Win32/Adware.SecurityTool [Threat Name]

Win32/Adware.SecurityTool.AD [Threat Variant Name]

Category adware, riskware
Size 971264 B
Aliases Trojan.FakeAV!gen39 (Symantec)
  Rogue:Win32/Winwebsec (Microsoft)
  FakeAlert-SpyPro.gen.p (McAfee)
Short description

Win32/Adware.SecurityTool.AD is a rogue antivirus.


When executed, the adware copies itself into the following location:

  • %appdata%\%variable%.exe

In order to be executed on system start, the adware sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    • "%variable%" = "%appdata%\%variable%.exe 21 46"

A string with variable content is used instead of %variable%.

The adware creates the following file:

  • %commonprograms%\Security Tool.lnk

The file is a shortcut to a malicious file.

After the installation is complete, the adware deletes the original executable file.
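
The RunOnce entry described above has a recognizable shape: the value name equals the name of an executable sitting directly in %appdata%, followed by the arguments 21 46. The following check for that shape is an added example, not part of the original description; it assumes the text output of `reg query` on the RunOnce key as input, and the function name and all sample values are constructed.

```python
import ntpath
import re

# Constructed `reg query` output for the RunOnce key (not from a real host).
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    qxkmdtrw    REG_SZ    C:\Users\alice\AppData\Roaming\qxkmdtrw.exe 21 46
    Updater    REG_SZ    "C:\Users\alice\AppData\Roaming\Vendor\updater.exe" /silent
    helper    REG_SZ    C:\Users\alice\AppData\Roaming\helper.exe
    ZPLNAB    REG_EXPAND_SZ    "%APPDATA%\zplnab.exe" 21 46
"""

# One value line: indented name, string type, data.
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.+)$")
# Command line: optionally quoted path ending in .exe, then the arguments.
CMD_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)"?\s*(?P<args>.*)$', re.I)


def find_securitytool_runonce(reg_output, appdata):
    """Return (value name, path) for RunOnce values matching the described entry.

    appdata is the expanded %appdata% folder of the profile being examined;
    the unexpanded form "%appdata%" is accepted as well.
    """
    roots = {ntpath.normcase(appdata), ntpath.normcase("%appdata%")}
    hits = []
    for line in reg_output.splitlines():
        m = VALUE_RE.match(line)
        cmd = CMD_RE.match(m.group("data").strip()) if m else None
        if not cmd:
            continue
        folder, exe = ntpath.split(cmd.group("path"))
        stem = ntpath.splitext(exe)[0]
        # All three traits from the description must hold together:
        # file directly in %appdata%, value name == file name, args "21 46".
        if (ntpath.normcase(folder) in roots
                and stem.lower() == m.group("name").lower()
                and cmd.group("args").split() == ["21", "46"]):
            hits.append((m.group("name"), cmd.group("path")))
    return hits


if __name__ == "__main__":
    for name, path in find_securitytool_runonce(
            SAMPLE, r"C:\Users\alice\AppData\Roaming"):
        print(f"suspicious RunOnce value {name!r} -> {path}")
```

Requiring all three traits keeps legitimate RunOnce entries, such as an updater in a vendor subfolder of %appdata%, out of the results.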

Other information

The adware displays fake warnings about threats detected on the compromised computer that need to be removed.

The problems/threats are fake.

Some examples follow.

The goal of these programs is to persuade the user to purchase them.

After a certain time delay, the adware blocks access to the operating system.

The adware displays a fake error message:

The adware blocks the execution of all applications, except the following:

  • iexplore.exe
  • firefox.exe
  • wscntfy.exe
  • shutdown.exe
  • avcheck.exe
  • wuauclt.exe
  • cleaner.exe
  • conhost.exe

The adware may create the following files:

  • %temp%\%variable%.bat

A string with variable content is used instead of %variable%.

The adware connects to the following addresses:

