Win32/Adware.SafetyAntiSpyware [Threat Name]

Win32/Adware.SafetyAntiSpyware.A [Threat Variant Name]

Category: adware, riskware
Size: 859136 B
Detection created: Dec 11, 2009
Detection database version: 4679
Aliases: Rogue:Win32/FakeRean (Microsoft)

Short description

Win32/Adware.SafetyAntiSpyware.A is a rogue antivirus. The file is run-time compressed using MPress.

Installation

The adware does not create any copies of itself.


In order to be executed on every system start, the adware sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Internet Security" = "%malwarefilepath%"

The adware may create the following files:

  • %appdata%\Microsoft\Internet Explorer\Quick Launch\Internet Security.lnk
  • %desktop%\Internet Security.lnk
  • %startmenu%\Internet Security.lnk

These are shortcuts to files of the adware.
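A defender-side check for the autostart value and shortcuts listed above, as an added example that is not part of the original description or the vendor's tooling. The value name, shortcut names and file size come from this page; the function names and the mapping of %desktop% and %startmenu% to the current user's shell folders are assumptions.

```powershell
# Added example. Names and size come from the page; mapping %desktop% and
# %startmenu% to the current user's shell folders is an assumption.
$ValueName   = 'Internet Security'
$SampleBytes = 859136   # size the page lists for this variant

# Hypothetical helper: records one artifact and, if its target file exists,
# compares the file size with the size given on the page.
function New-Finding([string]$Type, [string]$Location, [string]$Target) {
    $file = $Target.Trim('"')
    $size = $null
    if ($file -and (Test-Path -LiteralPath $file -PathType Leaf)) {
        $size = (Get-Item -LiteralPath $file).Length
    }
    [pscustomobject]@{
        Type = $Type; Location = $Location; Target = $Target
        TargetBytes = $size; SizeMatchesPage = ($size -eq $SampleBytes)
    }
}

function Get-RogueAvArtifact {
    # Autostart value under the current user's Run key
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($run) {
        New-Finding 'RunValue' "$runKey\$ValueName" ([string]$run.$ValueName)
    }

    # Shortcut locations listed on the page
    $folders = @(
        (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch'),
        ([Environment]::GetFolderPath('Desktop')),
        ([Environment]::GetFolderPath('StartMenu'))
    )
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in $folders) {
        $lnk = Join-Path $folder "$ValueName.lnk"
        if (Test-Path -LiteralPath $lnk -PathType Leaf) {
            # CreateShortcut on an existing .lnk loads it, exposing its target
            New-Finding 'Shortcut' $lnk ($shell.CreateShortcut($lnk).TargetPath)
        }
    }
}

Get-RogueAvArtifact | Format-List
```

"Internet Security" is a generic name, so a hit is a lead to confirm by inspecting the target file rather than proof of this variant; the check covers only the profile of the user running it.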


The adware terminates its execution if it detects that it's running in a specific virtual environment.

Other information

The adware displays fake warnings about threats detected on the compromised computer that need to be removed.


The problems/threats are fake.


The goal of the program is to persuade the user to purchase the product.


The adware contains a list of (6) URLs. The HTTP protocol is used.


The adware keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\%variable%\Regcode]
  • [HKEY_CURRENT_USER\%variable%\Dl'hm]
  • [HKEY_CURRENT_USER\%variable%\FRun]
  • [HKEY_CURRENT_USER\%variable%\O'ld]
  • [HKEY_CURRENT_USER\%variable%\Q\ui]
  • [HKEY_CURRENT_USER\%variable%\Update]

A string with variable content is used instead of %variable%.
