When FraudTool.AntiVirus is executed, it performs the following activities:
It creates the following folders:
%UserProfile%\Start Menu\Programs\AntiVirus Studio 2010
%AppData%\AntiVirus Studio 2010
It drops the following files:
%AppData%\AntiVirus Studio 2010\AntiVirus Studio 2010.exe
%AppData%\AntiVirus Studio 2010\securitycenter.exe
%AppData%\AntiVirus Studio 2010\taskmgr.dll
%AppData%\AntiVirus Studio 2010\securityhelper.exe
%Temp%\_2.tmp
%Temp%\jkfuckfu.exe
%Temp%\wrfwe_di.exe
%Temp%\winlogoff.exe
%Temp%\472a10e2ebxd9.exe
%Temp%\ds7hw.exe
%Temp%\lols.exe
%Temp%\dc_3.exe
%Temp%\qwedvor.exe
%Temp%\dd10x10.exe
%Temp%\17dkf.exe
%Temp%\jdhellwo3.exe
%Temp%\gedx_ae09.exe
%Temp%\wrcud12.exe
%Temp%\eelnvd13.exe
%Temp%\ppddfcfux.exxe
%Temp%\sycre.exe
%Temp%\backd-efq.exe
%Temp%\hodeme.exe
%Temp%\hiphop.exe
%UserProfile%\Start Menu\Programs\AntiVirus Studio 2010\AntiVirus Studio 2010.lnk
It creates/modifies the following registry entries:
HKU\Software\AntiVirus Studio 2010
    @ = "%AppData%\AntiVirus Studio 2010"
HKU\Software\Microsoft\Windows\CurrentVersion\Uninstall\AntiVirus Studio 2010
    DisplayName = "AntiVirus Studio 2010"
    DisplayIcon = ""%AppData%\AntiVirus Studio 2010\securityhelper.exe",1"
    UninstallString = ""%AppData%\AntiVirus Studio 2010\securityhelper.exe" /UNINSTALL"
HKU\Software\Microsoft\Windows\CurrentVersion\Run
    AntiVirus Studio 2010 = ""%AppData%\AntiVirus Studio 2010\AntiVirus Studio 2010.exe" /STARTUP"
    SecurityCenter = "%AppData%\AntiVirus Studio 2010\securitycenter.exe"
The two Run values start the rogue at every logon of the infected user, and the Uninstall key makes it appear in Add/Remove Programs with the rogue's own securityhelper.exe registered as the uninstaller.
It displays fake threat messages and pressures users into purchasing the software in order to remove the fake threats.
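The file and registry indicators above are listed with %AppData%, %Temp% and %UserProfile% prefixes, so matching them against real data requires expanding those variables per user and then comparing case-insensitively. The following is an added example (not code from the original write-up or from the vendor) that does this over an autoruns-style dump of Run-key values and a list of observed file paths; it works offline and uses only a subset of the dropped files. The user profile layout, the sample dump and the variable names are assumptions for illustration. Substring matching is used for Run-key values on purpose: the SecurityCenter value is unquoted despite containing spaces, so splitting the command line on whitespace would miss it.

```python
import ntpath
import re

# Indicators transcribed from the write-up above (a subset of the dropped
# files), kept with their %Var% prefixes and expanded per user at scan time.
DROPPED_FILES = [
    r"%AppData%\AntiVirus Studio 2010\AntiVirus Studio 2010.exe",
    r"%AppData%\AntiVirus Studio 2010\securitycenter.exe",
    r"%AppData%\AntiVirus Studio 2010\taskmgr.dll",
    r"%AppData%\AntiVirus Studio 2010\securityhelper.exe",
    r"%Temp%\_2.tmp",
    r"%Temp%\winlogoff.exe",
    r"%UserProfile%\Start Menu\Programs\AntiVirus Studio 2010\AntiVirus Studio 2010.lnk",
]

# Run-key values as listed above; note the second one is unquoted.
RUN_VALUES = {
    "AntiVirus Studio 2010": r'"%AppData%\AntiVirus Studio 2010\AntiVirus Studio 2010.exe" /STARTUP',
    "SecurityCenter": r"%AppData%\AntiVirus Studio 2010\securitycenter.exe",
}

_VAR = re.compile(r"%([^%]+)%")


def user_env(profile):
    """Per-user expansion table for the variables used in the IOC list.
    Assumes a Vista-or-later profile layout (assumption, not from the page)."""
    return {
        "userprofile": profile,
        "appdata": profile + r"\AppData\Roaming",
        "temp": profile + r"\AppData\Local\Temp",
    }


def expand(path, env):
    """Expand %Var% tokens case-insensitively; unknown tokens are left as-is."""
    return _VAR.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def norm(path):
    """Canonical form for comparison: backslashes, no '.' or '..', case-folded."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def expected_artifacts(env):
    """All dropped-file paths as they would appear for this user."""
    return {norm(expand(p, env)) for p in DROPPED_FILES}


def scan_files(observed_paths, env):
    """Return the observed paths that exactly match a dropped-file indicator."""
    bad = expected_artifacts(env)
    return [p for p in observed_paths if norm(expand(p, env)) in bad]


def scan_run_entries(run_entries, env):
    """Return names of Run-key values whose command line references a dropped
    file. Substring matching copes with quoted and unquoted paths and with
    trailing switches such as /STARTUP."""
    bad = expected_artifacts(env)
    hits = []
    for name, data in run_entries.items():
        cmd = norm(expand(data, env))
        if any(artifact in cmd for artifact in bad):
            hits.append(name)
    return hits


# Constructed sample data (not from the page): one user's Run key with a
# benign entry mixed in, and a few file paths observed on disk.
SAMPLE_ENV = user_env(r"C:\Users\alice")
SAMPLE_RUN = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "AntiVirus Studio 2010": r'"C:\Users\alice\AppData\Roaming\AntiVirus Studio 2010\AntiVirus Studio 2010.exe" /STARTUP',
    "SecurityCenter": r"C:\Users\alice\AppData\Roaming\AntiVirus Studio 2010\securitycenter.exe",
}
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\AntiVirus Studio 2010\taskmgr.dll",
    r"C:\Users\alice\AppData\Local\Temp\winlogoff.exe",
    r"C:\Users\alice\AppData\Local\Temp\setup.log",
]

if __name__ == "__main__":
    print("Run-key hits:", scan_run_entries(SAMPLE_RUN, SAMPLE_ENV))
    print("File hits:", scan_files(SAMPLE_FILES, SAMPLE_ENV))
```

On a live system the same functions can be fed the output of a registry export of each user's Run key and a directory listing of %AppData% and %Temp%; because the Run values live under HKU, every loaded user hive needs its own env table built from that user's profile path.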