The [random_name].exe is the rogueware's main file, which is responsible for generating the fake alerts, etc. The "serv.bat" file is a batch file containing the registry entries pertaining to the dropped files:
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\WINDOWS\system32\userinit.exe,,C:\Documents and Settings\All Users\Application Data\nhXgV333\nhXgV333.exe -sm," /f
Because Winlogon runs every program listed in the Userinit value when a user logs on, the above registry entries cause the malware to be re-launched after each restart.
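The check below is an added example, not part of the original write-up or of any Thirtyseven4 product: it splits Userinit data into its comma-separated commands and reports anything other than the stock userinit.exe. It assumes Windows is installed under C:\WINDOWS, as in the value shown above; the function names and sample constants are hypothetical.

```python
import ntpath
import sys

# Assumption: stock install path, matching the value quoted in the write-up.
EXPECTED = r"c:\windows\system32\userinit.exe"
WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"


def split_userinit(value):
    """Split Userinit data into its comma-separated commands, dropping empties."""
    parts = (part.strip().strip('"') for part in value.split(","))
    return [part for part in parts if part]


def unexpected_entries(value, expected=EXPECTED):
    """Return every command in the Userinit data that is not the stock userinit.exe."""
    flagged = []
    for command in split_userinit(value):
        # Normalise case and path separators before comparing.
        normalised = ntpath.normcase(ntpath.normpath(command))
        if normalised != expected:
            flagged.append(command)
    return flagged


def read_live_userinit():
    """Read the Userinit data from the local registry (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        data, _value_type = winreg.QueryValueEx(key, "Userinit")
    return data


# Constructed samples: a clean value and the value written by serv.bat above.
CLEAN = "C:\\WINDOWS\\system32\\userinit.exe,"
INFECTED = ("C:\\WINDOWS\\system32\\userinit.exe,,"
            "C:\\Documents and Settings\\All Users\\Application Data"
            "\\nhXgV333\\nhXgV333.exe -sm,")

if __name__ == "__main__":
    # On Windows audit the live registry; elsewhere fall back to the sample.
    value = read_live_userinit() if sys.platform == "win32" else INFECTED
    for entry in unexpected_entries(value):
        print("Unexpected Userinit entry:", entry)
```
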
Thirtyseven4 customers are fully protected against this malware. Thirtyseven4 also has proactive detection for this type of rogueware within the Memory scan, the GUI Scanner, Online Protection, and Native Scan. In addition, we have path-based detection as well.
“Delight yourself in the Lord and he will give you the desires of your heart.” Psalm 37:4