Home > Threat descriptions >

Trojan:W32/AntiAV

Classification

Category: Malware

Type: Trojan

Aliases: Trojan:W32/AntiAV, Gen:Trojan.Heur.RP.Mq0@ayDoNAeb, Trojan.Win32.AntiAV.iup

Summary


Trojan:W32/AntiAV attempts to send information to a remote server.

Removal


Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details


This malware is distributed in a RAR archive file attached to an email message.

The archive file contains an executable file which may be detected as either Gen:Trojan.Heur.RP.Mq0@ayDoNAeb or Trojan.Win32.AntiAV.iup.

Installation

The executable file uses the icon of a Microsoft Word document to appear legitimate. On execution, the malware will drop a clean Word document and open it for viewing, to further deceive the user.

Meanwhile, the malware will create a registry launchpoint so that subsequently its file will be automatically run at every Windows startup:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run common = (path of the malware)
Network connections

Once its file is active, the malware will attempt to connect to:

  • tokyonews.edns.biz
  • tokyoIP.freewww.info

The malware may also send information to an external party by a POST to an info.php page on a remote server.