Win32/Adware.XPAntiSpyware [Threat Name]

Win32/Adware.XPAntiSpyware.AE [Threat Variant Name]

Category adware, riskware
Size 174080 B
Detection created Aug 17, 2012
Detection database version 7394
Aliases Rogue:Win32/FakeRean (Microsoft)
Short description

Win32/AdWare.XPAntiSpyware.AE is a rogue antivirus. The file is run-time compressed using ASPack and Mystic Compressor.

Installation

When executed, the adware copies itself into some of the following locations:

  • %localappdata%\pw.exe
  • %localappdata%\MSASCui.exe
  • %localappdata%\mtg.exe
  • %localappdata%\Microsoft\Windows Defender\pw.exe
  • %localappdata%\Microsoft\Windows Defender\MSASCui.exe
  • %localappdata%\Microsoft\Windows Defender\mtg.exe
  • %localappdata%\mtg\pw.exe
  • %localappdata%\mtg\MSASCui.exe
  • %localappdata%\mtg\mtg.exe
  • %templates%\pw.exe
  • %templates%\MSASCui.exe
  • %templates%\mtg.exe
  • %templates%\Microsoft\Windows Defender\pw.exe
  • %templates%\Microsoft\Windows Defender\MSASCui.exe
  • %templates%\Microsoft\Windows Defender\mtg.exe
  • %templates%\mtg\pw.exe
  • %templates%\mtg\MSASCui.exe
  • %templates%\mtg\mtg.exe
  • %temp%\pw.exe
  • %temp%\MSASCui.exe
  • %temp%\mtg.exe

Note that MSASCui.exe is the name of a genuine Windows Defender binary; the copies above are suspicious because they sit under the user profile rather than under %ProgramFiles%.

The adware may create the following files:

  • %localappdata%\opRSK
  • %templates%\opRSK
  • %temp%\opRSK
  • %localappdata%\670nbCuLDd5W4V8N3oi655BI353I
  • %templates%\670nbCuLDd5W4V8N3oi655BI353I
  • %temp%\670nbCuLDd5W4V8N3oi655BI353I

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Classes\.exe]
    • "(Default)" = "pezfile"
    • "Content Type" = "application/x-msdownload"
  • [HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon]
    • "(Default)" = "%1"
  • [HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
    • "(Default)" = ""%malwarefilepath%" /START "%1" %*"
    • "IsolatedCommand" = ""%1" %*"
  • [HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command]
    • "(Default)" = ""%1" %*"
    • "IsolatedCommand" = ""%1" %*"
  • [HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command]
    • "(Default)" = ""%1" %*"
    • "IsolatedCommand" = ""%1" %*"
  • [HKEY_CURRENT_USER\Software\Classes\pezfile]
    • "(Default)" = "Application"
    • "Content Type" = "application/x-msdownload"
  • [HKEY_CURRENT_USER\Software\Classes\pezfile\DefaultIcon]
    • "(Default)" = "%1"
  • [HKEY_CURRENT_USER\Software\Classes\pezfile\shell\open\command]
    • "(Default)" = ""%malwarefilepath%" /START "%1" %*"
    • "IsolatedCommand" = ""%1" %*"
  • [HKEY_CURRENT_USER\Software\Classes\pezfile\shell\runas\command]
    • "(Default)" = ""%1" %*"
    • "IsolatedCommand" = ""%1" %*"
  • [HKEY_CURRENT_USER\Software\Classes\pezfile\shell\start\command]
    • "(Default)" = ""%1" %*"
    • "IsolatedCommand" = ""%1" %*"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\%application%\shell\safemode\command]
    • "(Default)" = ""%malwarefilepath%" /START "%originaldata%""
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\%application%\shell\open\command]
    • "(Default)" = ""%malwarefilepath%" /START "%originaldata%""
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows]
    • "Identity" = 421692488

HKEY_CURRENT_USER\Software\Classes overrides HKEY_CLASSES_ROOT for the current user and can be written without administrative rights. By pointing the .exe extension at its own "pezfile" ProgID and setting the open verb to "%malwarefilepath%" /START "%1" %*, the adware is executed every time the user launches any .exe through the shell; it then starts the requested program from the /START argument, so the hook goes unnoticed. The StartMenuInternet entries hook the default browser in the same way. The runas and start verbs keep the stock ""%1" %*" command, so launching a program with "Run as administrator" bypasses the hook. Removing or quarantining the adware binary without also deleting the HKEY_CURRENT_USER .exe override leaves every .exe unable to launch, because the open command then points at a file that no longer exists.


After the installation is complete, the adware deletes the original executable file.
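As an added example (not part of the ESET entry and not vendor tooling), the PowerShell script below audits a user profile for the drop locations and the .exe association hook listed above, and removes the HKEY_CURRENT_USER override when run with -Remediate. The drop names, key names and the "pezfile" ProgID are taken from the entry; the -Remediate switch, the output format and the treatment of %templates% as the per-user Templates shell folder are assumptions of this example. Run it as the affected user; the HKEY_LOCAL_MACHINE StartMenuInternet keys are only reported, since fixing them needs an elevated console.

```powershell
# Added example, not ESET's own tooling: audit a user profile for the
# XPAntiSpyware.AE drop locations and .exe association hijack listed above,
# and undo the HKCU hijack when -Remediate is given.
param([switch]$Remediate)

# %templates% in the entry is the per-user Templates shell folder, not an
# environment variable, so it is resolved through .NET (assumption).
$templates = [Environment]::GetFolderPath('Templates')
$dropRoots = @(
    $env:LOCALAPPDATA
    (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows Defender')
    (Join-Path $env:LOCALAPPDATA 'mtg')
    $templates
    (Join-Path $templates 'Microsoft\Windows Defender')
    (Join-Path $templates 'mtg')
    $env:TEMP
)
# MSASCui.exe is a genuine Windows Defender binary name; a copy under the
# user profile rather than %ProgramFiles% is what makes it suspicious here.
$dropNames = 'pw.exe', 'MSASCui.exe', 'mtg.exe', 'opRSK', '670nbCuLDd5W4V8N3oi655BI353I'

Write-Host '== dropped files =='
foreach ($root in $dropRoots) {
    foreach ($name in $dropNames) {
        $path = Join-Path $root $name
        if (Test-Path -LiteralPath $path) {
            Get-Item -LiteralPath $path | Select-Object FullName, Length, LastWriteTime
        }
    }
}

Write-Host '== .exe association (HKCU overrides HKCR for this user) =='
# A clean profile has no HKCU\Software\Classes\.exe at all: ".exe" then resolves
# to HKLM's "exefile" ProgID, whose open command is "%1" %*. Anything else is a hook.
$clean = '"%1" %*'
$hijacked = $false
foreach ($key in 'HKCU:\Software\Classes\.exe', 'HKCU:\Software\Classes\pezfile') {
    $cmdKey = "$key\shell\open\command"
    if (Test-Path -LiteralPath $cmdKey) {
        $cmd = (Get-Item -LiteralPath $cmdKey).GetValue('')
        if ($cmd -ne $clean) {
            $hijacked = $true
            Write-Warning "$cmdKey -> $cmd"
        }
    }
}

Write-Host '== browser hook (HKLM, report only) =='
# A per-client "safemode" verb does not exist on a stock install, and the
# open verb should never carry a /START argument.
$smi = 'HKLM:\SOFTWARE\Clients\StartMenuInternet'
if (Test-Path -LiteralPath $smi) {
    foreach ($client in Get-ChildItem -LiteralPath $smi) {
        foreach ($verb in 'open', 'safemode') {
            $cmdKey = "$smi\$($client.PSChildName)\shell\$verb\command"
            if (Test-Path -LiteralPath $cmdKey) {
                $cmd = (Get-Item -LiteralPath $cmdKey).GetValue('')
                if ($verb -eq 'safemode' -or $cmd -match '/START') {
                    Write-Warning "$($client.PSChildName) $verb -> $cmd"
                }
            }
        }
    }
}

if ($Remediate -and $hijacked) {
    # Deleting the per-user override is the fix, not editing it: once the HKCU
    # keys are gone, .exe falls back to HKLM's exefile definition. Do this
    # before removing the dropped binaries, or every .exe the user launches
    # fails because the open command points at a file that no longer exists.
    Remove-Item -LiteralPath 'HKCU:\Software\Classes\.exe' -Recurse -Force
    Remove-Item -LiteralPath 'HKCU:\Software\Classes\pezfile' -Recurse -Force
    Write-Host 'HKCU .exe association override removed.'
}
```

Because the hook sits on the open verb only, start the script from a console that is already running (or via "Run as administrator", which uses the untouched runas verb) rather than by double-clicking a .ps1 while the hijack is still in place.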

Other information

Win32/AdWare.XPAntiSpyware.AE is a rogue antivirus.


The adware displays fake warnings claiming that threats have been detected on the compromised computer and need to be removed; the reported problems do not exist.


The goal of the program is to persuade the user to purchase the product.


Some examples of its behaviour follow.

The adware may delete the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lavasoft Ad-Aware Service]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntiVirService]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntiVirSchedulerService]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntiVirFirewallService]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntiVirMailService]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntiVirWebService]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avgio]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avgntflt]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avipbb]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avfwim]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avfwot]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avgnt]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avg9emc]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avg9wd]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AvgLdx86]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AvgLdx64]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AvgMfx86]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AvgMfx64]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AvgTdiX]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Avgfwdx]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Avgfwfd]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avgfws9]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVGIDSAgent]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVGIDSDriverxpx]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVGIDSErHrxpx]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVGIDSFilterxpx]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVGIDSShimxpx]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AvgRkx86]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVG9_TRAY]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Aavmker4]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aswMon2]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aswRdr]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aswTdi]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aswUpdSv]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avast! Antivirus]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avast! Mail Scanner]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avast! Web Scanner]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avast!]

The adware terminates various security-related applications.


The following programs are affected:

  • AVIRA
  • AVG
  • avast! Antivirus
  • Malwarebytes' Anti-Malware
  • Lavasoft
  • Windows Defender

The adware acquires data and commands from a remote computer or the Internet.


The adware contains a list of (3) URLs. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • shut down/restart the computer
