F-Secure
Tools
Rogue:W32/XPAntivirus.gen!I
Summary
Deceptive antivirus software that pressures users into buying or installing it (e.g., infecting a computer; displaying false or alarming warnings or scanning results). Once installed, it may not function as claimed.
Disinfection
Removal Tool
F-Secure Easy Clean is a free removal tool that finds and removes many of the threats detected by our Response Lab. The tool is available here.
Automatic Disinfection
Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.
F-Secure Easy Clean is a free removal tool that finds and removes many of the threats detected by our Response Lab. The tool is available here.
Automatic Disinfection
Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.
Details
File System Changes
Creates these files:
- %programfiles%\AntivirusXP\AntivirusXP.exe
- %desktop%\AntivirusXP.lnk
- %startmenuprograms%\AntivirusXP\AntivirusXP.lnk
- %appdata%\Microsoft\Internet Explorer\Quick Launch\AntivirusXP.lnk
- %temp%\stylrit0.tmp
Create these directories:
- %programfiles%\AntivirusXP
- %programfiles%\AntivirusXP\Suspicious
- %programfiles%\AntivirusXP\Infected
- %startmenuprograms%\AntivirusXP
Registry Modifications
Sets these values:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Programs = C:\Documents and Settings\user\Start Menu\Programs - HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Start Menu = C:\Documents and Settings\user\Start Menu - HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Common Start Menu = C:\Documents and Settings\All Users\Start Menu - HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
My Pictures = C:\Documents and Settings\user\My Documents\My Pictures - HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
CommonPictures = C:\Documents and Settings\All Users\Documents\My Pictures - HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
CommonMusic = C:\Documents and Settings\All Users\Documents\My Music - HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
CommonVideo = C:\Documents and Settings\All Users\Documents\My Videos - HKCU\Software\Microsoft\Windows\CurrentVersion\Run
AntivirusXP.exe = C:\Program Files\AntivirusXP\AntivirusXP.exe
[Launchpoint: Run]
Creates these keys:
- HKCU\Software\AntivirusXP
- HKLM\Software\AntivirusXP
Additional Details
Rogue:W32/Antiviruspro.gen!I is a Generic Detection for a family of rogue antivirus programs.
Execution
On execution, this rogueware will display a false antivirus scanner window and run a "scan" that will find non-existent malware on the system:
It will then direct user to pay for a "registered version" to clean the malware.
It will also periodically display a warning message on the system tray:
Execution
On execution, this rogueware will display a false antivirus scanner window and run a "scan" that will find non-existent malware on the system:
It will then direct user to pay for a "registered version" to clean the malware.
It will also periodically display a warning message on the system tray: