Softpanorama

May the source be with you, but remember the KISS principle ;-)
Home Switchboard Unix Administration Red Hat TCP/IP Networks Neoliberalism Toxic Managers
(slightly skeptical) Educational society promoting "Back to basics" movement against IT overcomplexity and  bastardization of classic Unix

Antivirus system pro

News

Recommended Links Spyware Spyware fighting strategy Humor Etc

An interesting part of the problem with this malware is that it blocks execution of many programs including programs you try to launch from CD/DVD in a perfect "reverse antivirus" fashion :-). It also uses fake setting in IE proxy configuration, setting proxy to localhost (that means that this malware runs proxy on the computer). In my case the port was 5555. Using this port you actually can detect which program is used as a proxy via netstat.

When the windows screen first appears, hit ctrl-alt-del. This gives you the task manager. Then search for the program with name ending with "guard", for example xylbsguard.exe and kill it.

When you stop this program you combine use of Microsoft Security Essentials tool (free Av tool from Microsoft) with some more specific tool. For example instructions on how remove it Remove Antivirus System Pro (Uninstall Guide), recommend program Malwarebytes' Anti-Malware. It works OK but like virus is difficult to remove ;-)

The key here to understand that you are probably dealing with combination of infections of which Antivirus Pro is just one component which were injected when you his some rogue Web site (often of Eastern European origin). Additional components might include Alureon.F, Hotbar, Renos.KS, Renos.JW, Bravine.A, etc. Of them Alureon looks pretty disturbing:

Win32/Alureon is a family of data-stealing Trojans. These Trojans allow an attacker to intercept incoming and outgoing Internet traffic in order to gather confidential information such as user names, passwords, and credit card data. The Win32/Alureon Trojan may also allow an attacker to transmit malicious data to the infected computer. The Trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. Therefore it may be necessary to reconfigure DNS settings after the Trojan is removed from the computer.

As Antivirus Pro installs a proxy on the computer after killing *guard.exe process in memory you can run AV programs from a CD.

Of course restoring from a clean Ghost or Maxblast/Acronis True Image  image, is a better way to spend your time then playing Sherlock Holmes with some unknown, probably Eastern European jerks.

Good analysis can be found at:

  1. Encyclopedia entry TrojanWin32-FakeScanti - Learn more about malware - Microsoft Malware Protection Center
  2. Win32-WindowsAntivirusPro Family - CA

Looks like the latest version of Windows Defender can be affective again this malware too.

Old News

Win32-WindowsAntivirusPro Family - CA

Date Published:
21 Aug 2009

Last Updated:
23 Aug 2009

Characteristics

Description

Win32/WindowsAntivirusPro is rogue security software that displays deceptive information about the infected system. It also blocks access to the infected system by terminating processes not included in its predefined list. This trojan is commonly known as "Windows Antivirus Pro".

Method of Infection

To the unsuspecting user, Windows Antivirus Pro appears to be a legitimate program. The image below shows its Graphical User Interface.
 


 

Upon execution, Win32/WindowsAntivirusPro drops the following component files:

%System%\dddesot.dll
%System%\desot.exe
%System%\bennuar.old
%System%\sysnet.dat
%Windows%\svchast.exe
%Windows%\ppp3.dat
%Windows%\ppp4.dat
<Path trojan is executed from>\tmp\dbsinit.exe
<Path trojan is executed from>\tmp\images

It also registers its component file SVCHAST.EXE as a service named "AntipPro2009_12"

HKLM\SYSTEM\CurrentControlSet\Services\AntipPro2009_12\Type = dword:00000010
HKLM\SYSTEM\CurrentControlSet\Services\AntipPro2009_12\Start = dword:00000002
HKLM\SYSTEM\CurrentControlSet\Services\AntipPro2009_12\ErrorControl = dword:00000001
HKLM\SYSTEM\CurrentControlSet\Services\AntipPro2009_12\ImagePath = %Windows%\svchast.exe
HKLM\SYSTEM\CurrentControlSet\Services\AntipPro2009_12\DisplayName ="AntipyPro_12"
HKLM\SYSTEM\CurrentControlSet\Services\AntipPro2009_12\ObjectName = "LocalSystem"

Notes: '%Windows%' and %System% are variable locations.

The malware determines the location of the current Windows folder by querying the operating system. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95,98 and ME is C:\Windows; and for XP is C:\Windows. The malware determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME is C:\Windows\System; and for XP and Vista is C:\Windows\System32.

The component file DESOT.EXE is used to intercept executable files run on the system. Win32/WindowsAntivirusPro adds the registry keys below to monitor these files:

HKCR\exefile\shell\open\command\@=%system%\desot.exe "%1" %*"
HKLM\SOFTWARE\Classes\exefile\shell\open\command\@=%system%\desot.exe "%1" %*"

It also creates the following registry key as part of its installation:

HKCU\Software\Windows Antivirus Pro

Payload

Blocks Execution of Programs
The component file DESOT.EXE only allows the following files to be executed:
Adds Browser Helper Object
In order to monitor internet browsing activity of the user, Win32/WindowsAntivirusPro registers a component file as a Browser Helper Object (BHO). It adds the following registry keys and names the malicious component "ICQSys (IE PlugIn)"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F54AF7DE-6038-4026-8433-CC30E3F17212}
HKCR\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212}\@="ICQSys (IE PlugIn)"
HKCR\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212}\InprocServer32\@="%system%\dddesot.dll"
HKLM\SOFTWARE\Classes\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212}\@="ICQSys (IE PlugIn)"
HKLM\SOFTWARE\Classes\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212}\InprocServer32\@="%system%\dddesot.dll"

Displays Fake Warnings

Win32/WindowsAntivirusPro displays the following fake warnings on the infected system.

 


 


 


 


 


For additional information:
Creates Mutex

Win32/WindowsAntivirusPro creates the mutex "234sdfsfsdf___sys23".

Connects to Domains

It connects to any of the following domains:

core2604.racman-xc
core2606.racman-xc
core2611.racingnmn-mnm
core2634.racing-wtf
core2635.racing-wtf
core2617.racingmoney-0110
core2623.racingmoney-0110
core2668.rubimbablo
core2672.rubimbablo
moneyracing.ru

Analysis by Zarestel Ferrer

[Jan 15, 2010] Useful materials

Recommended Links



Etc

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotesSomerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose BierceBernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D


Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to to buy a cup of coffee for authors of this site

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Last modified: March 23, 2010