Active Scan. Scan your PC free
Premium Services
Premium Services

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Threat LevelLow threatDamageHighDistributionNot widespread


RedCrossAntivirus carries out the following actions:

  • When it is run, it connects to the website http://85.231.174/inst.php?id= and the program starts its installation.
  • The following images belong to the installation process:

    - The installation begins:

    Installation window of RedCrossAntivirus

    - The license agreement:

    Installation window of RedCrossAntivirus

    - Installation finished:

    Installation window of RedCrossAntivirus
  • Once it is installed, it displays a warning message to remind users that their computer is not protected and that the antivirus program is a trial version:

    Warning message displayed by RedCrossAntivirus
  • If users click on the message, the antivirus program starts loading, as can be seen in the following image:

    RedCrossAntivirus loading
  • Once loaded, it starts scanning the system in search for possible malware:

    Scan carried out by RedCrossAntivirus
  • The results of the scan shows that infected files have been detected in the computer.
  • If users decide to remove them, they will be redirected to the website where the fake antivirus program can be purchased.

    Website to purchase RedCrossAntivirus

Infection strategy 

RedCrossAntivirus creates the following files:

  • ANTISPY.EXE in the folder Application Data of the Documents and Settings directory of the user that has logged in.
  • LSDKASJ.BAT, in the folder Local Settings\Temp of the Documents and Settings directory of the user that has logged in.


RedCrossAntivirus creates the following entries in the Windows Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell = C:\Documents and Settings\Application Data\
    where %username% is the username of the user that has logged in.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    By creating these entries, RedCrossAntivirus ensures that it is run whenever Windows is started.

Means of transmission 

RedCrossAntivirus can reach the computer when the user accesses certain websites which display banners or pop-up windows which lead to the download of this program. It can also reach the computer in a link that can be received via spam messages, fraudulent websites, etc.

Further Details  

RedCrossAntivirus is 560,640 bytes in size.