Effects
AntivirusXP2010 is an adware program that, once installed, prevents users from working with the computer properly, as it does not allow programs to run if their window title contains any of the following texts:
- Firefox
- Several security suites
In fact, when any of these programs is run, a message like the following is displayed, informing users that the file is infected and recommending that they install the fake antivirus to solve the problem:

Additionally, it carries out the following actions, which are common to this type of fake antivirus program:
- When it is run and installed, the interface of the program is displayed and starts scanning the system in search of possible malware:

- Once finished, it displays a warning message informing users that the computer is infected:

- If users decide to repair these files and click the "Registro" button, they will be redirected to the website where the product can be purchased:
- If, on the contrary, they decide not to follow the program's instructions, different alert messages will be displayed in order to make them think that their computer is really infected.
- The text of these warning messages is variable and will be similar to the following:
- Warning! Sensitive data may be sent over your internet connection right now!
System integrity threat!
- Severe system damage!
Your computer security is at risk. Spyware, worms and Trojans were detected in the background. Prevent data corruption and credit card information theft. Safeguard your system and perform a free security scan now.
- Malware intrusion!
Your PC activity is being monitored. Possible spyware infection. Your data security may be compromised. Sensitive data can be stolen. Prevent damage now by completing a security scan.
- The image below is an example:

It also carries out the following actions:
- It contains code to uninstall different antivirus solutions. This way, the computer would be unprotected and the real antivirus programs could not detect it.
- It attempts to establish connections with several URLs in order to download future updates.
- When users are browsing with Internet Explorer, from time to time it displays the following website, warning users that the website they are going to access is dangerous:

Infection strategy
AntivirusXP2010 creates a file called AV.EXE in the folder Local Settings\Application Data of the Documents and Settings directory of the user that has logged in.
AntivirusXP2010 creates the following entries in the Windows Registry:
- HKEY_CURRENT_USER\Software\Classes\secfile
- HKEY_CURRENT_USER\Software\Classes\secfile\DefaultIcon
- HKEY_CURRENT_USER\Software\Classes\secfile\shell
- HKEY_CURRENT_USER\Software\Classes\secfile\shell\open
- HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command
- HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas
- HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas\command
- HKEY_CURRENT_USER\Software\Classes\secfile\shell\start
- HKEY_CURRENT_USER\Software\Classes\secfile\shell\start\command
- HKEY_CLASSES_ROOT\secfile
- HKEY_CLASSES_ROOT\secfile\DefaultIcon
- HKEY_CLASSES_ROOT\secfile\shell
- HKEY_CLASSES_ROOT\secfile\shell\open
- HKEY_CLASSES_ROOT\secfile\shell\open\command
- HKEY_CLASSES_ROOT\secfile\shell\runas
- HKEY_CLASSES_ROOT\secfile\shell\runas\command
- HKEY_CLASSES_ROOT\secfile\shell\start
- HKEY_CLASSES_ROOT\secfile\shell\start\command
AntivirusXP2010 modifies the following Windows Registry entry, so that whenever Internet Explorer is run, the file belonging to the fake antivirus program is run at the same time as the corresponding file:
- HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
(Default) =
It changes this entry to:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
(Default) = C:\Documents and Settings\%username%\Local Settings\Application data\av.exe /START C:\Program Files\Internet Explorer\iexplore.exe
where %username% is the username of the user that has logged in.
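
A defensive check for the registry changes listed above, as an added example that is not part of the original entry: it parses `reg export` text and flags `secfile` class keys and any StartMenuInternet open command whose default value starts with an executable under a user's Local Settings\Application Data folder. It generalizes beyond av.exe and IEXPLORE.EXE; the sample export, the user name alice and the function names are constructed for illustration.

```python
import re

# Constructed sample in `reg export` format (not taken from a real host).
# "alice" is a made-up user; the secfile value is a placeholder.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="C:\\Documents and Settings\\alice\\Local Settings\\Application data\\av.exe /START C:\\Program Files\\Internet Explorer\\iexplore.exe"

[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
@="<value not given in the entry>"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="C:\\Program Files\\Mozilla Firefox\\firefox.exe"
'''

BROWSER_CMD = re.compile(r'\\Clients\\StartMenuInternet\\[^\\]+\\shell\\open\\command$', re.I)
# Command line that starts with an .exe in a user's Application Data folder
# (Windows XP profile layout, as in the entry).
PROFILE_EXE = re.compile(
    r'^"?[a-z]:\\Documents and Settings\\[^\\]+\\Local Settings'
    r'\\Application Data\\[^\\]+\.exe', re.I)
SECFILE = re.compile(
    r'^(HKEY_CURRENT_USER\\Software\\Classes|HKEY_CLASSES_ROOT)\\secfile(\\|$)', re.I)

def parse_reg_export(text):
    """Return {key_path: default_value_or_None} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = None
        elif current and line.startswith('@="') and line.endswith('"'):
            # .reg string values escape backslashes and quotes with a backslash
            keys[current] = re.sub(r"\\(.)", r"\1", line[3:-1])
    return keys

def find_indicators(keys):
    """Return (finding, key_path) pairs for the two registry patterns."""
    findings = []
    for path, default in keys.items():
        if SECFILE.match(path):
            findings.append(("secfile-class", path))
        elif BROWSER_CMD.search(path) and default and PROFILE_EXE.match(default):
            findings.append(("browser-launch-hijack", path))
    return findings

if __name__ == "__main__":
    for finding, path in find_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(finding, path)
```

`reg export` writes UTF-16 files, so read them with `encoding="utf-16"` before passing the text to `parse_reg_export`.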
Means of transmission
AntivirusXP2010 can reach the computer when the user accesses certain websites which display banners or pop-up windows which lead to the download of this program. It can also reach the computer via spam messages, fraudulent websites, etc.
Email messages that seem to contain a postcard have been detected distributing AntivirusXP2010.
It arrives in a message like the following:

The message seems to have been sent by a member of your family through a legitimate website for downloading and sending postcards, so that users do not become suspicious. To view the postcard, users have to open the attached file. It’s a zip-compressed file, and if it is run, a rogueware program will be installed on the computer; its name will differ depending on the operating system installed on the computer.
Further Details
AntivirusXP2010 is 344,064 bytes in size.
Additionally, it is a rogueware program that is different depending on the operating system installed on your computer.
The following are some of the names of the fake antivirus that can be installed on your computer if you run this file:
% Antispyware 2010
Antivirus % 2010
% Guardian 2010
% Guardian
% Defender 2010
% Antivirus
% Antivirus 2010
% Antivirus Pro
% Antivirus Pro 2010
% Internet Security
% Internet Security 2010
where % stands for the operating system of the computer on which it is going to be installed.
Some examples are: XPAntispyware2010, Vista Guardian, Win 7 Antivirus Pro.