By Andrew Brandt and Brenden Vaughan
Our Advanced Malware Removal group reported seeing several cases of a rogue called Antivirus Center this past week. The rogue isn’t new – we began seeing samples of it last year – but has re-emerged as a threat.
This rogue is characterized by a close mimicry of some aspects of Microsoft’s free Windows Defender product, including the use of a program icon that looks like a castle, as well as some distinctive characteristics of its active file components. For example, the rogue’s application consistently uses a naming convention that looks like a long string of random alphanumeric characters, with a .dat extension, located in the Application Data folder of the “All Users” profile. As we’ve written before, no programs should run from the Application Data folder, so anything in that location is automatically suspect.
That said, it’s still going through the same stupid rogue AV motions, with all the exaggerated detections and predictably hilarious bad grammar we’ve come to expect. Read on for more details.
The file’s name, while random, is readily identifiable because it always groups the random characters in the filename the same way. As you can see, the name of both the malware executable and its icon file use a group of eight characters, then three groups of four, then a group of 12 characters, each group separated by hyphens. This 8-4-4-4-12.dat pattern makes it very easy to spot, especially because it’s always in the “All Users” version of the Application Data folder.
Even the “purchase” process emulates the activation procedure used by Microsoft for Windows and other products. Though in the end, you’re still just led to a Web page where you’re asked to pay a whopping $80 for this sham (a $50 discount off previous frauds).
Antivirus Center also creates copies of itself in the current user’s Local Settings\Temp folder, named mv2.tmp and wrk3.tmp, as well as a copy of its icon named ins1.tmp. (The main rogue file in the screenshot below was renamed for the sake of clarity.)
If you click the Help menu within Antivirus Center, a compressed help file named hlp4.tmp.chm appears in the same Temp folder location. The “license” part of the help file tells you to head to Microsoft’s Web site and search for “Antivirus Center license terms” for more details. Needless to say, that would be a pointless exercise.
The rogue adds a Run key for itself under the HKEY_CURRENT_USER hive. The rogue’s executable is actually a DLL, even though it uses a .dat extension, so the Run entry launches the legitimate Windows utility rundll32.exe and passes the rogue’s filename to it as a parameter; rundll32.exe then loads the DLL and the rogue starts.
If you find yourself infected with this rogue, start the computer in Safe Mode with Networking (the rogue won’t execute), and you should be able to perform a full sweep to remove it.
The only other registry entry it creates is a firewall exception for rundll32.exe, which allows the rogue to connect to its “buy the license key” Web site.
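As an added example (not code from the original post), the following Python checks the artifacts described above offline: a Run value that launches rundll32.exe against an 8-4-4-4-12 .dat file in the All Users Application Data folder, the Temp-folder copies, and a firewall exception for rundll32.exe. The sample Run values, Temp listing and firewall entries are constructed, and the DLL entry-point name is made up because the post does not give it.

```python
import re

# 8-4-4-4-12 groups of alphanumerics ending in .dat, as described in the post
DAT_PATTERN = re.compile(
    r'[A-Za-z0-9]{8}(?:-[A-Za-z0-9]{4}){3}-[A-Za-z0-9]{12}\.dat$', re.IGNORECASE)
# the "All Users" profile's Application Data folder (XP-era path layout)
ALL_USERS_APPDATA = re.compile(r'\\all users\\application data\\', re.IGNORECASE)
# Temp-folder copies and the help file named in the post
TEMP_ARTIFACTS = {"mv2.tmp", "wrk3.tmp", "ins1.tmp", "hlp4.tmp.chm"}

def rundll32_module(command):
    """Return the module rundll32.exe is told to load, or '' if the command
    does not invoke rundll32 (expected form: rundll32.exe "<dll>",<entry>)."""
    m = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+)', command, re.IGNORECASE)
    return m.group(1).strip() if m else ""

def run_value_findings(command):
    """Reasons an HKCU ...\\CurrentVersion\\Run command resembles Antivirus Center."""
    module = rundll32_module(command)
    findings = []
    if module and ALL_USERS_APPDATA.search(module):
        findings.append("rundll32 loads a module from All Users\\Application Data")
    if module and DAT_PATTERN.search(module):
        findings.append("module name follows the 8-4-4-4-12 .dat pattern")
    return findings

def temp_artifacts(filenames):
    """Temp-folder entries whose names match the rogue's known copies."""
    return sorted(n.lower() for n in filenames if n.lower() in TEMP_ARTIFACTS)

def rundll32_in_firewall_list(authorized_apps):
    """True if rundll32.exe itself has an authorized-application exception."""
    return any(r"\rundll32.exe" in p.lower() for p in authorized_apps)

# Constructed sample data (not real indicators): one rogue-style Run value,
# one benign one, a Temp listing and an XP-style firewall authorized-apps list.
SAMPLE_RUN_VALUES = {
    "Antivirus Center": r'rundll32.exe "C:\Documents and Settings\All Users\Application Data'
                        r'\a1b2c3d4-e5f6-a7b8-c9d0-e1f2a3b4c5d6.dat",Start',  # entry name made up
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
SAMPLE_TEMP = ["mv2.tmp", "~DF1234.tmp", "WRK3.TMP", "hlp4.tmp.chm", "ins1.tmp"]
SAMPLE_FIREWALL = [r"%windir%\system32\rundll32.exe:*:Enabled:rundll32",
                   r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"]

def audit(run_values=SAMPLE_RUN_VALUES, temp=SAMPLE_TEMP, firewall=SAMPLE_FIREWALL):
    """Combine the three checks into one report; empty/False means nothing found."""
    return {
        "run_values": {n: f for n, c in run_values.items() if (f := run_value_findings(c))},
        "temp_artifacts": temp_artifacts(temp),
        "rundll32_firewall_exception": rundll32_in_firewall_list(firewall),
    }
```

On a live XP-era machine the same functions can be fed the values read from the HKCU Run key, the user's Local Settings\Temp listing, and the firewall policy's authorized-applications list.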
Here are some examples of the program’s active windows.
And these are some of the warning messages you’re likely to see. Keep offa my treats, rogue!