Encyclopedia

AVProtection2009

 
Threat Level: Low threat
Damage: High
Distribution: Not widespread

Effects 

AVProtection2009 is an adware program that carries out the following actions:

  • When it is run, it displays a window that simulates the installation of an antivirus program.

  • Once installed, the program starts scanning the system in search of possible malware.

  • Then, it displays a registration window.

  • Its aim is to persuade users to activate the false antivirus program by paying a certain sum of money.
  • If the user does not follow the recommendations of the program, it periodically displays warning messages.



Infection strategy 

AVProtection2009 creates the following files:

  • AVP.EXE, AVP_UPDATE.EXE, SYSSHIELD.EXE, UNINSTALL.EXE, SCANOPT.SYS, SUPPORT.URL, SVO.SCF and SYSDATA.SYS, in the folder AntiVirus Protection, which it creates in the Program Files directory.
  • SYSSHIELD.EXE, in the Windows system directory.
    These files are necessary for the installation and configuration of the program.
  • A shortcut to the program called ANTIVIRUS PROTECTION.LNK, on the Desktop.

Additionally, it creates a program group called AntiVirus Protection under Start menu -> Programs, containing the following files:

  • ANTIVIRUS PROTECTION.LNK
  • SUPPORT.LNK
  • UNINSTALL ANTIVIRUS PROTECTION.LNK

 

AVProtection2009 creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    AntiVirus Protection = C:\Program Files\AntiVirus Protection\AVP.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Windows applications server = %sysdir%\SysShield.exe

    where %sysdir% is the Windows system directory.
    By creating these entries, AVProtection2009 ensures that it is run whenever Windows is started.
  • HKEY_CURRENT_USER\Software\AVP09
  • HKEY_CURRENT_USER\Software\AVP09\GlobalOptions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiVirus Protection

Additionally, it creates the path HKEY_CURRENT_USER\Software\AV2009\GlobalOptions, to which it adds the following values:
0 = 60000
1 = 1000
2 = 540
3 = 660
4 = 900
5 = 660
6 = 1020
7 = 1740
8 = 28800
9 = http://youravprotection.com/support
10 = http://google.com
11 = http://www.registerantivirus.com/
12 = http://avprotectionstat.com
13 = ad81
14 = 1
15 = 1
16 = 1
17 = 0
18 = 0
19 = C:\Program Files\AntiVirus Protection
20 = 0
21 = 14A205A4-DDB4-4670-9A19-F5D9DD827ED0

By adding these values, it saves the options that AVProtection2009 will use once installed.
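The Run entries and registry keys listed above can be checked against saved `reg query` output collected from a host. The following is an added example, not part of the original entry or of any vendor tool; the function name `scan_reg_query` and the sample output (including the `SysHelper` and `ExampleAV` values) are constructed for illustration.

```python
import re

# Indicators from this entry; all comparisons are case-insensitive.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUE_NAMES = {"antivirus protection", "windows applications server"}
# AVP.EXE is matched only with its install folder; the bare name is too generic.
DATA_RE = re.compile(r"\\(?:antivirus protection\\avp|sysshield)\.exe\b")
KEY_INDICATORS = {
    r"hkey_current_user\software\avp09",
    r"hkey_current_user\software\avp09\globaloptions",
    r"hkey_current_user\software\av2009\globaloptions",
    r"hkey_local_machine\software\microsoft\windows\currentversion"
    r"\uninstall\antivirus protection",
}
VALUE_LINE = re.compile(r"^\s+(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

# Constructed sample of `reg query` output (not captured from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    AntiVirus Protection    REG_SZ    C:\Program Files\AntiVirus Protection\AVP.exe
    SysHelper    REG_SZ    "C:\WINDOWS\system32\SysShield.exe" /s
    ExampleAV    REG_SZ    C:\Program Files\ExampleAV\avp.exe

HKEY_CURRENT_USER\Software\AVP09\GlobalOptions
"""

def scan_reg_query(text):
    """Return (key, value_name, data, reason) tuples for matching entries."""
    findings, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # an unindented line is a key path
            key = line.strip()
            if key.lower() in KEY_INDICATORS:
                findings.append((key, None, None, "key"))
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None or key.lower() != RUN_KEY:
            continue
        name, _type, data = m.groups()
        if name.lower() in RUN_VALUE_NAMES:
            findings.append((key, name, data, "run value name"))
        elif DATA_RE.search(data.lower()):  # catches a renamed Run value
            findings.append((key, name, data, "run value data"))
    return findings

if __name__ == "__main__":
    print(*scan_reg_query(SAMPLE), sep="\n")
```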

Means of transmission 

AVProtection2009 can be voluntarily downloaded from the website belonging to the company that has developed it.

It can also reach the computer when the user visits certain websites that display banners or pop-up windows leading to the download of this program.

Further Details  

AVProtection2009 is 173,056 bytes in size.

Last updated:  30/06/2009 
