Thursday, September 16, 2010

AnVi.FakeCog

AnVi.FakeCog is a rogue security product that pretends to find malicious code on a victim’s machine in order to frighten the user into purchasing this useless application. The rogue is downloaded onto computers that are already infected with the TDSS rootkit. After installation it attempts to remove Malwarebytes’ Anti-Malware protection.

The main distribution method for AnVi.FakeCog is exploits that target vulnerabilities in applications that handle .pdf files.

AnVi.FakeCog uses the rather unimaginative name “Antivirus” on its graphic interface:


The AnVi.FakeCog installer looks like this:


A machine infected with AnVi.FakeCog shows the following files:


Files and directories installed:

c:\Program Files\AnVi\
c:\Program Files\AnVi\about.ico
c:\Program Files\AnVi\activate.ico
c:\Program Files\AnVi\avt.db
c:\Program Files\AnVi\avt.exe
c:\Program Files\AnVi\avtext.dll
c:\Program Files\AnVi\avthook.dll
c:\Program Files\AnVi\buy.ico
c:\Program Files\AnVi\help.ico
c:\Program Files\AnVi\scan.ico
c:\Program Files\AnVi\settings.ico
c:\Program Files\AnVi\splash.mp3
c:\Program Files\AnVi\Uninstall.exe
c:\Program Files\AnVi\update.ico
c:\Program Files\AnVi\virus.mp3
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus.lnk
%UserProfile%\Desktop\Antivirus Support.lnk
%UserProfile%\Desktop\Antivirus.lnk
%UserProfile%\Desktop\nudetube.com.lnk
%UserProfile%\Desktop\pornotube.com.lnk
%UserProfile%\Desktop\spam001.exe
%UserProfile%\Desktop\spam003.exe
%UserProfile%\Desktop\troj000.exe
%UserProfile%\Desktop\youporn.com.lnk
%UserProfile%\Local Settings\Temp\wmsdk64_32.exe
%UserProfile%\Local Settings\Temp\wscsvc32.exe
%UserProfile%\Start Menu\Programs\AnVi\
%UserProfile%\Start Menu\Programs\AnVi\About.lnk
%UserProfile%\Start Menu\Programs\AnVi\Activate.lnk
%UserProfile%\Start Menu\Programs\AnVi\Antivirus Support.lnk
%UserProfile%\Start Menu\Programs\AnVi\Antivirus.lnk
%UserProfile%\Start Menu\Programs\AnVi\Buy.lnk
%UserProfile%\Start Menu\Programs\AnVi\Scan.lnk
%UserProfile%\Start Menu\Programs\AnVi\Settings.lnk
%UserProfile%\Start Menu\Programs\AnVi\Update.lnk

Registry changes:

HKEY_CURRENT_USER\Software\Malware Defense
HKEY_CURRENT_USER\Software\Paladin Antivirus
HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}
HKEY_LOCAL_MACHINE\SOFTWARE\AnVi
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Antivirus
HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Antivirus"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "wmsdk64_32.exe"
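The two lists above are a usable indicator set. The script below is an added example, not part of the original post: it transcribes the post's file and registry indicators into Python and sweeps them against a triage inventory (a file listing plus an export of the Run keys). The inventory, the profile path `C:\Documents and Settings\victim` and the helper names are constructed for the example; `scan_live_host()` shows how the same check would be run on a real Windows machine using only the standard-library `winreg` module and is an assumed usage, not something the post describes.

```python
"""IOC sweep for the AnVi.FakeCog artifacts listed in the post (added example)."""
import os

# Files the post lists on an infected machine (paths as written on the page).
FILE_IOCS = [
    r"c:\Program Files\AnVi\avt.exe",
    r"c:\Program Files\AnVi\avthook.dll",
    r"c:\Program Files\AnVi\avtext.dll",
    r"c:\Program Files\AnVi\Uninstall.exe",
    r"%UserProfile%\Local Settings\Temp\wmsdk64_32.exe",
    r"%UserProfile%\Local Settings\Temp\wscsvc32.exe",
    r"%UserProfile%\Desktop\spam001.exe",
    r"%UserProfile%\Desktop\spam003.exe",
    r"%UserProfile%\Desktop\troj000.exe",
    r"%UserProfile%\Desktop\Antivirus.lnk",
]

# Registry keys and Run values the post lists: (hive, subkey, value name or None).
REG_IOCS = [
    ("HKLM", r"SOFTWARE\AnVi", None),
    ("HKLM", r"SOFTWARE\Malware Defense", None),
    ("HKLM", r"SOFTWARE\Paladin Antivirus", None),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Antivirus", None),
    ("HKCR", r"CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}", None),
    ("HKCU", r"Software\Malware Defense", None),
    ("HKCU", r"Software\Paladin Antivirus", None),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", "Antivirus"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", "wmsdk64_32.exe"),
]


def expand_profile(path, profile):
    """Expand %UserProfile% and normalise case and separators for comparison."""
    return path.replace("%UserProfile%", profile).lower().replace("/", "\\")


def match_files(iocs, observed, profile):
    """Return the IOC paths (as written in FILE_IOCS) present in an observed file listing."""
    seen = {expand_profile(p, profile) for p in observed}
    return [ioc for ioc in iocs if expand_profile(ioc, profile) in seen]


def match_registry(iocs, observed):
    """observed maps (hive, lower-cased subkey) to the set of lower-cased value names.

    A key-only IOC matches when the key exists; a value IOC also needs the value."""
    hits = []
    for hive, subkey, value in iocs:
        values = observed.get((hive, subkey.lower()))
        if values is None:
            continue
        if value is None or value.lower() in values:
            hits.append((hive, subkey, value))
    return hits


# Constructed triage inventory standing in for a file listing and a Run-key export
# from an infected XP-era host. Not data taken from the post.
SAMPLE_PROFILE = r"C:\Documents and Settings\victim"
SAMPLE_FILES = [
    r"C:\Program Files\AnVi\avt.exe",
    r"C:\Program Files\AnVi\avthook.dll",
    r"C:\Documents and Settings\victim\Local Settings\Temp\wmsdk64_32.exe",
    r"C:\Documents and Settings\victim\Desktop\troj000.exe",
    r"C:\WINDOWS\system32\notepad.exe",
]
SAMPLE_REGISTRY = {
    ("HKCU", r"software\microsoft\windows\currentversion\run"): {"antivirus", "wmsdk64_32.exe", "ctfmon.exe"},
    ("HKLM", r"software\anvi"): set(),
}


def sweep(files=SAMPLE_FILES, registry=SAMPLE_REGISTRY, profile=SAMPLE_PROFILE):
    """Run both matchers over an inventory and return the hits."""
    return {"files": match_files(FILE_IOCS, files, profile),
            "registry": match_registry(REG_IOCS, registry)}


def scan_live_host():
    """Assumed usage on a real Windows host: check the same IOCs against the
    live filesystem and registry (winreg is Windows-only)."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE,
             "HKCU": winreg.HKEY_CURRENT_USER,
             "HKCR": winreg.HKEY_CLASSES_ROOT}
    profile = os.environ.get("USERPROFILE", "")
    files = [p for p in FILE_IOCS if os.path.exists(expand_profile(p, profile))]
    reg = []
    for hive, subkey, value in REG_IOCS:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                if value is not None:
                    winreg.QueryValueEx(key, value)  # raises if the value is absent
                reg.append((hive, subkey, value))
        except OSError:
            pass
    return {"files": files, "registry": reg}


if __name__ == "__main__":
    result = sweep()
    for path in result["files"]:
        print("file hit:", path)
    for hive, subkey, value in result["registry"]:
        print("registry hit:", hive, subkey, value or "(key)")
```

The Run-key values "Antivirus" and "wmsdk64_32.exe" are the persistence points, so a hit on either of those, even with the Program Files directory already deleted, means the rogue will come back at next logon; the sweep reports them separately from the key-only indicators for that reason.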

How to remove AnVi.FakeCog:

If AnVi.FakeCog has infected your PC, you should remove it immediately. Click here to use VIPRE to remove AnVi.FakeCog from your computer now.

1 comment:

  1. You know, the writers of 'AnVi' didn't encrypt a piece of code