Published: March 04 2009, 01:01 AM by Zarestel Ferrer
This particular rogue software has been around since January 2009, and we’re currently seeing a significant number of downloader programs connected to this fake anti-virus. The image below shows what ‘Antivirus XP Pro’ looks like when it is installed on a system. Typical of a Win32/FakeAV trojan, it reports a number of fake threats detected on your system:

It also modifies the desktop wallpaper to display the following image:

which contains this message:
Warning
Dangerous Spyware
Many viruses were found on your computer such as : Trojan horse, PassCapture, etc
Your personal information can fall into in the “third hands”.
Please check up the computer with a special software.
Thank
Downloader families like Win32/Donloz, Win32/FakeAVDl and Win32/SillyDl are responsible for the distribution of these Win32/FakeAV variants. Variants of these families can install a couple of component files on the compromised system to scare the user into installing the fake security software. This malware also has some tricks and schemes to lure a user into downloading ‘Antivirus XP Pro’.
For example, when you use an affected system to browse to your favorite website, let’s say www.ca.com, you’ll get the web page below containing the message:
Too many errors and faults WERE found in your system. Possibly that IT WAS THE RESULT of virus attack.YOU MUST scan your system.

You may also get the following scary warnings:
Warning! Your system is in danger. YOUR COMPUTER IS IN need OF full scanning.

ERROR! Connection was RESET by remote server. This can be a reason for system faults, errors or critical data corruption. To prevent your critical data loss please do the full system scanning!

All the messages point to a website hosting the Win32/FakeAV ‘Antivirus XP Pro’ variant.
Every time an affected system accesses a website, the component file "ntdll64.dll" (detected as a Win32/SillyBHO variant) contacts another website, which in this case is "onlinenotify.net", to retrieve the error messages to display at the top of every web page. Below you can see that the malware component file is a module of the web browser process being used, "firefox.exe".

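A module listing is the simplest place to spot this component: "ntdll64.dll" borrows the name of the genuine Windows library ntdll.dll so that it looks at home among the browser's loaded modules. The script below is an added example, not code from the original post or from CA; it reviews a process module list the way an analyst would review Process Explorer output, flagging any DLL whose name imitates a core system library (a hypothetical baseline list, not exhaustive) or any genuine system DLL name that is loaded from outside the Windows system directories. The module list and all paths are constructed for the example; on a live system they would come from a process-inspection tool.

```python
"""Flag browser modules that masquerade as Windows system DLLs.

Added example (not from the original post). Two checks are applied to
each loaded module:
  1. the file name imitates a core system DLL name (ntdll64.dll vs ntdll.dll);
  2. the file name IS a core system DLL name but it loads from an
     untrusted directory (e.g. a user's Temp folder).
The baseline list of system DLLs is a small hypothetical set for the
example, not an exhaustive inventory.
"""

# Core Windows libraries that rogue components commonly imitate by name.
SYSTEM_DLLS = {"ntdll.dll", "kernel32.dll", "user32.dll", "advapi32.dll", "wininet.dll"}

# Directories from which genuine system DLLs are expected to load.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def classify_module(name, path):
    """Return None if the module looks benign, otherwise a short reason string."""
    lname = name.lower()
    lpath = path.lower().replace("/", "\\")
    trusted = any(lpath.startswith(d) for d in TRUSTED_DIRS)

    # Check 2: a real system DLL name loaded from somewhere it should not be.
    if lname in SYSTEM_DLLS:
        if trusted:
            return None
        return f"{name} uses a system DLL name but loads from {path}"

    # Check 1: a name that extends a system DLL's stem (ntdll -> ntdll64.dll).
    for sys_dll in SYSTEM_DLLS:
        stem = sys_dll[:-len(".dll")]
        if lname.startswith(stem):
            return f"{name} imitates {sys_dll} (loaded from {path})"
    return None


def suspicious_modules(modules):
    """modules: iterable of (name, full_path). Returns a list of (name, reason)."""
    hits = []
    for name, path in modules:
        reason = classify_module(name, path)
        if reason:
            hits.append((name, reason))
    return hits


# Constructed module list for a firefox.exe process (not a real capture).
# The path of ntdll64.dll is a placeholder; the post does not give its location.
SAMPLE_MODULES = [
    ("firefox.exe", "C:\\Program Files\\Mozilla Firefox\\firefox.exe"),
    ("ntdll.dll", "C:\\Windows\\System32\\ntdll.dll"),
    ("kernel32.dll", "C:\\Windows\\System32\\kernel32.dll"),
    ("xul.dll", "C:\\Program Files\\Mozilla Firefox\\xul.dll"),
    ("ntdll64.dll", "C:\\Windows\\System32\\ntdll64.dll"),   # lookalike name from the post
    ("wininet.dll", "C:\\Users\\user\\AppData\\Local\\Temp\\wininet.dll"),  # wrong directory
]

if __name__ == "__main__":
    for name, reason in suspicious_modules(SAMPLE_MODULES):
        print(f"[!] {name}: {reason}")
```

The name check is deliberately independent of the path: ntdll64.dll is flagged even when it sits in System32, because no legitimate library carries that name. The path check catches the other common trick, a correctly named DLL dropped into a writable user directory. Both produce triage candidates for an analyst, not a verdict on their own.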
The capture below illustrates the sequence of HTTP requests made by an affected system. We can see that a request to "onlinenotify.net" is made each time we access a website.
A packet capture of this activity shows the source of the message inserted at the top of every web page: it links to the rogue ‘Antivirus XP Pro’ website.

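The behaviour just described, one extra request to the same host on every page visit regardless of which site the user opened, is a pattern a proxy or egress log can surface without any knowledge of the specific domain. The following script is an added example, not code from the original post or from CA: it parses a constructed, simplified HTTP log (timestamp, host, path, referer), splits the requests into page visits, and lists the hosts contacted during visits to at least three different first-party sites while belonging to none of them. The log lines, the visited sites other than www.ca.com, and the ad-network host name are all constructed for the example.

```python
"""Find third-party hosts contacted on every page visit, as a rogue
browser component does. Added example, not from the original post.

Log format (constructed for this example): "<unix_ts> <host> <path> <referer>"
with "-" for an empty referer. A request with no referer is treated as a new
page navigation; every following request is attributed to that visit.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Yield (timestamp, host, path, referer) tuples; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, path, ref = m.groups()
            yield int(ts), host.lower(), path, (None if ref == "-" else ref.lower())


def registrable(host):
    """Crude eTLD+1 for the example: keep the last two labels."""
    parts = host.split(".")
    return ".".join(parts[-2:])


def group_visits(records):
    """Split records into page visits; a request without a referer starts a new one."""
    visits = []
    for ts, host, path, ref in records:
        if ref is None or not visits:
            visits.append({"site": registrable(host), "hosts": set()})
        visits[-1]["hosts"].add(host)
    return visits


def find_ubiquitous_hosts(records, min_sites=3):
    """Return hosts seen during visits to at least min_sites distinct first-party
    sites, excluding hosts that belong to any site the user actually visited."""
    visits = group_visits(records)
    sites = {v["site"] for v in visits}
    seen_with = defaultdict(set)
    for v in visits:
        for host in v["hosts"]:
            if registrable(host) not in sites:
                seen_with[host].add(v["site"])
    return sorted(h for h, s in seen_with.items() if len(s) >= min_sites)


# Constructed log: three page visits, each followed by a request to
# onlinenotify.net; an ad network appears on only two of them.
SAMPLE_LOG = """\
1236128400 www.ca.com / -
1236128400 onlinenotify.net / www.ca.com
1236128401 www.ca.com /images/logo.gif www.ca.com
1236128430 www.example.com / -
1236128430 onlinenotify.net / www.example.com
1236128431 static.example.com /style.css www.example.com
1236128432 ads.adnetwork-example.com /tag.js www.example.com
1236128470 news.example.org / -
1236128470 onlinenotify.net / news.example.org
1236128471 cdn.example.org /app.js news.example.org
1236128472 ads.adnetwork-example.com /tag.js news.example.org
"""

if __name__ == "__main__":
    records = list(parse_log(SAMPLE_LOG))
    for host in find_ubiquitous_hosts(records):
        print(f"[!] {host} contacted on visits to every first-party site")
```

The output is a triage list rather than a verdict: a widely used CDN or analytics host will score just as high, so the analyst still has to look at what the flagged host returns (here, the injected warning text). The visit-splitting heuristic also assumes the injected requests carry the page's referer; a component that sends none would start a spurious "visit" of its own and needs a time-window grouping instead.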
Avoid this malware by only installing trusted software from trusted distributions. In addition, please keep your software patched and updated.
Happily for our customers, CA detects ‘Antivirus XP Pro’, and removes the files and registry keys associated with this rogue software.