AnVi.FakeCog is distributed mainly through exploits that target a vulnerability in applications that handle .pdf files.
AnVi.FakeCog uses the rather unimaginative name “Antivirus” on its graphical user interface:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfJXzVXWFSbBPzt7uscMQikCtQc1yO439d4kngsrLK6Rq_REHTzwefsO0QETSZpy5inMfYMG6GnIEqmimdCGJiEL5ur630agyHLdLNQOTcLo7Vw7lPuWnqeBAs00qOJ9WnTI4_cnnXf_A/s400/Antivirus_FakeCog_GUI.jpg)
The AnVi.FakeCog installer looks like this:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSr93udLDatN6gCp6dp4PiMauRWyKUIK9_YhGyFz-4zuKCLcPFZsidLPWVmM15vEn2Z9cRUj_y2Tjx0F8tN1__7x337ODLz1BUMDZDfa2bMvWErWBp_sZFyvwTSSfbe6bnuJSjhzSzTkw/s400/Antivirus_Installer.jpg)
A machine infected with AnVi.FakeCog shows the following files:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEpcIuDZmn9aAJdUTs2APKSImR-GaLqvGMYGY6c-m-LWWbQheHQJdKjr-cY6koaf1W5NeLCyUdjBfMZJUJ5pMxQAGSdL8nx4AynUFIM_jKOY3hkRcIk0Qdu_YzRIIsfQy04X0lRistyME/s400/Antivirus_Files.jpg)
Files and directories installed:
- c:\Program Files\AnVi\
- c:\Program Files\AnVi\about.ico
- c:\Program Files\AnVi\activate.ico
- c:\Program Files\AnVi\avt.db
- c:\Program Files\AnVi\avt.exe
- c:\Program Files\AnVi\avtext.dll
- c:\Program Files\AnVi\avthook.dll
- c:\Program Files\AnVi\buy.ico
- c:\Program Files\AnVi\help.ico
- c:\Program Files\AnVi\scan.ico
- c:\Program Files\AnVi\settings.ico
- c:\Program Files\AnVi\splash.mp3
- c:\Program Files\AnVi\Uninstall.exe
- c:\Program Files\AnVi\update.ico
- c:\Program Files\AnVi\virus.mp3
- %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus.lnk
- %UserProfile%\Desktop\Antivirus Support.lnk
- %UserProfile%\Desktop\Antivirus.lnk
- %UserProfile%\Desktop\nudetube.com.lnk
- %UserProfile%\Desktop\pornotube.com.lnk
- %UserProfile%\Desktop\spam001.exe
- %UserProfile%\Desktop\spam003.exe
- %UserProfile%\Desktop\troj000.exe
- %UserProfile%\Desktop\youporn.com.lnk
- %UserProfile%\Local Settings\Temp\wmsdk64_32.exe
- %UserProfile%\Local Settings\Temp\wscsvc32.exe
- %UserProfile%\Start Menu\Programs\AnVi\
- %UserProfile%\Start Menu\Programs\AnVi\About.lnk
- %UserProfile%\Start Menu\Programs\AnVi\Activate.lnk
- %UserProfile%\Start Menu\Programs\AnVi\Antivirus Support.lnk
- %UserProfile%\Start Menu\Programs\AnVi\Antivirus.lnk
- %UserProfile%\Start Menu\Programs\AnVi\Buy.lnk
- %UserProfile%\Start Menu\Programs\AnVi\Scan.lnk
- %UserProfile%\Start Menu\Programs\AnVi\Settings.lnk
- %UserProfile%\Start Menu\Programs\AnVi\Update.lnk
Registry changes:
- HKEY_CURRENT_USER\Software\Malware Defense
- HKEY_CURRENT_USER\Software\Paladin Antivirus
- HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}
- HKEY_LOCAL_MACHINE\SOFTWARE\AnVi
- HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Antivirus
- HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Antivirus"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "wmsdk64_32.exe"
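As an added example that is not part of the original post, the following read-only PowerShell triage script checks a machine for the file and registry artifacts listed above. The paths and Run value names are taken from the post; the script assumes the XP-style profile layout those paths use and reports findings without removing anything.

```powershell
# Added example (not from the original post): read-only triage check for the
# AnVi.FakeCog artifacts listed above. It reports what it finds and removes nothing.
# Assumes the XP-style profile layout the listed paths use; on later Windows the
# "Local Settings" junction may not resolve and those checks will simply miss.
$ErrorActionPreference = 'SilentlyContinue'

$programDir = Join-Path $env:ProgramFiles 'AnVi'
$files = @(
    (Join-Path $programDir 'avt.exe'),
    (Join-Path $programDir 'avt.db'),
    (Join-Path $programDir 'avtext.dll'),
    (Join-Path $programDir 'avthook.dll'),
    (Join-Path $env:USERPROFILE 'Local Settings\Temp\wmsdk64_32.exe'),
    (Join-Path $env:USERPROFILE 'Local Settings\Temp\wscsvc32.exe'),
    (Join-Path $env:USERPROFILE 'Desktop\Antivirus.lnk'),
    (Join-Path $env:USERPROFILE 'Desktop\troj000.exe')
)

$keys = @(
    'HKLM:\SOFTWARE\AnVi',
    'HKLM:\SOFTWARE\Malware Defense',
    'HKLM:\SOFTWARE\Paladin Antivirus',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Antivirus',
    'HKCU:\Software\Malware Defense',
    'HKCU:\Software\Paladin Antivirus',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}'
)

# Run values the post lists; the value data is the executable that would autostart.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValues = @('Antivirus', 'wmsdk64_32.exe')

$hits = @()
foreach ($f in $files) { if (Test-Path -LiteralPath $f) { $hits += "file: $f" } }
foreach ($k in $keys)  { if (Test-Path -LiteralPath $k) { $hits += "key:  $k" } }
foreach ($v in $runValues) {
    # Get-ItemProperty yields $null for a missing value under SilentlyContinue
    $data = (Get-ItemProperty -Path $runKey -Name $v).$v
    if ($null -ne $data) { $hits += "run:  $v -> $data" }
}

if ($hits.Count -eq 0) {
    Write-Output 'No AnVi.FakeCog artifacts found.'
} else {
    Write-Output "Found $($hits.Count) AnVi.FakeCog artifact(s):"
    $hits | ForEach-Object { Write-Output "  $_" }
}
```

Run it from the infected user's session, since the %UserProfile% and HKEY_CURRENT_USER artifacts are per-user.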
How to remove AnVi.FakeCog:
If AnVi.FakeCog has infected your PC, you should remove it immediately. Click here to use VIPRE to remove AnVi.FakeCog from your computer now.
You know, the writers of 'AnVi' didn't encrypt a piece of code.