Fake (or rogue) security applications have been a cause of confusion and problems for users for some years. These applications generally display fake warnings and malware detections in order to entice users to buy the application and thus ‘disinfect’ their system. Over time, the mechanisms used to avoid detection and distribute these applications have become more complex – code obfuscation is now common, and botnets are utilized for widespread distribution.
Win32/Antivirusxp is one of these rogues, and it may get to your machine through multiple channels – including via spam that impersonates major online news services (for example the CNN Top 10 and MSNBC).
Figure 1. Infection Chain A
Figure 2. Infection Chain B
Like many other fake security programs, the Antivirusxp rogue can be downloaded by Win32/Renos, installed directly from the product distributor’s website or the websites of their affiliates, or installed by tricking users into clicking on links in spam e-mail.
Figure 1 shows a simplified channel of infection where, for example, a user gets spammed, clicks on a link in the spammed e-mail and then gets infected with Win32/Renos, which in turn installs Win32/Antivirusxp onto the system.
Figure 2 shows another infection channel with additional components and complexity. Taking the real life example of the CNN Top 10 or MSNBC incidents, the user is initially exposed to trojan downloaders like Win32/Cbeplay via spam. Win32/Cbeplay drops a botnet agent (such as Win32/Rustock, or Win32/Srizbi) and Win32/Renos variants, which in turn download Win32/Antivirusxp.
This explains why, in many situations where Win32/Antivirusxp has been found on a system, Win32/Rustock (or Win32/Srizbi) and Win32/Renos were also present. Generally, Renos has been distributed with the specific intention of showing fake alerts and then downloading fake security applications. The components in the infection chain that results in the installation of Win32/Antivirusxp are closely integrated, and the relationship between Win32/Renos and Win32/Antivirusxp is symbiotic, as examined below.
Once Renos infects the system a few things may happen:
- After a short delay, the desktop background is changed to display an image that is carried by Renos; the image shows a fake warning.
Figure 3. Desktop Background Warning
- A copy of the Sysinternals BSOD (Blue Screen Of Death) screensaver is often dropped to the system directory and set as the active screensaver.
- Temp folders, like tt1 or tt2.tmp, are created.
If there is an active Internet connection, Renos then attempts to download and install the Antivirusxp rogue. There is no user interaction in this infection chain. The file Renos downloads, after connecting to Antivirusxp-related domains, is an image file which has the Antivirusxp rogue installer appended. The installer is distributed encrypted. It is decrypted by Renos, saved in the tmp folders previously created, and then executed. The installer is encrypted in such a manner that only Renos is able to perform the decryption.
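The delivery format described above (an image with an encrypted installer appended) can be triaged from the defender's side by looking for a large, high-entropy overlay after the image's logical end. The following Python is an added example, not code from the original analysis or from any Microsoft tool. It assumes PNG, since the article does not name the image format; the thresholds are illustrative and the sample data is constructed.

```python
import math, os, struct, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_trailing_data(blob: bytes) -> bytes:
    """Walk the PNG chunk list and return whatever follows IEND."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length          # length + type + data + CRC
        if end > len(blob):
            raise ValueError("truncated chunk")
        if ctype == b"IEND":
            return blob[end:]
        pos = end
    raise ValueError("no IEND chunk found")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8 suggest encrypted or compressed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def triage(blob: bytes, min_size: int = 1024, min_entropy: float = 7.0) -> dict:
    """Flag images with a large, high-entropy overlay (thresholds are assumptions)."""
    tail = png_trailing_data(blob)
    entropy = shannon_entropy(tail)
    return {"trailing_bytes": len(tail), "entropy": round(entropy, 2),
            "suspicious": len(tail) >= min_size and entropy >= min_entropy}

def _chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_sample_png() -> bytes:
    """Constructed 1x1 grayscale PNG used as clean test input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))

if __name__ == "__main__":
    print("clean image:  ", triage(build_sample_png()))
    # Constructed stand-in for an encrypted payload: random bytes, not real malware.
    print("with overlay: ", triage(build_sample_png() + os.urandom(4096)))
```

A hit is a triage signal rather than a verdict: some legitimate tools append metadata after the image end, which is why the check requires both size and entropy.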
Once the Antivirusxp rogue gets onto the system, either through the above-mentioned infection channels or by being installed manually, it creates a randomly named folder and drops the main executable as a randomly named file in this folder. It also drops another component that is used to show fake alerts and promote the fake application’s ability to ‘remove’ these fictional threats. Finally, it deletes the installer from the system.
Figure 4. Screenshot of Antivirusxp Rogue
When it comes to rogues, Win32/Renos has a long history of downloading and dropping AV rogues through drive-by downloads. One variant of Win32/Renos, TrojanDownloader:Win32/Renos.gen!AQ, which was brought to our attention during recent MSRT releases, was found to be responsible for a large volume of Win32/Antivirusxp installations. During the first two weeks of the MSRT September release, 148,111 unique machines were cleaned of this particular Renos infection.
Fake security applications have always been good at confusing end-users. Win32/Antivirusxp is no different in that respect, and with names such as Antivirus2008, XPAntivirus, Windows Antivirus, Antivirus 2008 XP, confusion is hard to avoid.
Rather than going into similarities, it is better to look specifically at Win32/Antivirusxp and find out whether it shows any easily identifiable and unique behavior. Most fake security applications, as mentioned already, may have fewer dependencies on Renos or other similar trojan downloaders. When installed without user interaction, Win32/Antivirusxp depends on Renos to decrypt its installer. The following two characteristics, displayed by Win32/Antivirusxp, are not typically observed in other rogues:
- Creation of randomly named folder and main executable file
- Self-deleting Antivirusxp installer
Rogue antivirus programs have grown significantly of late. They generate misleading alerts and false detections in order to convince users to purchase rogue security software – from Win32/Antivirusxp to Program:Win32/Fakerednefed and now Win32/Antivirusxp. These rogues have caused dramatic disruption for both end users and businesses. It is strongly suggested that you deploy a full AV product for your business or personal computers. At a minimum, if you believe your machine is affected by malicious software or potentially unwanted software, we recommend you run our freely available online scanner at http://safety.live.com. You can also get free virus-related assistance from Microsoft through Microsoft Help and Support. And as usual, if you identify rogues that you believe we are not detecting, please submit a sample to us through our portal.
— Subratam Biswas and Scott Wu