Installation
Antivirus Security Pro creates an identifier made up of eight letters or numbers, for example, X7gngpng. It then creates a folder with this name under the %APPDATA% or <commonappdata> directory. It creates the following files in this directory:
- <identifier>.exe - a copy of itself
- <identifier>.ico - an icon file
- <identifier>.in or <identifier><8 random letters or digits>.in - a data file
- <identifier>.lg or <identifier><8 random letters or digits>.lg - a data file
- <identifier>.exe.manifest - a data file
- serv.bat - an MS-DOS batch script that changes the registry and stops services. It might also be detected as Rogue:Win32/Winwebsec
Examples of these files are:
Antivirus Security Pro creates the following registry entry to ensure that it runs each time you start your PC:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: AS2014
With data: <location of malware copy>, for example %APPDATA%\X7gngpng\X7gngpng.exe
It creates a desktop shortcut with the file name <desktop folder>\Antivirus Security Pro.lnk, which looks like the following:
It also creates a URL shortcut on the desktop with the file name <desktop folder>\Antivirus Security Pro support.url:
It creates a shortcut in <start menu>\Programs\Antivirus Security Pro\Antivirus Security Pro.lnk.
It creates a URL shortcut in <start menu>\Programs\Antivirus Security Pro\Antivirus Security Pro support.url:
Payload
Displays a fake scanner
Antivirus Security Pro does a fake scan of your PC. It then falsely claims that a number of files on your PC are infected with malware. It tells you that you need to pay money to register the program if you want to clean the reported infections.
Some examples of the interface, fake alerts, fake scanning results, and pop-ups are shown below:
Antivirus Security Pro might show a user interface in English, French, German, Italian, Portuguese, or Spanish. However, the details of the threats detected are always reported in English. The following shows the Italian version of the user interface:
Stops processes
Antivirus Security Pro can stop you from launching applications by blocking the process. It will show you a message that falsely claims that the process is infected. It continues to monitor all running processes, and might stop any new process when it is launched.
It will stop any process unless it has one of the following file names:
- aeadisrv.exe
- alg.exe
- audiodg.exe
- cleaner.exe
- conhost.exe
- csrss.exe
- ctfmon.exe
- dllhost.exe
- driverquery.exe
- dumprep.exe
- dwm.exe
- dwwin.exe
- explorer.exe
- httpd.exe
- iastordatamgrsvc.exe
- ie4uinit.exe
- iedw.exe
- ieuser.exe
- iexplore.exe
- iexplorer.exe
- livesp.exe
- lsass.exe
- lsm.exe
- makecab.exe
- mdnsresponder.exe
- mfnsvc.exe
- msdtc.exe
- nvscpapisvr.exe
- nvsvc.exe
- nvvsvc.exe
- pdagent.exe
- ping.exe
- reg.exe
- relver.exe
- rundll32.exe
- sc.exe
- searchindexer.exe
- searchprotocolhost.exe
- services.exe
- slsvc.exe
- smss.exe
- snort.exe
- spoolsv.exe
- svchost.exe
- sysdoctor.exe
- systeminfo.exe
- taskeng.exe
- taskhost.exe
- userinit.exe
- verclsid.exe
- vmacthlp.exe
- vmtoolsd.exe
- werfault.exe
- wininit.exe
- winlogon.exe
- winroute.exe
- wmiprvse.exe
- wmpnetwk.exe
- wscntfy.exe
- wuauclt.exe
The following processes will always be stopped; this list includes some Internet browsers:
- chrome.exe
- cmd.exe
- firefox.exe
- msconfig.exe
- opera.exe
- regedit.exe
- safari.exe
- taskmgr.exe
When it stops a process it shows an image similar to the following:
Stops and disables services
Antivirus Security Pro tries to stop the following services, and disable them so that they will not restart when you turn your PC on:
- msmpsvc (Microsoft Security Essentials)
- windefend (Windows Defender)
- wscsvc (Windows Security Center)
- wuauserv (Windows Update)
It also tries to disable the following service:
- luafv (UAC File Virtualization Filter)
Changes security settings
Antivirus Security Pro might try to change your PC's security settings by making a number of registry modifications.
It tries to disable various Windows Security Center notifications by making the following changes to the registry:
In subkey: HKLM\SOFTWARE\Microsoft\Security Center
In subkey: HKLM\SOFTWARE\Microsoft\Security Center\svc
Sets value: "AntiVirusDisableNotify"
With data: "1"
Sets value: "AntiVirusOverride"
With data: "1"
Sets value: "FirewallDisableNotify"
With data: "1"
Sets value: "FirewallOverride"
With data: "1"
Sets value: "UpdatesDisableNotify"
With data: "1"
It tries to prevent the creation of automatic System Restore points by making the following changes to the registry:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Sets value: "RPSessionInterval"
With data: "0"
It tries to disable User Account Control (UAC) by making the following changes to the registry:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
Sets value: "EnableLUA"
With data: "0"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
Sets value: "EnableVirtualization"
With data: "0"
It tries to prevent Windows Defender from running at startup by deleting the following registry entries:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Deletes value: Windows Defender
Deletes value: MSASCui
It tries to disable System Protection by removing the following registry key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP\Clients
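As an added defender-side example (not part of the original write-up), the following Python reads a registry export and flags the Run-key persistence from the Installation section together with the Security Center, System Restore and UAC changes listed above. The .reg text is constructed for the example, and the 8-character folder/executable pattern is an assumption taken from the identifier format described earlier.

```python
import re
# Constructed .reg-style export (not from a real machine) reproducing the
# Run entry and security-setting changes described in the write-up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AS2014"="C:\\Users\\user\\AppData\\Roaming\\X7gngpng\\X7gngpng.exe"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\svc]
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"RPSessionInterval"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000
"EnableVirtualization"=dword:00000001
"""

# Folder and copied executable share one 8-character identifier (X7gngpng\X7gngpng.exe).
IDENT_COPY = re.compile(r"\\([A-Za-z0-9]{8})\\\1\.exe$", re.IGNORECASE)
NOTIFY_VALUES = {"antivirusdisablenotify", "antivirusoverride", "firewalldisablenotify",
                 "firewalloverride", "updatesdisablenotify"}
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

def parse_reg(text):
    """Map (subkey, value name), both lower-cased, to string or integer data."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := VALUE_RE.match(line)):
            name, s, dw = m.groups()
            entries[(key, name.lower())] = int(dw, 16) if dw is not None else s.replace("\\\\", "\\")
    return entries

def find_indicators(text):
    """Return one human-readable finding per indicator present in the export."""
    findings = []
    for (key, name), data in parse_reg(text).items():
        if key.endswith(r"\currentversion\run") and isinstance(data, str) and IDENT_COPY.search(data):
            findings.append(f"run-key persistence: {name} -> {data}")
        elif key.endswith("security center") or key.endswith(r"security center\svc"):
            if name in NOTIFY_VALUES and data == 1:
                findings.append(f"security center notification suppressed: {name}=1")
        elif key.endswith(r"\systemrestore") and name == "rpsessioninterval" and data == 0:
            findings.append("automatic restore points disabled: rpsessioninterval=0")
        elif key.endswith(r"\policies\system") and name in ("enablelua", "enablevirtualization") and data == 0:
            findings.append(f"uac setting disabled: {name}=0")
    return findings
```

On a live system the same checks can be run over the output of `reg export` for each of the listed subkeys; a finding is a reason to inspect the referenced folder and re-enable the affected settings and services.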
Closes windows
If you try to open one of the following windows or programs, or if any alerts are displayed by these programs, the rogue might try to close them:
- fwcplui_class (Windows Firewall)
- msascui_class (Windows Defender)
- wscui_class (Windows Security Center)
Blocks access to websites
The rogue might try to block access to some websites, instead showing a page similar to:
Analysis by David Wood