Total Anti Malware Protection
Aliases: No associated aliases
Summary
Total Anti Malware Protection is a variant of Win32/FakeVimes - a family of programs that claims to scan for malware and displays fake warnings of "malicious programs and viruses". They then inform the user that they need to pay money to register the software in order to remove these non-existent threats. It may also modify security settings, prevent programs from running, and modify the Hosts file.
To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:
Threat behavior
Installation
Total Anti Malware Protection is installed by a downloader, which may also be detected as Rogue:Win32/FakeVimes. This downloads an encrypted copy of the fake scanner, which it decrypts and writes to %common_appdata%\<five random hexadecimal digits>\TA<three random hexadecimal digits>_<four random decimal digits>.exe. An example location for Total Anti Malware Protection might be %common_appdata%\54fd6\TA3b8_8068.exe. It then launches the fake scanner.
It copies itself to %common_appdata%\<five random hexadecimal digits>\TA<random digits>.exe (for example %common_appdata%\54fd6\TA239.exe).
It then creates a registry entry so that this copy is run each time Windows starts:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Total Anti Malware Protection"
With data: "<location of malware>" /s /d (for example, "%common_appdata%\54fd6\TA239.exe" /s /d)
It drops an icon file TAMP.ico to the same directory as the copied malware (for example, %common_appdata%\54fd6\TAMP.ico)
It also creates empty folders "Quarantine Items" and "TAMPSys" under the same folder as the original copy of the scanner.
It creates a desktop shortcut at %desktopdir%\Total Anti Malware Protection.lnk.
It adds an item to Start Menu by creating a file at %startmenu%\Total Anti Malware Protection.lnk.
It adds an item to the Programs Menu by creating a file at %programs%\Total Anti Malware Protection.lnk.
It adds an icon to the Quick Launch bar by creating a file at %appdata%\Microsoft\Internet Explorer\Quick Launch\Total Anti Malware Protection.lnk.
Total Anti Malware Protection then creates a configuration file in a location such as %common_appdata%\TAGJXQMP\TAFQLVLTMP.cfg.
Lastly, it creates a number of small junk files in the %userprofile%\Recent directory, which it can report as infected when performing its fake scan. These files are harmless by themselves.
Payload
Displays fake scanner
The malware masquerades as an antivirus scanner, and displays a number of windows, dialog boxes and system tray pop-ups in an attempt to convince you that you are infected. This appears to be an attempt to replicate the appearance of Microsoft Security Essentials.
If you try to remove the listed threats, you will be taken to a webpage informing you that you must pay to register the scanner in order to do so.
Adds details to Security Center
The malware adds its details to the legitimate Security Center by dropping a file named <four digit random number>.mof (for example, 5668.mof) to the directory in which it is running, and then launching a system tool using this file as input. It adds itself as both the Antivirus Product and Firewall Product:
Modifies Hosts file
Total Anti Malware Protection modifies the Windows Hosts file. The local Hosts file overrides the DNS resolution of a website URL to a particular IP address. Malware may make modifications to the Hosts file in order to redirect specified URLs to different IP addresses. Malware often modifies an affected computer's Hosts file in order to stop users from accessing websites associated with particular security-related applications (such as antivirus, for example).
Total Anti Malware Protection attempts to modify the Hosts file at %windows%\drivers\etc\hosts to remove the following entries if they are present:
- 64.86.17.32
- hxxp://secure1.bestscansystems.com
- hxxp://www5.total-anti-malware-protection.com
- safe-pay-vault.com
- secure-softsales-discount.com
- secure.securepay-processor.com
- vsoftstore.com
- www<dot>webpayvault<dot>com
These entries may have been added earlier (by competing malware, for instance, or even by another security-conscious administrator) to prevent you from visiting the websites of Win32/FakeVimes or its payment gateways.
Some variants of Win32/FakeVimes have also been reported to add additional entries to the Hosts file in order to block access to security related websites, or redirect visits to search pages to sites of the malware's choosing.
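As an added example (not code from the original Microsoft entry), the following PowerShell function parses the Hosts file and reports the two manipulations described above: security-related names pinned to a local address, and names pointed at a non-local address. The function name and the $WatchDomains list are assumptions for illustration.

```powershell
# Added example, not part of the original Microsoft entry. Lists the active entries in the
# Windows Hosts file and flags the two manipulations described above: security-related names
# pinned to a local address (blocking) and names pointed at a non-local address (redirection).
# $WatchDomains is an assumed, illustrative list; the function only reports, it changes nothing.
function Get-SuspiciousHostsEntries {
    param(
        [string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts",
        [string[]]$WatchDomains = @('microsoft.com', 'windowsupdate.com', 'eset.com', 'avg.com')
    )
    $localAddresses = @('127.0.0.1', '::1', '0.0.0.0')
    foreach ($line in Get-Content -Path $Path -ErrorAction Stop) {
        $text = ($line -split '#')[0].Trim()        # strip comments and blank lines
        if (-not $text) { continue }
        $parts = $text -split '\s+'
        if ($parts.Count -lt 2) { continue }        # an address with no host name
        $address = $parts[0]
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            $isLocal = $localAddresses -contains $address
            $watched = $WatchDomains | Where-Object { $name -like "*$_" }
            if ($isLocal -and $watched) {
                [pscustomobject]@{ Host = $name; Address = $address; Finding = 'security site blocked' }
            } elseif (-not $isLocal) {
                # legitimate intranet mappings also land here; review rather than act on them
                [pscustomobject]@{ Host = $name; Address = $address; Finding = 'redirected to non-local address' }
            }
        }
    }
}

Get-SuspiciousHostsEntries | Format-Table -AutoSize
```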
Monitors browser traffic
The malware creates the following registry entry, which causes Internet Explorer to use a web proxy on the local computer.
In subkey: HKCU\Software\Microsoft\Internet Explorer
Sets value: "PRS"
With data: "hxxp://127.0.0.1:27777/?inj=%ORIGINAL%"
It then listens on port 27777 for the proxied web traffic. Should it find pages that it does not want you to view, it may block access to this content, or close browser tabs or windows.
Modifies default search page
The malware attempts to alter the default search page for Internet Explorer by creating a registry entry such as the following:
In subkey: HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes
Sets value: "URL"
With data: "hxxp://findgala.com/?&uid=8068&q={searchTerms}"
Modifies security settings
It creates the following registry entries in an attempt to allow Internet Explorer to run unsigned or incorrectly signed executables without displaying a warning:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Download
Sets value: "CheckExeSignatures"
With data: "no"
Sets value: "RunInvalidSignatures"
With data: "1"
If the computer is running Windows Vista or later, FakeVimes may also temporarily modify the registry entries below, to allow the Hosts file changes above to be made without a UAC (User Account Control) warning being displayed. After it has performed the changes, it may increase the security on these entries, but may use values other than the ones originally used.
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Modifies value: "ConsentPromptBehaviorAdmin"
Modifies value: "ConsentPromptBehaviorUser"
Modifies value: "EnableLUA"
Prevents programs from running
The malware attempts to prevent a number of executables associated with Microsoft Security Essentials and Windows Defender, as well as ESET and AVG antivirus products, from running. It does so by creating the following registry entries:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "DisallowRun"
With data: "1"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Sets value: "0"
With data: "msseces.exe"
Sets value: "1"
With data: "MSASCui.exe"
Sets value: "2"
With data: "ekrn.exe"
Sets value: "3"
With data: "egui.exe"
Sets value: "4"
With data: "avgnt.exe"
Sets value: "5"
With data: "avcenter.exe"
Sets value: "6"
With data: "avscan.exe"
Sets value: "7"
With data: "avgfrw.exe"
Sets value: "8"
With data: "avgui.exe"
Sets value: "9"
With data: "avgtray.exe"
Sets value: "10"
With data: "avgscanx.exe"
Sets value: "11"
With data: "avgcfgex.exe"
Sets value: "12"
With data: "avgemc.exe"
Sets value: "13"
With data: "avgchsvx.exe"
Sets value: "14"
With data: "avgcmgr.exe"
Sets value: "15"
With data: "avgwdsvc.exe"
The malware also attempts to prevent a number of other programs from running, by setting the harmless system process "svchost.exe" as a debugger for these programs. This means that when you attempt to launch one of these programs, svchost.exe is run instead of the program that you want to run.
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<file name of blocked program>
Sets value: "Debugger"
With data: "svchost.exe"
for example:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe
Sets value: "Debugger"
With data: "svchost.exe"
It does this for the following diagnostic or security-related programs:
It also does the same for the following files used by other rogue antivirus software:
Modifies browser settings
Total Anti Malware Protection modifies the affected computer's browser settings by making the following changes to the registry:
In subkey: HKCU\Software\Microsoft\Internet Explorer
Sets value: "IIL"
With data: "0"
Sets value: "ltHI"
With data: "0"
Sets value: "ltTST"
With data: <five digit number> (for example, 20212)
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "UID"
With data: <four digit identifier> (for example, 8068)
It also creates registry entries similar to the following, which add additional information to the string that a web browser uses to identify itself when connecting to a website:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
Sets value: "Engine/5.0<four digit identifier>" (for example, Engine/5.08068)
With data: ""
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
Sets value: "6999012603"
With data: ""
Analysis by David Wood
Prevention
Take the following steps to help prevent infection on your computer:
- Enable a firewall on your computer.
- Get the latest computer updates for all your installed software.
- Use up-to-date antivirus software.
- Limit user privileges on the computer.
- Use caution when opening attachments and accepting file transfers.
- Use caution when clicking on links to webpages.
- Avoid downloading pirated software.
- Protect yourself against social engineering attacks.
- Use strong passwords.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows Internet Connection Firewall.
- How to turn on the Windows Firewall in Windows 7
- How to turn on the Windows Firewall in Windows Vista
- How to turn on the Windows firewall in Windows XP
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. It is important to install updates for all the software that is installed on your computer. These are usually available from vendor websites. Instructions on how to download the latest versions of some common software are available from the following:
You can use the Automatic Updates feature in Windows to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
- How to turn on Automatic Updates in Windows 7
- How to turn on Automatic Updates in Windows Vista
- How to turn on Automatic Updates in Windows XP
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software, such as Microsoft Security Essentials, that is updated with the latest signature files. For more information, see 'Consumer security software providers'.
Limit user privileges on the computer
Starting with Windows Vista and Windows 7, Microsoft introduced User Account Control (UAC), which, when enabled, allows users to run with least user privileges. This scenario limits the possibility of attacks by malware and other threats that require administrative privileges to run.
You can configure UAC in your computer to meet your preferences:
- User Account Control in Windows 7
- User Account Control in Windows Vista
- Applying the Principle of Least Privilege in Windows XP
- More on User Account Control
Use caution when opening attachments and accepting file transfers
Exercise caution with email and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.
Use caution when clicking on links to webpages
Exercise caution with links to webpages that you receive from unknown sources, especially if the links are to a webpage that you are not familiar with, unsure of the destination of, or suspicious of. Malicious software may be installed in your computer simply by visiting a webpage with harmful content.
Avoid downloading pirated software
Threats may also be bundled with software and files that are available for download on various torrent sites. Downloading "cracked" or "pirated" software from these sites carries not only the risk of being infected with malware, but is also illegal. For more information, see 'The risks of obtaining and using pirated software'.
Protect yourself from social engineering attacks
While attackers may attempt to exploit vulnerabilities in hardware or software to compromise a computer, they also attempt to exploit vulnerabilities in human behavior to do the same. When an attacker attempts to take advantage of human behavior to persuade the affected user to perform an action of the attacker's choice, it is known as 'social engineering'. Essentially, social engineering is an attack against the human interface of the targeted computer.
Use strong passwords
Attackers may try to gain access to your Windows account by guessing your password. It is therefore important that you use a strong password – one that cannot be easily guessed by an attacker. A strong password is one that has at least eight characters, and combines letters, numbers, and symbols. For more information, see 'Create strong passwords'.
System changes
The following system changes may indicate the presence of this malware:
- The presence of the following files:
%common_appdata%\<five random hexadecimal digits>\TA<random digits>.exe
- The presence of the following registry modifications:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Total Anti Malware Protection"
With data: "<location of malware>" /s /d (for example, "%common_appdata%\54fd6\TA239.exe" /s /d)
In subkey: HKCU\Software\Microsoft\Internet Explorer
Sets value: "PRS"
With data: "hxxp://127.0.0.1:27777/?inj=%ORIGINAL%"
In subkey: HKCU\Software\Microsoft\Internet Explorer\Download
Sets value: "CheckExeSignatures"
With data: "no"
Sets value: "RunInvalidSignatures"
With data: "1"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Modifies value: "ConsentPromptBehaviorAdmin"
Modifies value: "ConsentPromptBehaviorUser"
Modifies value: "EnableLUA"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "DisallowRun"
With data: "1"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Sets value: "0"
With data: "msseces.exe"
Sets value: "1"
With data: "MSASCui.exe"
Sets value: "2"
With data: "ekrn.exe"
Sets value: "3"
With data: "egui.exe"
Sets value: "4"
With data: "avgnt.exe"
Sets value: "5"
With data: "avcenter.exe"
Sets value: "6"
With data: "avscan.exe"
Sets value: "7"
With data: "avgfrw.exe"
Sets value: "8"
With data: "avgui.exe"
Sets value: "9"
With data: "avgtray.exe"
Sets value: "10"
With data: "avgscanx.exe"
Sets value: "11"
With data: "avgcfgex.exe"
Sets value: "12"
With data: "avgemc.exe"
Sets value: "13"
With data: "avgchsvx.exe"
Sets value: "14"
With data: "avgcmgr.exe"
Sets value: "15"
With data: "avgwdsvc.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<file name of blocked program>
Sets value: "Debugger"
With data: "svchost.exe"
In subkey: HKCU\Software\Microsoft\Internet Explorer
Sets value: "IIL"
With data: "0"
Sets value: "ltHI"
With data: "0"
Sets value: "ltTST"
With data: <five digit number>
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "UID"
With data: <four digit identifier>
- The display of fake scanners; see the Technical Analysis for examples of these.
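As an added example (not code from the original Microsoft entry), the following read-only PowerShell function checks a host for the registry indicators listed in this entry: the Run autostart value, the "PRS" local proxy, the Internet Explorer download signature settings, the DisallowRun list, Image File Execution Options "Debugger" values pointing at svchost.exe, and the UAC policy value. The key and value names are those on the page; the function name, its structure and the output format are assumptions.

```powershell
# Added example, not code from the original Microsoft entry: a read-only check for the registry
# indicators this page lists. Key and value names are the page's; the function name, its structure
# and the output format are assumptions. Run elevated so the HKLM keys are readable.
function Test-TampIndicators {
    $hits = @()
    $quiet = @{ ErrorAction = 'SilentlyContinue' }

    # Autostart entry under the Run key, named after the rogue product
    $run = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' @quiet
    if ($run -and $run.PSObject.Properties['Total Anti Malware Protection']) {
        $hits += 'Run value: ' + $run.'Total Anti Malware Protection'
    }

    # Local proxy on port 27777 ("PRS") and weakened download signature checks
    $ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer' @quiet
    if ($ie -and $ie.PRS -like '*127.0.0.1:27777*') { $hits += "IE proxy: $($ie.PRS)" }
    $dl = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Download' @quiet
    if ($dl -and ($dl.CheckExeSignatures -eq 'no' -or $dl.RunInvalidSignatures -eq 1)) {
        $hits += 'IE executable signature checks disabled'
    }

    # DisallowRun list of security product executables
    $dr = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
    if (Test-Path $dr) {
        $names = (Get-ItemProperty $dr).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { $_.Value }
        if ($names) { $hits += 'DisallowRun: ' + ($names -join ', ') }
    }

    # Image File Execution Options "Debugger" values that point at svchost.exe
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($key in Get-ChildItem $ifeo @quiet) {
        $dbg = (Get-ItemProperty $key.PSPath @quiet).Debugger
        if ($dbg -and $dbg -match 'svchost\.exe') { $hits += "IFEO $($key.PSChildName) -> $dbg" }
    }

    # UAC policy value the page says is modified
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' @quiet
    if ($uac -and $uac.EnableLUA -eq 0) { $hits += 'EnableLUA is 0 (UAC prompts disabled)' }

    return ,$hits
}

$findings = Test-TampIndicators
if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No indicators found.' }
```

A hit on any single check is worth investigating, but the IFEO and DisallowRun checks are the most specific to this family; the UAC and signature settings can also be changed by administrators for other reasons.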