Virus Encyclopedia
Welcome to the Virus Encyclopedia of Panda Security.
Effects
A-FastAntivirus is an adware program that carries out the following actions:
- It reaches the computer in a file with the following icon:

- When this file is run, the following warning is displayed, informing users that the computer is infected with spyware and recommending that they install an antispyware program. To appear more credible, the warning makes it seem that Windows will download the program:

- After a while or when users click the message, the application starts to be loaded:
- Once installed, the interface of the program is displayed and it starts scanning the system in search of possible malware:

- The results, which are fake, indicate that malware has been detected in the computer, as can be seen in the messages that are displayed when the scan is finished:

- If users follow the instructions of the program and decide to eliminate these threats, they will be redirected to the website where the antivirus solution can be purchased and there they will have to enter their data:

- If, on the contrary, they decide not to follow the program's instructions, different alert warnings and messages will be displayed, reminding users of the risk the computer is running:

Infection strategy
A-FastAntivirus creates a directory called A-fast in the Program Files directory. In this folder it creates the file A-FAST.EXE, which corresponds to the main file of the program.
Additionally, it creates a file called A-FAST ANTIVIRUS.LNK on the Desktop. It is a shortcut to the program:

A-FastAntivirus creates the following entries in the Windows Registry:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
fast = C:\Program Files\A-fast\A-fast.exe
By creating this entry, A-FastAntivirus ensures that it is automatically run whenever Windows is started.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
DosableTaskMgr = 01, 00, 00, 00
This entry is designed to disable the Task Manager. However, due to an error (it is created as DosableTaskMgr instead of DisableTaskMgr), it does not work.
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
C:\Program files\A-fast\A-fast.exe = C:\Program files\A-fast\A-fast.exe:*:Enabled:afast
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
C:\Program files\A-fast\A-fast.exe = C:\Program files\A-fast\A-fast.exe:*:Enabled:afast
By creating these two entries, A-FastAntivirus adds itself to the list of applications authorized by the Windows firewall.
- HKEY_CURRENT_USER\Software\A-fast\Activation
First Start = 01, 00, 00, 00
- HKEY_CURRENT_USER\Software\A-fast\Security
Last Scan Date = %date of the last scan carried out%
- HKEY_CURRENT_USER\Software\A-fast\Security
Last Scan Result = %result of the last scan carried out%
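The registry entries listed above can be looked for in a regedit export (.reg text) taken from a suspect machine. The following Python code is an added example, not part of the original entry; the function names and the sample export are constructed for illustration.

```python
import re

# Lower-case key regexes and value names from the entry above; None = any value.
INDICATORS = [
    (r"hkey_current_user\\software\\microsoft\\windows\\currentversion\\run",
     "fast", "autorun entry"),
    (r"hkey_local_machine\\software\\microsoft\\windows\\currentversion\\policies\\system",
     "dosabletaskmgr", "misspelled Task Manager policy value"),
    (r"hkey_local_machine\\system\\(controlset\d+|currentcontrolset)\\services\\sharedaccess"
     r"\\parameters\\firewallpolicy\\standardprofile\\authorizedapplications\\list",
     r"c:\program files\a-fast\a-fast.exe", "firewall authorized application"),
    (r"hkey_current_user\\software\\a-fast(\\.*)?", None, "program settings key"),
]

def parse_reg_export(text):
    """Yield (key, value_name) pairs from regedit export (.reg) text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=', line)
            if m:  # .reg files escape backslashes and quotes in names
                yield key, re.sub(r"\\(.)", r"\1", m.group(1))

def find_indicators(text):
    """Return (key, value_name, description) for each indicator present."""
    hits = []
    for key, name in parse_reg_export(text):
        for pattern, value, what in INDICATORS:
            if re.fullmatch(pattern, key.lower()) and value in (None, name.lower()):
                hits.append((key, name, what))
    return hits

# Constructed sample export, not captured from a real host.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"fast"="C:\\Program Files\\A-fast\\A-fast.exe"
"OneDrive"="C:\\Users\\demo\\OneDrive.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DosableTaskMgr"=hex:01,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program files\\A-fast\\A-fast.exe"="C:\\Program files\\A-fast\\A-fast.exe:*:Enabled:afast"
[HKEY_CURRENT_USER\Software\A-fast\Activation]
"First Start"=hex:01,00,00,00
'''
if __name__ == "__main__":
    for key, name, what in find_indicators(SAMPLE):
        print(f"{what}: [{key}] {name}")
```

Because the value name is matched exactly, the correctly spelled DisableTaskMgr policy set by an administrator is not reported; only the misspelled name described above is.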
Means of transmission
A-FastAntivirus can reach the computer when the user accesses certain websites which display banners or pop-up windows which lead to the download of this program. It can also reach the computer in a link that can be received via spam messages, fraudulent websites, etc.
Further Details
A-FastAntivirus is 979,968 bytes in size and is compressed with UPX v1.9.
Additionally, the application offers different services, like email protection and firewall, as can be seen in the following image:

Investigation carried out by Aitor Crespo.