
AntiVirus2010

Updated: September 22, 2009 11:37:24 AM
Type: Misleading Application
Name: AntiVirus Pro 2010
Publisher: AntiVirusPro21.com
Risk Impact: Medium
Systems Affected: Windows

Behavior
The program must be manually installed.

The program reports false or exaggerated system security threats on the computer.

The user is then prompted to pay for a full license of the application in order to remove the threats.

Installation
When the program is executed, it creates the following files:
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
  • %UserProfile%\Application Data\[RANDOM NAME ONE].dl
  • %UserProfile%\Desktop\AntivirusPro_2010.lnk
  • %UserProfile%\Local Settings\Application Data\[RANDOM NAME TWO].dat
  • %UserProfile%\Local Settings\Application Data\[RANDOM NAME THREE].com
  • %UserProfile%\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
  • %UserProfile%\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
  • C:\Documents and Settings\All Users\Application Data\[RANDOM NAME FOUR].db
  • C:\Documents and Settings\All Users\Application Data\[RANDOM NAME FIVE].pif
  • C:\Documents and Settings\All Users\Application Data\[RANDOM NAME SIX]._sy
  • C:\Documents and Settings\All Users\Application Data\[RANDOM NAME SEVEN].dl
  • C:\Documents and Settings\All Users\Documents\[RANDOM NAME EIGHT].com
  • C:\Documents and Settings\All Users\Documents\[RANDOM NAME NINE].exe
  • %CommonProgramFiles%\[RANDOM NAME TEN].pif
  • %CommonProgramFiles%\[RANDOM NAME ELEVEN].bin
  • %CommonProgramFiles%\[RANDOM NAME TWELVE].lib
  • %CommonProgramFiles%\[RANDOM NAME THIRTEEN].lib
  • %ProgramFiles%\AntivirusPro_2010\AntivirusPro_2010.cfg
  • %ProgramFiles%\AntivirusPro_2010\AntivirusPro_2010.exe
  • %ProgramFiles%\AntivirusPro_2010\AVEngn.dll
  • %ProgramFiles%\AntivirusPro_2010\data\daily.cvd
  • %ProgramFiles%\AntivirusPro_2010\htmlayout.dll
  • %ProgramFiles%\AntivirusPro_2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
  • %ProgramFiles%\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll
  • %ProgramFiles%\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll
  • %ProgramFiles%\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll
  • %ProgramFiles%\AntivirusPro_2010\pthreadVC2.dll
  • %ProgramFiles%\AntivirusPro_2010\Uninstall.exe
  • %ProgramFiles%\AntivirusPro_2010\wscui.cpl
  • %System%\[RANDOM NAME FOURTEEN].exe
  • %System%\[RANDOM NAME FIFTEEN].vbs
  • %System%\[RANDOM NAME SIXTEEN].vbs
  • %System%\[RANDOM NAME SEVENTEEN].cpl
  • %Windir%\[RANDOM NAME EIGHTEEN].bin
  • %Windir%\[RANDOM NAME NINETEEN].dl
  • %Windir%\[RANDOM NAME TWENTY].dll
  • %Windir%\[RANDOM NAME TWENTY ONE].exe
  • %Windir%\[RANDOM NAME TWENTY TWO].sys
Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Antivirus Pro 2010" = "C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe"

It also creates the following registry subkeys:
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Extensions
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SQM\PIDs
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{DBC80044-A445-435B-BC74-9C25C1C588A9}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}
  • HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusPro_2010
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\[ORIGINAL FILE NAME]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntivirusPro_2010

The risk may also modify the following registry entries, which disable the Windows Firewall for the domain profile and suppress Windows Security Center alerts about the firewall, automatic updates and antivirus status:
  • HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\"DisableNotifications" = "1"
  • HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\"EnableFirewall" = "0"
  • HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\"DoNotAllowExceptions" = "0"
  • HKEY_LOCAL_MACHINE\software\Microsoft\Security Center\"FirewallDisableNotify" = "1"
  • HKEY_LOCAL_MACHINE\software\Microsoft\Security Center\"UpdatesDisableNotify" = "1"
  • HKEY_LOCAL_MACHINE\software\Microsoft\Security Center\"AntiVirusOverride" = "1"
  • HKEY_LOCAL_MACHINE\software\Microsoft\Security Center\"AntiVirusDisableNotify" = "1"
  • HKEY_LOCAL_MACHINE\software\Microsoft\Security Center\"FirewallOverride" = "1"
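As an added example that is not part of this writeup, the following Python script reads an exported .reg file offline and reports which of the Run-key persistence entry and the Security Center / firewall policy values listed above are present. The .reg sample is constructed for illustration, and the function and constant names are my own.

```python
# Indicators taken from the writeup: the Run-key persistence entry plus the
# Security Center / Windows Firewall policy values the risk sets.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Antivirus Pro 2010"
SC = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
FW = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
      r"\Parameters\FirewallPolicy\DomainProfile")
# (key, value name) -> value written by the risk. DoNotAllowExceptions=0 is also
# the Windows default, so alone it is a weak signal; the others are not defaults.
TAMPER = {(SC, "FirewallDisableNotify"): 1, (SC, "UpdatesDisableNotify"): 1,
          (SC, "AntiVirusOverride"): 1, (SC, "AntiVirusDisableNotify"): 1,
          (SC, "FirewallOverride"): 1, (FW, "DisableNotifications"): 1,
          (FW, "EnableFirewall"): 0, (FW, "DoNotAllowExceptions"): 0}

def _decode(data):  # dword:xxxxxxxx -> int, "quoted" -> unescaped str, else raw
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return data[1:-1].replace("\\\\", "\\")
    return data

def parse_reg_export(text):
    """Parse .reg text into {key.lower(): {name.lower(): value}} (case-insensitive)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            keys[current][name.lower()] = _decode(data)
    return keys

def find_indicators(keys):
    """Return (key, value name, value) for every writeup indicator present."""
    hits = [(k, n, v) for (k, n), v in TAMPER.items()
            if keys.get(k.lower(), {}).get(n.lower()) == v]
    run = keys.get(RUN_KEY.lower(), {})
    if RUN_VALUE.lower() in run:
        hits.append((RUN_KEY, RUN_VALUE, run[RUN_VALUE.lower()]))
    return hits

# Constructed sample export (not a real capture); UpdatesDisableNotify is at its
# benign value and must not match, the other three entries should.
SAMPLE_EXPORT = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Antivirus Pro 2010"="C:\\Program Files\\AntivirusPro_2010\\AntivirusPro_2010.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=dword:00000000
'''
```

Run `find_indicators(parse_reg_export(open("export.reg").read()))` against a `reg export HKLM` dump taken from the suspect host to get the matching entries.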

Similar Security Risks
  • XPAntivirus
  • Antivirus XP 2010