Effects
AVSecuritySuite is an adware program that attempts to deceive users by passing itself off as a legitimate antivirus program.
Once installed, it prevents users from working with the computer properly, as it does not allow files with an EXE extension to be run. In fact, when any of these files is run, a message like the following is displayed informing users that the file is infected.
Additionally, it carries out the following actions, which are common to this type of fake antivirus program:
- It reaches the computer in a file with the following icon:

- When it is run, after a while, a pop-up message like the following is displayed imitating a Windows Security Alert:

- Then, the interface of the program is displayed and it starts scanning the system in search of possible malware:

- During the scan, users can see how the files of the computer are being scanned, but the malware it detects is false.
- Once finished, it displays a warning message informing users that their computer is infected:

- If users decide to disinfect their computer with this program, a message will be displayed informing them that it is a trial version and that in order to remove these threats, they have to purchase the full version of the program:

- Then, they will be redirected to the website where the product can be purchased:

- If, on the contrary, they decide not to follow the program's instructions, different annoying messages will be displayed in order to make them think that their computer is really infected.
- For example, like the following:

Infection strategy
AVSecuritySuite creates a randomly named directory in Local Settings\Application Data of the Documents and Settings directory of the user that has logged in.
AVSecuritySuite creates a randomly named file with an EXE extension in that directory.
AVSecuritySuite creates the following entries in the Windows Registry:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
%random% = C:\Documents and Settings\%usuario%\Local Settings\Application Data\%random folder%\%random file%.exe
By creating this entry, AVSecuritySuite ensures that it is run whenever Windows is started.
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download
RunInvalidSignatures = 1
It enables the execution of files with invalid signatures.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
LowRiskFileTypes = .exe
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
SaveZoneInformation = 1
By creating these entries, AVSecuritySuite labels the files with an EXE extension as low risk.
- HKEY_CURRENT_USER\Software\AVSuitE
AVSecuritySuite modifies the following Windows Registry entries in order to change the Internet security settings:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
DefaultConnectionSettings
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter
Enabled = 1 or 2
It changes this entry to:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter
Enabled = 0
It disables the phishing filter of Internet Explorer 7.
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter
EnabledV8 = 1 or 2
It changes this entry to:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter
EnabledV8 = 0
It disables the phishing filter of Internet Explorer 8.
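A triage check for the registry changes listed above, given as an added example that is not part of the original write-up: it parses the text of a `reg export` of HKEY_CURRENT_USER and reports which of those settings are present. The sample export, its user name and random names are constructed, and the function names are hypothetical.

```python
import re
# Constructed sample: text of a `reg export` of HKCU (user and random names invented).
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"qwjkxnpl"="C:\\Documents and Settings\\alice\\Local Settings\\Application Data\\hbtrvmwe\\kdyqpfsu.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"RunInvalidSignatures"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
"Enabled"=dword:00000000
"EnabledV8"=dword:00000002
[HKEY_CURRENT_USER\Software\AVSuitE]
'''

BASE = "hkey_current_user\\software\\"
DROP_PATH = re.compile(r"\\local settings\\application data\\[^\\]+\\[^\\]+\.exe$", re.I)
CHECKS = [  # (subkey, value name, test on the value, finding) for the settings listed above
    (r"microsoft\internet explorer\download", "runinvalidsignatures", lambda v: v == 1, "invalid signatures allowed to run"),
    (r"microsoft\windows\currentversion\policies\associations", "lowriskfiletypes", lambda v: ".exe" in str(v).lower(), ".exe marked low risk"),
    (r"microsoft\windows\currentversion\policies\attachments", "savezoneinformation", lambda v: v == 1, "SaveZoneInformation set to 1"),
    (r"microsoft\internet explorer\phishingfilter", "enabled", lambda v: v == 0, "IE7 phishing filter disabled"),
    (r"microsoft\internet explorer\phishingfilter", "enabledv8", lambda v: v == 0, "IE8 phishing filter disabled"),
]

def parse_reg(text):
    """Map lowercased key path -> {lowercased value name: int (dword) or str}."""
    keys, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1].lower(), {})
        elif cur is not None and (m := re.match(r'"(.+?)"=(.*)$', line)):
            cur[m[1].lower()] = (int(m[2][6:], 16) if m[2].startswith("dword:")
                                 else m[2].strip('"').replace("\\\\", "\\"))
    return keys

def audit(text):
    keys = parse_reg(text)
    run = keys.get(BASE + r"microsoft\windows\currentversion\run", {})
    findings = ["Run entry starts EXE from Application Data: " + v
                for v in run.values() if isinstance(v, str) and DROP_PATH.search(v)]
    for subkey, name, bad, label in CHECKS:
        value = keys.get(BASE + subkey, {}).get(name)
        if value is not None and bad(value):
            findings.append(label)
    if BASE + "avsuite" in keys:
        findings.append("HKCU\\Software\\AVSuitE key present")
    return findings
```

A real export is normally UTF-16 text, so decode it before passing it to `audit`. Legitimate software also launches from Application Data, so a Run finding on its own is a lead to check rather than a verdict.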
Means of transmission
AVSecuritySuite can reach the computer when the user accesses certain websites that display banners or pop-up windows leading to the download of this program. It can also reach the computer through a link received via spam messages, fraudulent websites, etc.
Further Details
AVSecuritySuite is 282,368 bytes in size.