VIRUS ALERTS

Trojan:Win32/InternetAntivirus

Original issue date: July 02, 2009

It has been observed that Trojan:Win32/InternetAntivirus is circulating widely. It is a rogue security program that displays fake warning messages indicating that "spyware or malware has been detected on the machine" in order to convince users to purchase rogue security software. It also impersonates the Windows Security Center.

Trojan:Win32/InternetAntivirus has been distributed with the following names:

  • Personal Antivirus
  • General Antivirus
  • Internet Antivirus Pro

Aliases:

  • InternetAntivirus (Symantec)
  • General Antivirus (other)
  • Personal Antivirus (other)
  • not-a-virus:FraudTool:Win32.GeneralAntivirus.b (Kaspersky)
  • Mal/FakeAV-AC (Sophos)
  • TrojanDownloader:Win32/Renos.gen!Z (other)
  • Fraudtool.GeneralAntivirus.C (VirusBuster)

Trojan:Win32/InternetAntivirus is usually installed by a downloader that has been distributed with the file name "install.exe" or downloaded from remote sites.

Upon execution, Trojan:Win32/InternetAntivirus performs the following activities:

  • Creates the following files:
    • %COMMONFILES%\InternetAntivirusPro.exe (the Trojan:Win32/InternetAntivirus InnoSetup installer)
    • %COMMONFILES%\file.exe (detected as TrojanSpy:Win32/Chadem.A, a trojan used to steal sensitive information from the affected machine)
    • %PROGRAM_FILES%\Internet Antivirus Pro\working.log
    • %PROGRAM_FILES%\Internet Antivirus Pro\uninstall.ico
    • %PROGRAM_FILES%\Internet Antivirus Pro\unins000.dat
    • %PROGRAM_FILES%\Internet Antivirus Pro\Languages\IAIt.lng
    • %PROGRAM_FILES%\Internet Antivirus Pro\Languages\IAGer.lng
    • %PROGRAM_FILES%\Internet Antivirus Pro\Languages\IAFr.lng
    • %PROGRAM_FILES%\Internet Antivirus Pro\Languages\IAEs.lng
    • %PROGRAM_FILES%\Internet Antivirus Pro\IAPro.exe
    • %PROGRAM_FILES%\Internet Antivirus Pro\Explorer.ico
    • %PROGRAM_FILES%\Internet Antivirus Pro\db\ia080614.db
    • %PROGRAM_FILES%\Internet Antivirus Pro\db\DBInfo.ver
    • %PROGRAM_FILES%\Internet Antivirus Pro\activate.ico
    • %COMMON_PROGRAMS%\Internet Antivirus Pro\Purchase License.lnk
    • %COMMON_PROGRAMS%\Internet Antivirus Pro\Internet Antivirus Pro.lnk
    • %COMMON_PROGRAMS%\Internet Antivirus Pro\Internet Antivirus Pro Home Page.lnk
    • %COMMON_DESKTOP%\Internet Antivirus Pro.lnk
    • %LOCALAPPDATA%\Microsoft\Windows\services.exe
    • %LOCALAPPDATA%\Microsoft\Windows\pguard.ini
    • %APPDATA%\Microsoft\Internet Explorer\Quick Launch\Internet Antivirus Pro.lnk
    • %APPDATA%\Internet Antivirus Pro\Uninstall Internet Antivirus Pro.lnk
    • %APPDATA%\Internet Antivirus Pro\unins000.exe
    • %APPDATA%\Internet Antivirus Pro\uill.ini
    • %APPDATA%\Internet Antivirus Pro\settings.ini
    • %APPDATA%\Internet Antivirus Pro\db\Urls.inf
    • %APPDATA%\Internet Antivirus Pro\db\Timeout.inf
    • %APPDATA%\Internet Antivirus Pro\db\config.cfg

  • Creates the following registry entries, including Run and RunOnce values so that it executes whenever Windows starts:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Internet Antivirus" = ""C:\program files\Internet Antivirus\IAvir.exe" /s"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\"3P_UDEC_IA:" = ""[Installer Path]\IAInstall.exe" 0;C;"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\"iv:" = """C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\iv.exe"""
    • HKEY_ALL_USERS\Software\Microsoft\Internet Explorer\"PrS" = "http://ia-payment.com/presalepage/index.php?prod_id=9&site_id=278&uid=0&mashineid=d6131e201835d159aee310b2f36caf41&errors=0&nid=fd2204ecad_0"
    • HKEY_ALL_USERS\Software\Microsoft\Internet Explorer\"prob" = "32"
    • HKEY_ALL_USERS\Software\Microsoft\Internet Explorer\"ParameterName" = "iv"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Antivirus_is1

  • Displays false or exaggerated system security threats and detections on the machine. See the screenshots given below (Source: Microsoft).

The user is then prompted to activate and pay for a full license of the application in order to remove the threats.

  • Drops a component to C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\<variable-name.exe> (detected as TrojanDownloader:Win32/FakeIA.A). This folder normally holds only the DPAPI master keys of the SYSTEM account, so the presence of any executable in it is itself a strong indicator of infection. The component injects code into Internet Explorer and periodically displays the following page instead of the web page the user was attempting to view:

The "click here" link directs the browser to a purchase page for Win32/InternetAntivirus:

  • Displays a fake copy of the Windows Security Center, along with an icon in the system tray that shows popup warnings. Clicking the "recommendations" link launches an Internet Explorer window that displays the purchase web page mentioned above.

Removal:

  • Temporarily disable System Restore, so that infected files saved in restore points are not restored after cleaning.
  • Update the virus definitions.
  • Reboot the computer in Safe Mode.
  • Run a full system scan and clean/delete all infected file(s).
  • Delete the registry values listed above (the Run, RunOnce and Policies\Explorer\Run entries) and the Uninstall key, and remove any remaining files from the locations listed above.
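The following PowerShell script is an added example, not part of the CERT-In advisory or of any vendor tool. It checks a Windows host for the file and registry indicators listed in this alert, read-only, so that an analyst can confirm an infection before cleaning and verify that nothing remains afterwards. It expands the advisory's %PLACEHOLDER% paths to the host's real folders, handles the variable-named FakeIA.A dropper by listing any executable under the Protect\S-1-5-18 folder, and assumes (since HKEY_ALL_USERS is not a PowerShell drive) that the HKEY_ALL_USERS values are visible under the current user's hive, HKCU.

```powershell
# Added example (not part of the CERT-In advisory): report the file and registry
# indicators of Trojan:Win32/InternetAntivirus on this host. Read-only; it does not
# remove anything. Run from an elevated prompt so HKLM and all-user folders are readable.

$commonPrograms = [Environment]::GetFolderPath('CommonPrograms')
$commonDesktop  = [Environment]::GetFolderPath('CommonDesktopDirectory')

# File indicators from the advisory, with %PLACEHOLDER% expanded to this host's paths.
$filePaths = @(
    "$env:CommonProgramFiles\InternetAntivirusPro.exe",
    "$env:CommonProgramFiles\file.exe",
    "$env:ProgramFiles\Internet Antivirus Pro\IAPro.exe",
    "$env:ProgramFiles\Internet Antivirus Pro\working.log",
    "$env:ProgramFiles\Internet Antivirus Pro\db\ia080614.db",
    "$env:ProgramFiles\Internet Antivirus\IAvir.exe",
    "$commonPrograms\Internet Antivirus Pro\Purchase License.lnk",
    "$commonDesktop\Internet Antivirus Pro.lnk",
    "$env:LOCALAPPDATA\Microsoft\Windows\services.exe",
    "$env:LOCALAPPDATA\Microsoft\Windows\pguard.ini",
    "$env:LOCALAPPDATA\Microsoft\Internet Explorer\iv.exe",
    "$env:APPDATA\Internet Antivirus Pro\settings.ini",
    "$env:APPDATA\Internet Antivirus Pro\db\config.cfg"
)

# Registry indicators: key path plus the value name the malware writes.
# Assumption: the advisory's HKEY_ALL_USERS entries are checked under HKCU here.
$regValues = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';                  Name = 'Internet Antivirus' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce';              Name = '3P_UDEC_IA:' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Name = 'iv:' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer';                            Name = 'PrS' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer';                            Name = 'ParameterName' }
)
$regKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Antivirus_is1')

$findings = @()

foreach ($p in $filePaths) {
    if (Test-Path -LiteralPath $p) {
        $findings += [pscustomobject]@{ Type = 'File'; Indicator = $p; Detail = (Get-Item -LiteralPath $p).LastWriteTime }
    }
}

foreach ($r in $regValues) {
    if (Test-Path -LiteralPath $r.Key) {
        # Returns $null when the value is absent, so only real hits are recorded.
        $v = Get-ItemProperty -LiteralPath $r.Key -Name $r.Name -ErrorAction SilentlyContinue
        if ($null -ne $v) {
            $findings += [pscustomobject]@{ Type = 'RegValue'; Indicator = "$($r.Key)\$($r.Name)"; Detail = $v.($r.Name) }
        }
    }
}

foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath $k) {
        $findings += [pscustomobject]@{ Type = 'RegKey'; Indicator = $k; Detail = '' }
    }
}

# The FakeIA.A downloader is dropped with a variable name under the SYSTEM account's
# DPAPI master-key folder, which normally contains no executables, so any *.exe there is suspect.
$protectDir = "$env:SystemRoot\System32\Microsoft\Protect\S-1-5-18"
if (Test-Path -LiteralPath $protectDir) {
    Get-ChildItem -LiteralPath $protectDir -Filter *.exe -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings += [pscustomobject]@{ Type = 'File'; Indicator = $_.FullName; Detail = $_.LastWriteTime }
        }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Trojan:Win32/InternetAntivirus indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it once before cleaning to record what is present (the LastWriteTime column gives a rough installation time for the incident record) and again after the Safe Mode scan and registry cleanup; a second run that reports no indicators is the confirmation the removal steps above ask for.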

In view of the rapid propagation of Trojan:Win32/InternetAntivirus, users are advised to implement the following countermeasures:

  • Exercise caution while opening e-mail attachments and clicking on links to web pages received from unknown sources.
  • Keep up-to-date patches and fixes on the operating system and application software.
  • Keep up-to-date Antivirus and Antispyware signatures
  • Identify and remove rogue software from the system. A list of known rogue anti-virus/anti-spyware products is given in the rogue software reference below.

References

http://www.microsoft.com/security/portal/Entry.aspx?name=Trojan%3aWin32%2fInternetAntivirus

http://www.symantec.com/security_response/writeup.jsp?docid=2008-081212-1113-99&tabid=3

http://www.sunbeltsecurity.com/ThreatDisplay.aspx?tid=4127099&cs=2A9ECC22449CA28A04EE95B52F1732AE

http://www.microsoft.com/security/portal/Entry.aspx?Name=TrojanSpy:Win32/Chadem.A

http://www.microsoft.com/security/portal/Entry.aspx?Name=Trojan:Win32/FakeIA.A

http://en.wikipedia.org/wiki/Rogue_software

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information
Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003