Welcome to the Virus Encyclopedia of Panda Security.
SysinternalsAntivirus is an adware program that attempts to deceive users by using a known name to be called, like Sysinternals, whose owner is Microsoft.
Once installed, prevents users from working with the computer properly, as it does not allow the files with an EXE extension to be run. In fact, when any of these files is run, a message like the following is displayed informing users that this file is infected:
Additionally, it carries out the following actions, which are common of this type of fake antivirus programs:
- It reaches the computer in a file with the following icon:
- When it is run and installed, the interface of the program is displayed and starts scanning the system in search for possible malware:
- Once finished, it displays a warning message informing users that the program has found infected programs and documents in the computer:
- If users decide to repair these files, the program will require them to register the license of the fake antivirus program and then they will be redirected to the website where the product can be purchased:
- If, on the contrary, they decide not to follow the program's instructions, different annoying messages will be displayed in order to make them think that their computer is really infected.
- Some of the messages that are displayed on screen are like the following:
- Security alert messages:
- It also display a message that seems to be from the Windows Security Center in order to warn users that no antivirus has been found in the computer.
SysinternalsAntivirus creates a directory called Sysinternals Antivirus in the Program Files directory and a group of programs in the Start menu with the same name.
SysinternalsAntivirus creates the following files:
- SYSINTERNALS ANTIVIRUS.EXE, which is a copy of itself, in the folder Sysinternals Antivirus of the Program Files directory.
- ALGGUI.EXE, SVCHOST.EXE, WPP.EXE, ADC_W32.DLL, WP3.DAT, WP4.DAT, NUAR.OLD and SKYNET.DAT, in the Program Files directory.
- SYSINTERNALS ANTIVIRUS.LNK, in the Desktop. This file is a shortcut to the program:
SysinternalsAntivirus creates the following entries in the Windows Registry:
- HKEY_CURRENT_USER\Software\Sysinternals Antivirus
By creating this entry, SysinternalsAntivirus registers itself as a BHO (Browser Helper Object). This way, it can monitor the websites accessed by the user.
SysinternalsAntivirus modifies the following Windows Registry entry, so that whenever a file with an EXE extension is run, the file belonging to the fake antivirus program is run instead of the corresponding file:
(Default) = "%1" %*
It changes this entry to:
(Default) = C:\Program Files\alggui.exe "%1" %*
Means of transmission
SysinternalsAntivirus can reach the computer when the user accesses certain websites which display banners or pop-up windows which lead to the download of this program. It can also reach the computer in a link that can be received via spam messages, fraudulent websites, etc.
SysinternalsAntivirus is 13,849,600 bytes in size.