Effects
AntiAID is an adware program that carries out the following actions:
- When it is run, the program's installation process starts, and the user has to follow several steps to complete it. One of the screens displayed is the following:

- Once installed, it simulates that the program is being loaded:

- After being installed, a warning that appears to come from the Windows Security Center is displayed, informing users that their computer is infected. This warning is false and is intended to make the program seem more credible:

- Then, it starts scanning the system in search of possible malware:

- Once finished, it displays a warning message informing users that the computer is infected with malware:

- If users follow the program's instructions and remove the threats, the program will require a registration code:

- This code is obtained after purchasing the antivirus solution. Therefore, the user will be redirected to a website where it can be purchased:

- If users don't follow the program's recommendations, several warning messages will be displayed reminding users that their computer is unprotected:

Infection strategy
AntiAID creates the following files:
- ANTIAID.EXE, which is the main file of the program, and UNINSTALL.EXE, in the folder AntiAID Software\AntiAID, which it creates in the Program Files directory.
- A program group in the Start menu called AntiAID, which contains several links.
- Several random files with an EXE extension in the path C:\Documents and Settings\%username%\Local Settings\Temp.
Additionally, it creates the following files in the path C:\Documents and Settings\%username%\Local Settings\Temp:
- FIRST.EXE and THI.EXE
- ABC.DAT
- SECOND.DLL
Additionally, it creates another copy of the program's main file, with a random name and an EXE extension, in the Windows system directory. This copy is created so that the program keeps running even after it has been uninstalled: in that case, all the files except this copy and its corresponding Windows Registry entry are deleted.
It also creates the following junk files in the Windows directory and the Windows system directory, so that the program can report them as malicious files when the scan is carried out:
- 8C9DOZNLO5DER1957.BIN
- 8B59HIEF2792Z.CPL
- 79559PZRSE2885.EXE
- 686ZT9I5F727.DLL
- 65ZFBACKD9OR942.OCX
Additionally, it creates the following shortcut on the Desktop:

AntiAID creates the following entries in the Windows Registry:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
AntiAID = C:\Program Files\AntiAID Software\AntiAID\AntiAID.exe -min
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
%filename%.exe = %sysdir%\%filename%.exe
where %filename% is a random file name and %sysdir% is the Windows system directory.
By creating these entries, AntiAID ensures that it is automatically run whenever Windows is started.
- HKEY_LOCAL_MACHINE\SOFTWARE\AntiAID
Install_Dir = C:\Program Files\AntiAID Software\AntiAID
- HKEY_LOCAL_MACHINE\SOFTWARE\AntiAID
Lang = English
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiAID
DisplayName = AntiAID
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiAID
NoModify = 01, 00, 00, 00
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiAID
NoRepair = 01, 00, 00, 00
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiAID
UninstallString = C:\Program Files\AntiAID Software\AntiAID\uninstall.exe
- HKEY_CURRENT_USER\Software\AntiAID
AgentsSettings = 01, 00, 00, 00
These entries contain information about the application and its uninstallation.
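A triage sketch for the two Run-key entries listed above, added here as an example and not part of the original description. The sample values, the random name qzkvhw.exe, the system directory path and the allowlist are constructed assumptions; the second rule only yields candidates for review, since legitimate entries can have the same shape.

```python
import ntpath
import re

# Indicators taken from the Run entries described on this page.
KNOWN_VALUE = "antiaid"
KNOWN_IMAGE = r"c:\program files\antiaid software\antiaid\antiaid.exe"

def norm(path):
    """Normalise a Windows path for comparison (case and separators)."""
    return ntpath.normcase(ntpath.normpath(path))

def image_path(command):
    """Return the executable path of a Run command line, without arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)(?:\s|$)", command, flags=re.I)
    return m.group(1) if m else command

def classify(name, command, sysdir=r"C:\WINDOWS\system32", allow=("ctfmon.exe",)):
    """Label one Run value: 'antiaid-main', 'sysdir-copy-candidate' or None."""
    path = norm(image_path(command))
    if name.lower() == KNOWN_VALUE or path == KNOWN_IMAGE:
        return "antiaid-main"
    # Persistence copy: the value name is the file name itself and the file
    # sits directly in the system directory. The allowlist (an assumption)
    # holds legitimate entries with the same shape.
    same_name = ntpath.basename(path) == name.lower() and name.lower().endswith(".exe")
    in_sysdir = ntpath.dirname(path) == norm(sysdir)
    if same_name and in_sysdir and name.lower() not in allow:
        return "sysdir-copy-candidate"
    return None

def triage(run_values, **kwargs):
    """Map each flagged value name in a Run-key export to its label."""
    hits = {}
    for name, command in run_values.items():
        verdict = classify(name, command, **kwargs)
        if verdict:
            hits[name] = verdict
    return hits

# Constructed sample of HKCU\...\CurrentVersion\Run values.
SAMPLE_RUN = {
    "AntiAID": r"C:\Program Files\AntiAID Software\AntiAID\AntiAID.exe -min",
    "qzkvhw.exe": r"C:\WINDOWS\system32\qzkvhw.exe",  # constructed random name
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "Updater": r'"C:\Program Files\Vendor\updater.exe" /background',
}

if __name__ == "__main__":
    print(triage(SAMPLE_RUN))
```

Because the copy in the system directory and its Run value survive uninstallation, the second rule is the one that still fires on a host where the Program Files folder is already gone.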
Means of transmission
AntiAID can reach the computer when the user accesses certain websites that display banners or pop-up windows leading to the download of this program. It can also reach the computer through a link received via spam messages, fraudulent websites, etc.
Further Details
AntiAID is 1,634,304 bytes in size and is compressed with UPX.