Effects
SysinternalsAntivirus is an adware program (a fake antivirus) that tries to win users' trust by borrowing a well-known name, Sysinternals, which belongs to Microsoft. It has no connection with the genuine Sysinternals tools.
Once installed, it prevents users from working with the computer normally, because it does not allow files with an EXE extension to be run. Whenever one of these files is launched, a message like the following is displayed, claiming that the file is infected:
Additionally, it carries out the following actions, which are typical of this type of fake antivirus program:
- It reaches the computer in a file with the following icon:

- When it is run and installed, the program's interface is displayed and it starts scanning the system for supposed malware:

- Once the scan finishes, it displays a warning message claiming that it has found infected programs and documents on the computer:

- If users choose to repair these files, the program requires them to register a license for the fake antivirus and redirects them to the website where the product can be purchased:

- If, on the contrary, they decide not to follow the program's instructions, a series of nagging messages is displayed to make them believe that their computer is genuinely infected.
- Some of the messages that are displayed on screen are like the following:
- Security alert messages:

- It also displays a message that appears to come from the Windows Security Center, warning users that no antivirus has been found on the computer.
Infection strategy
SysinternalsAntivirus creates a directory called Sysinternals Antivirus in the Program Files directory and a program group with the same name in the Start menu.
SysinternalsAntivirus creates the following files:
- SYSINTERNALS ANTIVIRUS.EXE, which is a copy of itself, in the folder Sysinternals Antivirus of the Program Files directory.
- ALGGUI.EXE, SVCHOST.EXE, WPP.EXE, ADC_W32.DLL, WP3.DAT, WP4.DAT, NUAR.OLD and SKYNET.DAT, in the Program Files directory. Note that the SVCHOST.EXE dropped here only borrows the name of a legitimate system binary; the genuine svchost.exe lives in the System32 directory under the Windows folder, so a copy in Program Files is itself an indicator of this infection.
- SYSINTERNALS ANTIVIRUS.LNK, on the Desktop. This file is a shortcut to the program:

SysinternalsAntivirus creates the following entries in the Windows Registry:
- HKEY_CURRENT_USER\Software\Sysinternals Antivirus
- HKEY_CLASSES_ROOT\CLSID\{149256D5-E103-4523-BB43-2CFB066839D6}
By creating this entry, SysinternalsAntivirus registers a COM component that it uses as a BHO (Browser Helper Object), which Internet Explorer loads at startup. This way, it can monitor the websites accessed by the user.
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdbUpd
This is a service registration key, so the component is started by the Service Control Manager rather than from the usual Run keys.
SysinternalsAntivirus modifies the following Windows Registry entry, which defines how Windows launches files with an EXE extension. After the change, every EXE the user opens from Explorer, the Start menu or the Run dialog is passed as an argument to the fake antivirus component ALGGUI.EXE, which runs first and decides whether the requested program is launched at all (this is how the "infected file" message described above is produced):
- HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%1" %*
It changes this entry to:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = C:\Program Files\alggui.exe "%1" %*
Because this value is consulted by the shell, not by CreateProcess, programs started by typing their name at a cmd.exe prompt are not intercepted, which is a practical way to launch clean-up tools on an infected machine. Deleting ALGGUI.EXE without first restoring the default value leaves the association pointing at a missing file, after which no EXE can be opened from Explorer at all.
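The following PowerShell triage script is an added example and is not part of the original threat description; it checks a Windows system for the file and registry artefacts listed in this section and, with -Repair, restores the default EXE handler. It assumes the artefact names and paths are exactly those given above, that the legitimate default for exefile\shell\open\command is "%1" %*, and that the script runs elevated. Because HKEY_CLASSES_ROOT is a merged view in which a per-user copy under HKCU\Software\Classes overrides the machine-wide one under HKLM\Software\Classes, it inspects both physical locations rather than only the merged view.

```powershell
# Added example, not from the original threat description: triage script for the
# SysinternalsAntivirus artefacts listed above. Assumptions: artefact names and
# paths are exactly as given in the text; the legitimate default value of
# exefile\shell\open\command is '"%1" %*'. Run from an elevated PowerShell.
# If double-clicking EXEs already fails, start PowerShell by typing its name at
# a cmd.exe prompt: cmd uses CreateProcess, which bypasses the shell association.
[CmdletBinding()]
param([switch]$Repair)

$programFiles = ${env:ProgramFiles}
$expectedCmd  = '"%1" %*'

# File artefacts named in the description (paths constructed from the text above).
$files = @(
    (Join-Path $programFiles 'Sysinternals Antivirus\Sysinternals Antivirus.exe'),
    (Join-Path $programFiles 'alggui.exe'),
    (Join-Path $programFiles 'svchost.exe'),   # the real svchost.exe lives in System32
    (Join-Path $programFiles 'wpp.exe'),
    (Join-Path $programFiles 'adc_w32.dll'),
    (Join-Path $programFiles 'wp3.dat'),
    (Join-Path $programFiles 'wp4.dat'),
    (Join-Path $programFiles 'nuar.old'),
    (Join-Path $programFiles 'skynet.dat'),
    (Join-Path ([Environment]::GetFolderPath('Desktop')) 'Sysinternals Antivirus.lnk')
)

# Registry artefacts named in the description.
$regKeys = @(
    'Registry::HKEY_CURRENT_USER\Software\Sysinternals Antivirus',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{149256D5-E103-4523-BB43-2CFB066839D6}',
    'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdbUpd'
)

$findings = @()
foreach ($f in $files)   { if (Test-Path -LiteralPath $f) { $findings += "file present:  $f" } }
foreach ($k in $regKeys) { if (Test-Path -LiteralPath $k) { $findings += "registry key:  $k" } }

# HKEY_CLASSES_ROOT is a merged view: a per-user copy under HKCU\Software\Classes
# overrides the machine-wide one under HKLM\Software\Classes, so check both
# physical locations instead of only the merged HKCR view.
$exefileKeys = @(
    'Registry::HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command',
    'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command'
)
foreach ($k in $exefileKeys) {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    $cmd = (Get-ItemProperty -LiteralPath $k).'(default)'
    if ($cmd -ne $expectedCmd) {
        $findings += "EXE handler hijacked: $k = $cmd"
        if ($Repair) {
            # Restore the Windows default before the hijacking EXE is deleted,
            # otherwise no EXE can be opened from Explorer once alggui.exe is gone.
            Set-ItemProperty -LiteralPath $k -Name '(default)' -Value $expectedCmd
            $findings += "restored:      $k = $expectedCmd"
        }
    }
}

if ($findings.Count -eq 0) { 'No SysinternalsAntivirus artefacts found.' } else { $findings }
```

Run the script once without -Repair to list what is present, then again with -Repair to put the EXE association back before deleting the dropped files and the service key; a hijacked value that differs from the one quoted above (another path, or an extra wrapper) is reported verbatim rather than silently ignored, since variants of this family use the same technique with different file names.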
Means of transmission
SysinternalsAntivirus can reach the computer when the user visits certain websites that display banners or pop-up windows leading to the download of this program. It can also arrive via a link received in spam messages, on fraudulent websites, etc.
Further Details
SysinternalsAntivirus is 13,849,600 bytes in size.