Rogue:Win32/InternetAntivirus Fake webster program actually very online to be downloaded and running under perfomance of windows.

Posted by cartoon-blogger-rafaell, 4 months ago

Win32/InternetAntivirus is a rogue program that displays false and misleading alerts regarding malware to convince you to buy rogue security software. This threat also displays a fake Windows Security Center message.

Raf found his keys by a debug unpacker upx and PE Explorer

Win32/InternetAntivirus can have the following brands:

  • Personal Antivirus
  • General Antivirus
  • Internet Antivirus Pro
  • Live Enterprise Suite
  • Live Security Suite
  • Ghost Antivirus

 Win32/InternetAntivirus is usually installed by a downloader with the file name install.exe. When run, this file downloads the following two files to your PC:

    %CommonProgramFiles% \InternetAntivirusPro.exe - Trojan:Win32/InternetAntivirus installer
    %CommonProgramFiles% \file.exe - detected as TrojanSpy:Win32/Chadem.A; this trojan steals sensitive information from PCs

He downloads a encrypted setup file which cannot be extracted and installed easy.

The installer then runs both of these files. It runs InternetAntivirusPro.exe with command line options to enable it to be silently installed.

The installer then runs both of these files. It runs InternetAntivirusPro.exe with command line options to enable it to be silently installed.

Win32/InternetAntivirus might create the following files:

    %ProgramFiles% \Internet Antivirus Pro\working.log
    %ProgramFiles% \Internet Antivirus Pro\uninstall.ico
    %ProgramFiles% \Internet Antivirus Pro\unins000.dat
    %ProgramFiles% \Internet Antivirus Pro\Languages\IAIt.lng
    %ProgramFiles% \Internet Antivirus Pro\Languages\IAGer.lng
    %ProgramFiles% \Internet Antivirus Pro\Languages\IAFr.lng
    %ProgramFiles% \Internet Antivirus Pro\Languages\IAEs.lng
    %ProgramFiles% \Internet Antivirus Pro\IAPro.exe
    %ProgramFiles% \Internet Antivirus Pro\Explorer.ico
    %ProgramFiles% \Internet Antivirus Pro\db\ia080614.db
    %ProgramFiles% \Internet Antivirus Pro\db\DBInfo.ver
    %ProgramFiles% \Internet Antivirus Pro\activate.ico
    %CommonProgramFiles% \Internet Antivirus Pro\Purchase License.lnk
    %CommonProgramFiles% \Internet Antivirus Pro\Internet Antivirus Pro.lnk
    %CommonProgramFiles% \Internet Antivirus Pro\Internet Antivirus Pro Home Page.lnk
    <desktop folder>\Internet Antivirus Pro.lnk
    %LOCALAPPDATA% \Microsoft\Windows\services.exe
    %LOCALAPPDATA% \Microsoft\Windows\pguard.ini
    %APPDATA% \Microsoft\Internet Explorer\Quick Launch\Internet Antivirus Pro.lnk
    %APPDATA% \Internet Antivirus Pro\Uninstall Internet Antivirus Pro.lnk
    %APPDATA% \Internet Antivirus Pro\unins000.exe
    %APPDATA% \Internet Antivirus Pro\uill.ini
    %APPDATA% \Internet Antivirus Pro\settings.ini
    %APPDATA% \Internet Antivirus Pro\db\Urls.inf
    %APPDATA% \Internet Antivirus Pro\db\Timeout.inf
    %APPDATA% \Internet Antivirus Pro\db\config.cfg

It creates this registry entry to run the fake scanner each time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Internet Antivirus Pro"
With data: "%ProgramFiles%\Internet Antivirus Pro\IAPro.exe"

It Show Fake Blue screen fake pop ups alert exaggered scan hijack google and block website and rediect to payment page.

Win32/InternetAntivirus shows a fake copy of the Windows Security Center, along with an icon in the system tray that shows pop-up warnings. Clicking the recommendations launches an Internet Explorer window to show the purchase web page previously mentioned.  The fake security center depends on your XP VISTA OS

Win32/InternetAntivirus might also create an uninstall entry in the registry: