOM NAME].exe"

The program then creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\"AntivirXP08" = "AntivirXP08"

It also creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\[RANDOM NAME]
HKEY_LOCAL_MACHINE\SOFTWARE\[RANDOM NAME]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\[RANDOM NAME]
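
The file and registry indicators above translate directly into an on-host triage check. The following PowerShell script is an added example and is not part of Symantec's write-up: it tests for the fixed-name indicators the write-up gives verbatim (the AntivirXP08 Post Platform value, the Antivirus XP 2008 shortcuts, the rhccv9j0e1b1.exe file) and, because the folder and executable names are random, matches the shape of the Run value rather than a fixed string. The shape heuristic, the handling of a 64-bit Program Files (x86) directory, the corroboration against the Uninstall subkey and the high/medium/low confidence labels are this script's own assumptions, as is the requirement for PowerShell 3 or later with read access to HKLM. It only reports; it removes nothing.

```powershell
# Added example, not Symantec's code: read-only triage for the AntiVirusXP2008
# indicators listed in the write-up. Indicator names and registry locations
# come from the write-up; the Run-value shape match, the x64 Program Files
# handling and the confidence labels are this script's own assumptions.
# Assumes PowerShell 3 or later and read access to HKLM.

$findings     = New-Object 'System.Collections.Generic.List[string]'
$suspectNames = New-Object 'System.Collections.Generic.List[string]'

function Add-Finding([string]$Confidence, [string]$Text) {
    $findings.Add("[$Confidence] $Text")
}

# 1. Fixed-name registry indicator. The write-up gives this value verbatim,
#    so it does not depend on the random folder name.
$uaKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform'
$ua = Get-ItemProperty -LiteralPath $uaKey -ErrorAction SilentlyContinue
if ($ua -and $ua.PSObject.Properties['AntivirXP08']) {
    Add-Finding 'high' "value 'AntivirXP08' present under $uaKey"
}

# 2. Shortcuts the installer drops. GetFolderPath resolves the XP-era
#    "Documents and Settings\All Users" paths from the write-up on any Windows version.
$commonDesktop  = [Environment]::GetFolderPath('CommonDesktopDirectory')
$commonPrograms = [Environment]::GetFolderPath('CommonPrograms')
$shortcuts = @(
    (Join-Path $commonDesktop  'Antivirus XP 2008.lnk'),
    (Join-Path $commonPrograms 'Antivirus XP 2008.lnk'),
    (Join-Path $commonPrograms 'Antivirus XP 2008\Antivirus XP 2008.lnk'),
    (Join-Path $env:APPDATA    'Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk')
)
foreach ($lnk in $shortcuts) {
    if (Test-Path -LiteralPath $lnk) { Add-Finding 'high' "shortcut exists: $lnk" }
}

# 3. Run-key persistence. Folder and executable names are random, so match the
#    shape "<Program Files>\<NAME>\<NAME>.exe" and then look in that folder for
#    the fixed file name rhccv9j0e1b1.exe. Shape alone is low confidence
#    (legitimate software can look like this); shape plus the fixed file is high.
$pfDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$pfAlt  = ($pfDirs | ForEach-Object { [regex]::Escape($_) }) -join '|'
$shape  = '^"?(?<dir>(?:' + $pfAlt + ')\\(?<name>[^\\"]+))\\(?<exe>[^\\"]+)\.exe"?$'
$noise  = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($noise -contains $prop.Name) { continue }   # provider metadata, not Run values
        $data = [string]$prop.Value
        $m = [regex]::Match($data, $shape, 'IgnoreCase')
        if (-not $m.Success) { continue }
        $dir  = $m.Groups['dir'].Value
        $name = $m.Groups['name'].Value
        if (Test-Path -LiteralPath (Join-Path $dir 'rhccv9j0e1b1.exe')) {
            Add-Finding 'high' "Run value '$($prop.Name)' = $data and rhccv9j0e1b1.exe is present in $dir"
            $suspectNames.Add($name)
        } elseif ($name -ieq $m.Groups['exe'].Value) {
            Add-Finding 'low' "Run value '$($prop.Name)' = $data (folder and exe share a name; review manually)"
            $suspectNames.Add($name)
        }
    }
}

# 4. The write-up says the Uninstall subkey reuses the same random name, so a
#    subkey matching a flagged Run value corroborates the finding.
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
foreach ($name in $suspectNames) {
    if (Test-Path -LiteralPath (Join-Path $uninstall $name)) {
        Add-Finding 'medium' "Uninstall subkey '$name' matches a flagged Run value"
    }
}

if ($findings.Count -eq 0) { 'No AntiVirusXP2008 indicators found.' } else { $findings }
```

Run it from an elevated PowerShell prompt on the host under review. The %System%\[RANDOM NAME].exe copy cannot be matched by name, which is why the script leans on the fixed-name indicators and then uses the Run value to discover the random name and check the Uninstall subkey against it; a lone "low" finding on a Run value is a prompt for manual review, not a verdict.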

Similar Security Risks

MalwareProtector2008
