Win32/Adware.SafetyAntiSpyware [Threat Name]

Win32/Adware.SafetyAntiSpyware.A [Threat Variant Name]

Category adware, riskware
Size 859136 B
Aliases Rogue:Win32/FakeRean (Microsoft)
Short description

Win32/Adware.SafetyAntiSpyware.A is a rogue antivirus. The file is run-time compressed using MPress.


The adware does not create any copies of itself.

In order to be executed on every system start, the adware sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Internet Security" = "%malwarefilepath%"

The adware may create the following files:

  • %appdata%\Microsoft\Internet Explorer\Quick Launch\Internet Security.lnk
  • %desktop%\Internet Security.lnk
  • %startmenu%\Internet Security.lnk

These are shortcuts to files of the adware.
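A read-only triage check for the Run value and the three shortcuts listed above, as an added example that is not part of the original description. It assumes that the %desktop% and %startmenu% placeholders correspond to the current user's Desktop and Start Menu special folders, and it must be run in the affected user's session because everything listed is per-user.

```powershell
# Added example: read-only check for the persistence artifacts listed above.
# Assumption: %desktop% / %startmenu% map to the current user's special folders.
$valueName = 'Internet Security'
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$findings  = @()

# 1. Autostart value named "Internet Security" under the HKCU Run key
$run = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
if ($run) {
    $findings += [pscustomobject]@{
        Type   = 'RunValue'
        Path   = "$runKey\$valueName"
        Target = $run.$valueName
    }
}

# 2. Shortcuts named "Internet Security.lnk" in the three listed locations
$lnkPaths = @(
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\Internet Security.lnk'),
    (Join-Path ([Environment]::GetFolderPath('Desktop'))   'Internet Security.lnk'),
    (Join-Path ([Environment]::GetFolderPath('StartMenu')) 'Internet Security.lnk')
)
$shell = New-Object -ComObject WScript.Shell
foreach ($lnk in $lnkPaths) {
    if (Test-Path -LiteralPath $lnk) {
        $findings += [pscustomobject]@{
            Type   = 'Shortcut'
            Path   = $lnk
            # Reading a shortcut does not modify it; Save() is never called
            Target = $shell.CreateShortcut($lnk).TargetPath
        }
    }
}

# 3. Resolve each target and report its Authenticode status for triage
foreach ($f in $findings) {
    $exe = $f.Target -replace '^"([^"]+)".*$', '$1'   # strip quotes and arguments
    $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
        (Get-AuthenticodeSignature -LiteralPath $exe).Status
    } else { 'TargetMissing' }
    $f | Add-Member -NotePropertyName Signature -NotePropertyValue $sig -PassThru
}
if (-not $findings) { 'No listed artifacts found for the current user.' }
```

The name "Internet Security" is generic, so a hit is a lead for review rather than a verdict; compare the reported target path and signature status against software known to be installed.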

The adware terminates its execution if it detects that it's running in a specific virtual environment.

Other information

Win32/Adware.SafetyAntiSpyware.A is a rogue antivirus.

The adware displays fake warnings about threats detected on the compromised computer that need to be removed.

The problems/threats are fake.

The goal of the program is to persuade the user to purchase the product.

Some examples follow.

The adware contains a list of 6 URLs. The HTTP protocol is used.

The adware keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\%variable%\Regcode]
  • [HKEY_CURRENT_USER\%variable%\Dl'hm]
  • [HKEY_CURRENT_USER\%variable%\FRun]
  • [HKEY_CURRENT_USER\%variable%\O'ld]
  • [HKEY_CURRENT_USER\%variable%\Q\ui]
  • [HKEY_CURRENT_USER\%variable%\Update]

A string with variable content is used instead of %variable%.
