Win32/Adware.WinAntiVirus [Threat Name]

Win32/Adware.WinAntiVirus.AB [Threat Variant Name]

Category: adware
Size: 2420224 B
Detection created: Jul 24, 2011
Detection database version: 6320
Aliases: Rogue:Win32/FakeScanti (Microsoft), FakeAV.RXW (AVG), Win32:Cycbot-JC (Avast)

Short description

Win32/Adware.WinAntiVirus.AB is a rogue antivirus.

Installation

When executed, the adware copies itself into the following location:

  • %appdata%\OpenCloud Antivirus\OpenCloud Antivirus.exe

The adware creates the following files:

  • %appdata%\OpenCloud Antivirus\OpenCloud Antivirus.ico
  • %appdata%\OpenCloud Antivirus\wf.conf
  • %desktop%\OpenCloud Antivirus.lnk
  • %commonstartmenu%\OpenCloud Antivirus\OpenCloud Antivirus.lnk

Other information


The adware displays fake warnings claiming that threats were detected on the compromised computer and need to be removed. The reported problems/threats are fake.


Some examples follow.

The adware contains a list of 4 URLs. It tries to download a file from these addresses.


The file is stored in the following location:

  • %appdata%\OpenCloud Antivirus\sysl32.dll

The file is then executed.
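
An added example, not part of the original description or of ESET's tooling: a Python sweep of a mounted Windows volume for the files listed under Installation and for the downloaded sysl32.dll. The expansion of %appdata%, %desktop% and %commonstartmenu% into concrete directories (Vista-and-later and XP layouts) is an assumption, as are the names `sweep` and `find_ci`.

```python
from pathlib import Path

# Artifact paths from the description, relative to the placeholder they use.
ARTIFACTS = {
    "appdata": ["OpenCloud Antivirus/OpenCloud Antivirus.exe",
                "OpenCloud Antivirus/OpenCloud Antivirus.ico",
                "OpenCloud Antivirus/wf.conf",
                "OpenCloud Antivirus/sysl32.dll"],
    "desktop": ["OpenCloud Antivirus.lnk"],
    "commonstartmenu": ["OpenCloud Antivirus/OpenCloud Antivirus.lnk"],
}

# Assumed expansion of the placeholders (Vista+ and XP layouts); "*" = any profile.
LAYOUTS = {
    "appdata": ["Users/*/AppData/Roaming", "Documents and Settings/*/Application Data"],
    "desktop": ["Users/*/Desktop", "Documents and Settings/*/Desktop"],
    "commonstartmenu": ["ProgramData/Microsoft/Windows/Start Menu",
                        "Documents and Settings/All Users/Start Menu"],
}

def find_ci(base: Path, pattern: str):
    """Return paths under base matching pattern, ignoring case ("*" = any one name)."""
    current = [base]
    for part in pattern.split("/"):
        nxt = []
        for d in current:
            if not d.is_dir():
                continue
            try:
                children = list(d.iterdir())
            except OSError:  # unreadable profile directory: skip it
                continue
            nxt += [c for c in children if part == "*" or c.name.lower() == part.lower()]
        current = nxt
    return current

def sweep(volume_root):
    """Return a sorted list of (placeholder, path) for every listed artifact present."""
    hits = []
    for placeholder, rel_paths in ARTIFACTS.items():
        for layout in LAYOUTS[placeholder]:
            for rel in rel_paths:
                hits += [(placeholder, str(p))
                         for p in find_ci(Path(volume_root), f"{layout}/{rel}") if p.is_file()]
    return sorted(hits)

if __name__ == "__main__":
    import sys
    for placeholder, path in sweep(sys.argv[1] if len(sys.argv) > 1 else "C:/"):
        print(f"%{placeholder}%  {path}")
```

Pass the root of the volume or mounted image as the first argument; name matching ignores case so the sweep behaves the same on a case-sensitive forensic mount.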


The adware blocks the execution of all applications, except the following:

  • csrss.exe
  • DllHost.exe
  • SearchProtocolHost.exe
  • IEUser.exe
  • un_inst.exe
  • *.tmp
  • iexplore.exe
  • winlogon.exe
  • server.exe
  • spooler.exe

The adware collects the following information:

  • antivirus software detected on the affected machine
  • operating system version

The adware attempts to send gathered information to a remote machine.
