Name:

FraudTool.XpAntivirus2011

Added:

March 21, 2011

Type:

Fraudtool

Risk:

Low

Payload:

N/A

At risk systems:

Windows 95/98/ME/XP/NT/2003

Description:

FraudTool.XpAntivirus2011 is a polymorphic rougeware that when executed installs on a compromised system under random rougeware names (ie. XP Antivirus, XP Antivirus 2011, XP Internet Security 2011, etc)

It will perform the following activities:

It drops the following file:

%USERPROFILE%\Local Settings\Application Data\oii.exe (Random Three
 Characters).

It creates/modifies the following registry entries:

[HKEY_CLASSES_ROOT\.exe\shell\open\command]
@="\"C:\\Documents and Settings\\Administrator\\Local Settings\\Application
 Data\\Random_Three_Character.exe\" -a \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\Administrator\\Local Settings\\Application
 Data\\Random_Three_Character.exe\" -a \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE
.EXE\shell\open\command]
@="\"C:\\Documents and Settings\\Administrator\\Local Settings\\Application
 Data\\Random_Three_Character.exe\" -a \"C:\\Program Files\\Internet Explorer\\iexplore.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE
.EXE\shell\open\command]
@="C:\\Program Files\\Internet Explorer\\iexplore.exe"

After execution it displays fake threat messages and that force a user to purchase the software in order to remove the fake threats:





Below are some examples of the other variations of this Rogueware: