Win32/Adware.AntimalwareDoctor [Threat Name]

Win32/Adware.AntimalwareDoctor.AH [Threat Variant Name]

Category adware
Size 1970688 B
Detection created Jul 21, 2011
Detection database version 6312
Aliases Trojan.Win32.Menti.hrok (Kaspersky)
  Rogue:Win32/FakeYak (Microsoft)
  DNSChanger.cq.e.trojan (McAfee)
Short description

Win32/Adware.AntimalwareDoctor.AH is a rogue antivirus. The goal of the program is to persuade the user to purchase the product.

Installation

The adware does not create any copies of itself.


The adware creates the following files:

  • %desktop%\Zentom System Guard.lnk
  • %startmenu%\Zentom System Guard.lnk
  • %startmenu%\Programs\Zentom System Guard\Zentom System Guard.lnk
  • %startmenu%\Programs\Zentom System Guard\Uninstall.lnk
  • %appdata%\Microsoft\Internet Explorer\Quick Launch\Zentom System Guard.lnk
  • %startup%\Zentom System Guard.lnk

These are shortcuts to files of the adware.


The adware creates the following files:

  • %currentfolder%\enemies-names.txt (28842 B)
  • %currentfolder%\hookdll.dll (16896 B, Win32/Adware.AntimalwareDoctor.AH)
  • %currentfolder%\lsrslt.ini
  • %currentfolder%\local.ini

The following Registry entries are created:

  • [HKEY_CURRENT_USER\Software\ZentomSystemGuard\Zentom System Guard]
    • "datarl1" = "KRoAGVdOQwQOHhMhHE0dAQ=="
    • "datarl2" = "KRoAGVdOQxEKHxxwW00dAQ=="
    • "install_time" = "%variable1%"
    • "database_version" = "%variable2%"
    • "virus_signatures" = "%variable3%"
    • "inst" = "ok"
    • "coid" = "%variable4%"
    • "affid" = "7070010200"
    • "url_update_time" = "%variable5%"
    • "LastScan" = "%variable6%"
    • "datarlA" = ""
    • "nsa" = %variable7%
    • "ns" = %variable8%
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Zentom System Guard]
    • "DisplayIcon" = "%module_path%,0"
    • "DisplayName" = "Zentom System Guard"
    • "UninstallString" = "%malwarepath% /uninstall"
    • "InstallLocation" = ""%malwarefolder%"
    • "NoModify" = 1
    • "NoRepair" = 1

In order to be executed on every system start, the adware sets the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%malwarefilename%" = "%malwarepath%"

The adware may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\ZentomSystemGuard\Zentom System Guard]
    • "RegistrationCode" = "%variable9%"
    • "email" = "%variable10%"
    • "order_id" = "%variable11%"
    • "Settings1" = "%variable12%"
    • "Settings2" = "%variable12%"
    • "Settings3" = "%variable12%"
    • "Settings4" = "%variable12%"
    • "Antivirus" = "%variable12%"
    • "AutoUpdate" = "%variable12%"
    • "Firewall" = "%variable12%"
    • "RAM" = "%variable12%"
    • "ScheduleScan" = "%variable12%"
    • "Spyware" = "%variable12%"
    • "Update1" = "%variable12%"
    • "Update2" = "%variable12%"
    • "Update3" = "%variable12%"
    • "Update4" = "%variable12%"
    • "Update5" = "%variable12%"

A string with variable content is used instead of %variable1-11%.

The %variable12% is one of the following strings:

  • 0
  • 1

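
The installation artifacts above (the two HKCU keys, the dropped shortcuts, the companion files next to the binary and the HKCU Run entry) are what a responder would check for on a suspect host. The following read-only hunt script is an added example, not ESET's code or tooling: it resolves the %desktop%, %startmenu%, %startup% and %appdata% placeholders through the .NET special-folder API, and, because every listed key lives under HKEY_CURRENT_USER, it only sees the profile of the user it runs as. The function name and the output format are my own; the key names, value names and file names are taken from this entry.

```powershell
# Added example: read-only hunt for the artifacts listed in this entry.
# Not ESET code; assumes it runs in the context of the affected user (HKCU).
function Find-ZentomArtifacts {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Registry keys the entry says the adware creates
    $keys = @(
        'HKCU:\Software\ZentomSystemGuard\Zentom System Guard',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\Zentom System Guard'
    )
    foreach ($key in $keys) {
        if (Test-Path -LiteralPath $key) {
            $findings.Add("registry key: $key")
            $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
            # 'affid' ties the sample to a campaign, 'UninstallString' reveals %malwarepath%
            foreach ($name in 'affid', 'inst', 'UninstallString', 'DisplayName') {
                if ($null -ne $props.$name) { $findings.Add("  $name = $($props.$name)") }
            }
        }
    }

    # 2. Shortcut files dropped into the user profile (placeholders resolved via .NET)
    $lnk = 'Zentom System Guard.lnk'
    $lnkPaths = @(
        (Join-Path ([Environment]::GetFolderPath('Desktop'))   $lnk),
        (Join-Path ([Environment]::GetFolderPath('StartMenu')) $lnk),
        (Join-Path ([Environment]::GetFolderPath('Programs'))  "Zentom System Guard\$lnk"),
        (Join-Path ([Environment]::GetFolderPath('Programs'))  'Zentom System Guard\Uninstall.lnk'),
        (Join-Path ([Environment]::GetFolderPath('Startup'))   $lnk),
        (Join-Path ([Environment]::GetFolderPath('ApplicationData')) "Microsoft\Internet Explorer\Quick Launch\$lnk")
    )
    foreach ($p in $lnkPaths) {
        if (Test-Path -LiteralPath $p) { $findings.Add("shortcut: $p") }
    }

    # 3. Persistence: walk every HKCU Run value and flag the executable when its
    #    folder also holds the %currentfolder% companion files from the entry.
    $companions = 'hookdll.dll', 'enemies-names.txt', 'lsrslt.ini', 'local.ini'
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path -LiteralPath $runKey) {
        $run = Get-ItemProperty -LiteralPath $runKey
        foreach ($prop in $run.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not Run values
            # Strip surrounding quotes and trailing arguments to isolate the executable path
            $exe = ([string]$prop.Value).Trim()
            if ($exe.StartsWith('"')) { $exe = $exe.Substring(1).Split('"')[0] }
            else { $exe = $exe.Split(' ')[0] }
            $dir = Split-Path -Path $exe -Parent -ErrorAction SilentlyContinue
            if (-not $dir) { continue }
            $hits = @($companions | Where-Object { Test-Path -LiteralPath (Join-Path $dir $_) })
            # The entry names the Run value after the file itself; that alone is only a
            # weak signal, so the companion files decide whether to report it.
            $nameMatchesFile = ($prop.Name -eq (Split-Path -Path $exe -Leaf))
            if ($hits.Count -gt 0) {
                $findings.Add("run entry: '$($prop.Name)' -> $exe (companions: $($hits -join ', '); name matches file: $nameMatchesFile)")
            }
        }
    }
    return $findings
}

# Usage: prints one line per artifact found; an empty result means none of the
# listed indicators are present for the current user.
Find-ZentomArtifacts
```

The script deliberately does not delete anything: the Run value and the Uninstall key point at %malwarepath%, so the output is the starting point for acquiring the binary and hookdll.dll before any cleanup, and for checking other user profiles on the same machine, which this HKCU-scoped check cannot see.
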
Other information

Win32/Adware.AntimalwareDoctor.AH is a rogue antivirus.


The adware displays fake warnings about threats detected on the compromised computer that need to be removed.


Some examples follow.

The goal of the program is to persuade the user to purchase the product.


The adware can download and execute a file from the Internet.


The adware contains a list of (12) URLs. The HTTP protocol is used.
