
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

AVSecuritySuite

Threat Level: Low threat
Damage: High
Distribution: Not widespread

Effects 

AVSecuritySuite is an adware program that attempts to deceive users by passing itself off as a legitimate antivirus program.

Once installed, it prevents users from working with the computer properly, as it does not allow files with an EXE extension to be run. When any of these files is run, a message is displayed informing users that the file is infected.

 

Additionally, it carries out the following actions, which are common to this type of fake antivirus program:

  • It reaches the computer in a file with the following icon:

    Icon of AVSecuritySuite
  • When it is run, after a while, a pop-up message like the following is displayed imitating a Windows Security Alert:

    Message simulating a Windows Security Alert
  • Then, the interface of the program is displayed and it starts scanning the system in search of possible malware:

    Scan carried out by AVSecuritySuite
  • During the scan, users can see the files on the computer being scanned, but the malware it reports detecting is false.
  • Once finished, it displays a warning message informing users that their computer is infected:

    Alert message displayed by AVSecuritySuite
  • If users decide to disinfect their computer with this program, a message will be displayed informing them that it is a trial version and that in order to remove these threats, they have to purchase the full version of the program:

    Registration of AVSecuritySuite
  • Then, they will be redirected to the website where the product can be purchased:

    Website where the program can be purchased
  • If, on the contrary, they decide not to follow the program's instructions, different annoying messages will be displayed in order to make them think that their computer is really infected.
  • For example, like the following:

    Alert message displayed by AVSecuritySuite

Infection strategy 

AVSecuritySuite creates a randomly named directory in Local Settings\Application Data, within the Documents and Settings directory of the logged-in user.

AVSecuritySuite creates a randomly named file with an EXE extension in that directory.

 

AVSecuritySuite creates the following entries in the Windows Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    %random% = C:\Documents and Settings\%usuario%\Local Settings\Application Data\%random folder%\%random file%.exe
    By creating this entry, AVSecuritySuite ensures that it is run whenever Windows is started.
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download
    RunInvalidSignatures = 1

    It enables the execution of files with invalid signatures.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
    LowRiskFileTypes = .exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
    SaveZoneInformation = 1

    By creating these entries, AVSecuritySuite labels the files with an EXE extension as low risk.
  • HKEY_CURRENT_USER\Software\AVSuitE

 

AVSecuritySuite modifies the following Windows Registry entries in order to change the Internet security settings:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    DefaultConnectionSettings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    SavedLegacySettings
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter
    Enabled = 1 or 2
    It changes this entry to:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter
    Enabled = 0

    It disables the phishing filter of Internet Explorer 7.
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter
    EnabledV8 = 1 or 2
    It changes this entry to:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter
    EnabledV8 = 0

    It disables the phishing filter of Internet Explorer 8.
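
As an added example (not part of the original entry and not Panda's own tooling), the registry changes listed above can be checked against an offline `reg export` of a user's HKEY_CURRENT_USER hive. The sample export, the function names and the random value, folder and user names in it are constructed for illustration.

```python
import re

# Constructed sample in .reg export format (not taken from a real infected host).
# Real exports are usually UTF-16: open(path, encoding="utf-16").read()
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"kdjfhgxa"="C:\\Documents and Settings\\alice\\Local Settings\\Application Data\\pqowzmtr\\kdjfhgxatssd.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"RunInvalidSignatures"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
"Enabled"=dword:00000000
"EnabledV8"=dword:00000002
[HKEY_CURRENT_USER\Software\AVSuitE]
'''

def parse_reg(text):
    """Return {key_lower: {value_name_lower: value}} from .reg export text."""
    keys, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1].lower(), {})
        elif cur is not None and (m := re.match(r'"(.+?)"=(.*)', line)):
            name, raw = m.group(1).lower(), m.group(2)
            cur[name] = (int(raw[6:], 16) if raw.startswith("dword:")
                         else raw.strip('"').replace("\\\\", "\\"))
    return keys

HKCU = "hkey_current_user\\software\\"
# Autorun target: an EXE one folder below Local Settings\Application Data
RUN_PATH = re.compile(r"\\local settings\\application data\\[^\\]+\\[^\\]+\.exe$", re.I)

def find_indicators(keys):
    """List which of the registry changes described in this entry are present."""
    run = keys.get(HKCU + r"microsoft\windows\currentversion\run", {})
    hits = [f"Run:{n}" for n, v in run.items() if isinstance(v, str) and RUN_PATH.search(v)]
    checks = [  # (key under HKCU\Software, value name, suspicious-value test)
        (r"microsoft\internet explorer\download", "runinvalidsignatures", lambda v: v == 1),
        (r"microsoft\windows\currentversion\policies\associations", "lowriskfiletypes",
         lambda v: ".exe" in str(v).lower()),
        (r"microsoft\windows\currentversion\policies\attachments", "savezoneinformation", lambda v: v == 1),
        (r"microsoft\internet explorer\phishingfilter", "enabled", lambda v: v == 0),
        (r"microsoft\internet explorer\phishingfilter", "enabledv8", lambda v: v == 0),
    ]
    for key, name, bad in checks:
        if name in keys.get(HKCU + key, {}) and bad(keys[HKCU + key][name]):
            hits.append(name)
    return hits + (["avsuite-key"] if HKCU + "avsuite" in keys else [])
```

The Run-key pattern also matches legitimate per-user programs installed under Application Data, so a hit there is a lead to review alongside the other indicators rather than a verdict on its own.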

Means of transmission 

AVSecuritySuite can reach the computer when the user accesses certain websites that display banners or pop-up windows leading to the download of this program. It can also reach the computer through a link received via spam messages, fraudulent websites, etc.

Further Details  

AVSecuritySuite is 282,368 bytes in size.