F-Secure Hoax Information Pages : Avgold.D [Summary] | [Detailed Description] Name: Avgold.D Alias: not-virus:Hoax.Win32.Avgold.d Category: Hoax Summary The Avgold hoax program shows fake security warnings in order to make a user go to the certain website. Detailed Description When run, this program copies itself as HOOKDUMP.EXE file to Windows System folder and then creates a startup key for that file in the Registry: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Intel system tool"="%WinSysDir%\hookdump.exe" where %WinSysDir% represents Windows System folder name. Then the program extracts and HTML file called SCREEN.HTML and puts it on Windows Desktop. As a result the desktop will look like that: In addition the program creates an icon in System Tray and periodically displays a popup there: All the claims that the program does using the webpage and a popup are false and are only aimed to make a user click on "Removal Instructions" link. The link points to the www.antivirus-gold.com website. Back to the Top Write-up: Alexey Podrezov; July 14th, 2005; F-Secure Corporation