Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Do you see it? Right there in the middle, "AntivirXP08". What is that all about?
Some rogues modify the browser's user agent. We've seen hundreds of AntivirXP08 string variations. The modified string is possibly used to identify the affiliates responsible for the installation which drives "business" to the rogue's website.
Modified user agents could also be used deliver different content. A victim with AntivirXP08 doesn't need to be convinced to download an installer, instead they can be targeted to complete the scam and to buy the rogue.
How many infected user agents are out there? Toni examined one of our sinkholes and its April 2009 logs contained 63,000 unique IP addresses using agents that contain AntivirXP08.
63 thousand. That's a lot of infections, right? And that doesn't include other strings we've seen such as "Antimalware2009".