Select local site

| Japanese | Simplified Chinese | Traditional Chinese (Hong Kong) | Traditional Chinese (Taiwan)

F-Secure Riskware Information Pages: Rogue:W32/XPAntivirus
[Summary] | [Disinfection] | [Additional Details]

Name : Rogue:W32/XPAntivirus
Detection Names : Rogue:W32/XPAntiVirus
FraudTool.Win32.XPAntivirus
Type:Rogue
Category:Riskware
Platform:W32

Summary
XP Antivirus is a "rogue" security program that claims to detect and remove malicious software, but gives fake and exaggerated scan results in an attempt to trick people into purchasing the program.

This rogue program is commonly downloaded and installed via trojans without consent and even hijacks the user's desktop to display misleading and alarming messages.
Back to the Top

Disinfection

Windows System Restore can complicate disinfection. See: Disabling System Restore on Windows XP before proceeding.

The directory and file names used by XP Antivirus are generated based on a hash of the HDD serial number.

Example: rhcp1wj0e72l



Individual installation names can be determined by examining the path of the shortcut icons as in the example image.

[...] will be used to represent the directory and file names in the disinfection instructions.

Notes:
%programfiles% represents C:\Program Files
%windows% represents C:\WINDOWS
%system32% represents C:\WINDOWS\system32

Terminate Malicious Processes

  1. Open the Windows Task Manager; press Ctrl + Alt + Del and click the Task Manager button
  2. Locate the malicious file from the list of running processes, example: rhcp1wj0e72l
  3. Select the malicious process and click the End Process button
  4. Close the Task Manager.

Deleting launchpoints and other malicious entries from the registry

From the Windows Start Menu, select Run, type regedit into the "Open:" field and then click OK.

Delete the following keys if they are found:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\[...]
  • HKLM\software\[...]
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform, "AntivirXP08"

Delete the following values to disable the program from automatically running with Windows start:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion, [...]
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run, SM[...] = %programfiles%\[...]\[...].exe
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run, [...]
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run XP Antivirus = "%programfiles%\XP Antivirus\xpa.exe"

To re-enable options for the screen saver and desktop, delete the following values:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies \System, NoDispBackgroundPage
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies \System, NoDispScrSavPage

To reset the Desktop settings, the following can be deleted:

  • HKCU\Control Panel\Desktop ConvertedWallpaper
  • HKCU\Control Panel\Desktop OriginalWallpaper
  • HKCU\Control Panel\Desktop SCRNSAVE.EXE
  • HKCU\Control Panel\Desktop Wallpaper

Delete malicious files and directories

Delete the following directories and file if they exist:

  • %programfiles%\[...]\database.dat
  • %programfiles%\[...]\license.txt
  • %programfiles%\[...]\MFC71.dll
  • %programfiles%\[...]\MFC71ENU.DLL
  • %programfiles%\[...]\msvcp71.dll
  • %programfiles%\[...]\msvcr71.dll
  • %programfiles%\[...]\[...].exe
  • %programfiles%\[...]\[...].exe.local
  • %programfiles%\[...]\Uninstall.exe
  • %system32%\[...].bmp
  • %system32%\[...].exe
  • %system32%\[...].exe
  • %system32%\[...].scr
  • %windows%\Temp\.tt30.tmp.vbs
  • %windows%\Temp\.tt34.tmp.exe
  • C:\Documents and Settings\[Name]\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
  • C:\Documents and Settings\LocalService\Application Data\[...].exe

Directories:

  • %programfiles%\[...]\
  • C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008

Some infections create the following set of files and directories, delete them if they exist:

  • %programfiles%\XP Antivirus
  • %programfiles%\XP Antivirus\xpa.exe
  • C:\Documents and Settings\[Name]\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
  • C:\Documents and Settings\[Name]\Desktop\XP Antivirus 2008.lnk
  • C:\Documents and Settings\[Name]\Start Menu\XP Antivirus 2008
  • C:\Documents and Settings\[Name]\Start Menu\XP Antivirus 2008\Uninstall XP Antivirus 2008.lnk
  • C:\Documents and Settings\[Name]\Start Menu\XP Antivirus 2008\XP Antivirus 2008.lnk

Note: [Name] represents the local user account name.

Follow the disinfection instructions for Trojan-Downloader:W32/Exchanger if the following file exists:

  • %system32%\CbEvtSvc.exe
Back to the Top

Additional Details
XP Antivirus is a family of rogue applications. See the Rogue antispyware description for additional details.

XP Antivirus 2008 and XP Antivirus 2009 are known aliases of the same rogue family.

Rogue:W32/XPAntiVirus is distributed and installed with interfaces similar to the following:





XP Antivirus variants display the following types of warnings:







XP Antivirus variants display the following message from the System Tray:



The computer's wallpaper is changed to display the following message:



Note: All of the warning messages above were generated from a clean test machine.

Installation

Infection may occur with the following set of files installed:

The directory and file names used by XP Antivirus are generated based on a hash of the HDD serial number.

Example: rhcp1wj0e72l



A directory is created in the Program Files folder as follows:

  • C:\Program Files\[...]
  • C:\Program Files\[...]\database.dat
  • C:\Program Files\[...]\license.txt
  • C:\Program Files\[...]\MFC71.dll
  • C:\Program Files\[...]\MFC71ENU.DLL
  • C:\Program Files\[...]\msvcp71.dll
  • C:\Program Files\[...]\msvcr71.dll
  • C:\Program Files\[...]\[...].exe
  • C:\Program Files\[...]\[...].exe.local
  • C:\Program Files\[...]\Uninstall.exe

Note: [...] represents the generated directory and file names used by XP Antivirus.

Another folder is created in the Application Data folder using the same naming scheme:

  • C:\Documents and Settings\[NAME]\Application Data\[...]
  • C:\Documents and Settings\[NAME]\Application Data\[...]\Quarantine

Note: [Name] represents the account name.

Installation (XP Antivirus)

Another instance of infection may have the following set of files and directories installed:

Folders:

  • %programfiles%\XP Antivirus
  • %programfiles%\XP Antivirus\xpa.exe

Files:

  • C:\Documents and Settings\[Name]\Application Data\Microsoft\Internet Explorer\Quick Launch\XP Antivirus 2008.lnk
  • C:\Documents and Settings\[Name]\Desktop\XP Antivirus 2008.lnk
  • C:\Documents and Settings\[Name]\Start Menu\XP Antivirus 2008
  • C:\Documents and Settings\[Name]\Start Menu\XP Antivirus 2008\Uninstall XP Antivirus 2008.lnk
  • C:\Documents and Settings\[Name]\Start Menu\XP Antivirus 2008\XP Antivirus 2008.lnk

The following registry entry is added for autostart functionality:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run XP Antivirus = "%programfiles%\XP Antivirus\xpa.exe"

Additional registry entries:

  • HKEY_CURRENT_USER\Software\XP antivirus
  • HKEY_CURRENT_USER\Software\XP antivirus\Options
  • HKEY_CURRENT_USER\Software\XP antivirus\Options Aff [Data]
  • HKEY_CURRENT_USER\Software\XP antivirus\Options FirstRunUrl "http://xpantivirus.com/firstrun.php?product=%product%&aff=%aff%&update=%update%"
  • HKEY_CURRENT_USER\Software\XP antivirus\Options AfterRegisterUrl "http://xpantivirus.com/confirm.php?product=%product%&aff=%aff%&email=%email%&update=%update%&cookie_type=%cookie_type%&cookie=%cookie%"
  • HKEY_CURRENT_USER\Software\XP antivirus\Options LabelUrl [Data]
  • HKEY_CURRENT_USER\Software\XP antivirus\Options TermsUrl "http://xpantivirus.com/terms.php"
  • HKEY_CURRENT_USER\Software\XP antivirus\Options HelpURL "http://xpantivirus.com/help.php"
  • HKEY_CURRENT_USER\Software\XP antivirus\Options BillingURL "http://xpantivirus.com/license.php?Email=%email%&AffiliateID=%aff%"
  • HKEY_CURRENT_USER\Software\XP antivirus\Options BillingUrlApproved [Data]
  • HKEY_CURRENT_USER\Software\XP antivirus\Options TransactionKey [Data]
  • HKEY_CURRENT_USER\Software\XP antivirus\Options BillingRegURL "http://xpantivirus.com/order_xp.php?ver=%aff%"
  • HKEY_CURRENT_USER\Software\XP antivirus\Options BillingURL2 [Data]
  • HKEY_CURRENT_USER\Software\XP antivirus\Options BillingUrlApproved2 [Data]
  • HKEY_CURRENT_USER\Software\XP antivirus\Options SecurityVector [Data]
  • HKEY_CURRENT_USER\Software\XP antivirus\Options Scans [Data]
  • HKEY_CURRENT_USER\Software\XP antivirus\Options LastScan [Data]

Installation (Trojan-Downloader:W32/Exchanger)

XPAntivirus may also be installed by a trojan-downloader. See the Trojan-Downloader:W32/Exchanger description for additional details.

The following files are created in the computer's system directory:

  • C:\WINDOWS\system32\CbEvtSvc.exe

Note: CbEvtSvc.exe is detected as Trojan-Downloader:W32/Exchanger.

  • C:\WINDOWS\system32\[...].scr
  • C:\WINDOWS\system32\[...].exe
  • C:\WINDOWS\system32\[...].bmp
  • C:\WINDOWS\system32\[...].exe

The following directory and shortcut links are also created:

  • C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008
  • C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk

The following registry entries alter the desktop wallpaper and screensaver:

  • HKEY_CURRENT_USER\Control Panel\Desktop ConvertedWallpaper = "C:\WINDOWS\system32\[...].bmp"
  • HKEY_CURRENT_USER\Control Panel\Desktop SCRNSAVE.EXE = "C:\WINDOWS\system32\[...].scr"
  • HKEY_CURRENT_USER\Control Panel\Desktop Wallpaper = "C:\WINDOWS\system32\[...].bmp"
  • HKEY_CURRENT_USER\Control Panel\Desktop OriginalWallpaper = "C:\WINDOWS\system32\[...].bmp"

The following registry entries disable the wallpaper and screensaver options:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System NoDispBackgroundPage = dword:00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System NoDispScrSavPage = dword:00000001

Registry launchpoints used for autostart:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [...] = "C:\WINDOWS\system32\[...].exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SM[...] = "C:\Program Files\[...]\[...].exe"

Additional registry entries are also added as follows:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion [...]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\[...]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\[...] DisplayName = "AntivirXP08"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\[...] UninstallString = ""%programfiles%\[...]\uninstall.exe""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform AntivirXP08 "AntivirXP08"
  • HKEY_LOCAL_MACHINE\SOFTWARE\[...]
  • HKEY_LOCAL_MACHINE\SOFTWARE\[...] BuyUrl [Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\[...] BuyDiscUrl [Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\[...] domain [Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\[...] ADVid [Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\[...] @ "C:\Program Files\[...]"
  • HKEY_LOCAL_MACHINE\SOFTWARE\[...] InstallDir "C:\Program Files\[...]"
  • HKEY_LOCAL_MACHINE\SOFTWARE\[...] SoftID "AntivirXP08"
  • HKEY_LOCAL_MACHINE\SOFTWARE\[...] DatabaseVersion [Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\[...] ProgramVersion [Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\[...] EngineVersion [Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\[...] GuiVersion [Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\[...] ProxyName [Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\[...] ProxyPort [Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\[...] ScanPriority [Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\[...] DaysInterval [Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\[...] ScanDepth [Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\[...] ScanSystemOnStartup [Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\[...] AutomaticallyUpdates [Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\[...] MinimizeOnStart [Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\[...] BackgroundScan [Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\[...] BackgroundScanTimeout [Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\[...] LastTimeStamp [Data]
Back to the Top



F-Secure Corporation

Last Modified: September 02, 2008