



Rogue:W32/XPAntivirus.gen!I

Name: Rogue:W32/XPAntivirus.gen!I
Category: Malware
Type: Rogue
Platform: W32

Summary

Deceptive antivirus software that pressures users into buying or installing it (e.g., infecting a computer; displaying false or alarming warnings or scanning results). Once installed, it may not function as claimed.

Disinfection

Removal Tool

F-Secure Easy Clean is a free removal tool that finds and removes many of the threats detected by our Response Lab. The tool is available here.


Automatic Disinfection


Starting from F-Secure Anti-Virus (FSAV) version 5.40, standalone malware (backdoors, worms, trojans, etc.) is automatically removed. FSAV automatically renames malware files to prevent them from being executed.

In rare cases, automatic disinfection is not possible and the user must instruct FSAV to perform disinfection (renaming and/or deleting the infected file).

In special cases, it is recommended that the user perform disinfection using specific tools provided by F-Secure. The tools can be downloaded from:

    - ftp://ftp.f-secure.com/anti-virus/tools/
    - http://www.f-secure.com/download-purchase/tools.shtml

In some cases F-Secure Anti-Virus may not automatically disinfect a system. If so, please visit our Support pages at:

    - http://support.f-secure.com/enu/home/virusproblem/howtoclean/


Windows System Restore Issues

If the computer is running on the Windows ME or XP operating systems, disabling the System Restore feature before disinfection is recommended. This is to avoid possible re-infection by a threat that has just been disinfected, as the System Restore feature may have unknowingly saved a copy of the infected file during its normal procedures. If the System Restore feature is active, it may then copy the infected file back to the hard drive after the user or an antivirus program has renamed or deleted it.

Instructions on how to disable the System Restore feature are here:

    - Windows ME: http://www.f-secure.com/v-descs/sfc_dis.shtml
    - Windows XP: http://www.f-secure.com/v-descs/sfc_dis1.shtml

Once disinfection is complete, re-enabling the System Restore feature is recommended. This will allow the user to restore the system to a stable configuration in the event that a crash or incompatibility issue occurs in the future.


F-Secure Anti-Virus

F-Secure Anti-Virus can be purchased from our online web store or from authorized distributors. A 30-day limited trial version of F-Secure Anti-Virus may be downloaded from our website:

    - http://www.f-secure.com/download-purchase/

All the latest versions of FSAV can automatically download the latest signature database updates. These updates can also be manually downloaded and installed from our web or ftp sites:

    - http://www.f-secure.com/download-purchase/updates.shtml


Contacting F-Secure for help

If you have problems with disinfection, please consult a computer technician or send a message (and a sample) to our Response Lab. We have guidelines for sending virus samples, hoaxes and virus-related questions to F-Secure Response Lab published here:

    - http://support.f-secure.com/enu/home/virusproblem/sample/

Details


File System Changes
Creates these files:

  • %programfiles%\AntivirusXP\AntivirusXP.exe
  • %desktop%\AntivirusXP.lnk
  • %startmenuprograms%\AntivirusXP\AntivirusXP.lnk
  • %appdata%\Microsoft\Internet Explorer\Quick Launch\AntivirusXP.lnk
  • %temp%\stylrit0.tmp


Creates these directories:

  • %programfiles%\AntivirusXP
  • %programfiles%\AntivirusXP\Suspicious
  • %programfiles%\AntivirusXP\Infected
  • %startmenuprograms%\AntivirusXP



Registry Modifications
Sets these values:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    Programs = C:\Documents and Settings\user\Start Menu\Programs
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    Start Menu = C:\Documents and Settings\user\Start Menu
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    Common Start Menu = C:\Documents and Settings\All Users\Start Menu
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    My Pictures = C:\Documents and Settings\user\My Documents\My Pictures
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    CommonPictures = C:\Documents and Settings\All Users\Documents\My Pictures
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    CommonMusic = C:\Documents and Settings\All Users\Documents\My Music
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    CommonVideo = C:\Documents and Settings\All Users\Documents\My Videos
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    AntivirusXP.exe = C:\Program Files\AntivirusXP\AntivirusXP.exe
    [Launchpoint: Run]


Creates these keys:

  • HKCU\Software\AntivirusXP
  • HKLM\Software\AntivirusXP
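The file, directory and registry indicators listed above are the artifacts an incident responder would check for on a suspect host. The script below is an added example, not F-Secure's own tooling: it takes the indicators exactly as the page lists them, expands the %placeholder% tokens with a constructed map (an assumption: a default English Windows XP layout for a profile named "user"), and matches them case-insensitively against a constructed snapshot of present paths, registry keys and HKCU Run values, the kind of data a collection script or forensic image export would provide. The Run value is the persistence mechanism ("Launchpoint: Run"), so it is reported separately.

```python
"""Offline check for the Rogue:W32/XPAntivirus.gen!I indicators listed on this page.

Added example: the indicator lists are copied from the page; the environment
map and host snapshot below are constructed for illustration.
"""
import re

# Indicators as written on the page (placeholder tokens kept verbatim).
IOC_FILES = [
    r"%programfiles%\AntivirusXP\AntivirusXP.exe",
    r"%desktop%\AntivirusXP.lnk",
    r"%startmenuprograms%\AntivirusXP\AntivirusXP.lnk",
    r"%appdata%\Microsoft\Internet Explorer\Quick Launch\AntivirusXP.lnk",
    r"%temp%\stylrit0.tmp",
]
IOC_DIRS = [
    r"%programfiles%\AntivirusXP",
    r"%programfiles%\AntivirusXP\Suspicious",
    r"%programfiles%\AntivirusXP\Infected",
    r"%startmenuprograms%\AntivirusXP",
]
IOC_KEYS = [r"HKCU\Software\AntivirusXP", r"HKLM\Software\AntivirusXP"]
# Persistence entry under HKCU\...\CurrentVersion\Run (value name, value data).
IOC_RUN_VALUE = ("AntivirusXP.exe", r"C:\Program Files\AntivirusXP\AntivirusXP.exe")

# Constructed placeholder map (assumption: default English XP profile "user").
ENV = {
    "programfiles": r"C:\Program Files",
    "desktop": r"C:\Documents and Settings\user\Desktop",
    "startmenuprograms": r"C:\Documents and Settings\user\Start Menu\Programs",
    "appdata": r"C:\Documents and Settings\user\Application Data",
    "temp": r"C:\Documents and Settings\user\Local Settings\Temp",
}

_TOKEN = re.compile(r"%([a-z]+)%", re.IGNORECASE)


def expand(path, env=ENV):
    """Replace %token% placeholders; unknown tokens are left untouched."""
    return _TOKEN.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def norm(p):
    """Windows file and registry paths are case-insensitive; strip trailing '\\'."""
    return p.lower().rstrip("\\")


def check_paths(present_paths, env=ENV):
    """Return the page's file/directory indicators found among present_paths."""
    present = {norm(p) for p in present_paths}
    return [ioc for ioc in IOC_FILES + IOC_DIRS if norm(expand(ioc, env)) in present]


def check_registry(keys, run_values):
    """keys: iterable of registry key paths; run_values: {name: data} of the
    HKCU Run key. Returns the matching key indicators and the Run launchpoint."""
    present = {norm(k) for k in keys}
    hits = [k for k in IOC_KEYS if norm(k) in present]
    want_name, want_data = IOC_RUN_VALUE
    for name, data in run_values.items():
        if name.lower() == want_name.lower() and norm(data) == norm(want_data):
            hits.append("Run\\%s = %s" % (name, data))
    return hits


def assess(present_paths, keys, run_values, env=ENV):
    """Combined verdict: (list of all hits, True if any indicator matched)."""
    hits = check_paths(present_paths, env) + check_registry(keys, run_values)
    return hits, bool(hits)


# Constructed host snapshot: two files, the install directory, one stray
# system file, one indicator key and the Run launchpoint next to a benign one.
SAMPLE_PATHS = [
    r"C:\Program Files\AntivirusXP\AntivirusXP.exe",
    r"c:\program files\antivirusxp",
    r"C:\Documents and Settings\user\Desktop\AntivirusXP.lnk",
    r"C:\WINDOWS\notepad.exe",
]
SAMPLE_KEYS = [r"HKCU\Software\AntivirusXP", r"HKCU\Software\Microsoft"]
SAMPLE_RUN = {
    "AntivirusXP.exe": r"C:\Program Files\AntivirusXP\AntivirusXP.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}

if __name__ == "__main__":
    found, infected = assess(SAMPLE_PATHS, SAMPLE_KEYS, SAMPLE_RUN)
    print("infected" if infected else "clean")
    for h in found:
        print("  ", h)
```

On a live system the snapshot inputs would come from a directory walk and a registry export; the matching logic stays the same. Matching is case-insensitive because NTFS paths and registry key names are, so a variant that writes `antivirusxp` in lower case would otherwise slip past a naive string comparison.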


Additional Details

Rogue:W32/Antiviruspro.gen!I is a Generic Detection for a family of rogue antivirus programs.


Execution

On execution, this rogueware will display a false antivirus scanner window and run a "scan" that will find non-existent malware on the system:



It will then direct the user to pay for a "registered version" to clean the malware.

It will also periodically display a warning message on the system tray: