As soon as the user is tricked into visiting the compromised website, the browser is minimized and a dialogue box titled “Message from webpage” pops up with the message:
“Warning!!! Your personal computer needs to install antivirus software! Antivir can perform fast and free virus and malicious software scan of your compute”.
Clicking on the OK or Cancel button runs the fake scan. At the end of the scan, another message box with the following text is displayed:
“This computer is under attack They can seriously harm your private data or files, and should be healed immediately Return to Antivir and download it secure your PC”
Clicking on the OK or Cancel button shows a fake Windows security alert window.
Clicking anywhere on the alert box prompts a download dialogue box for antivir. Trying to cash in on the name of the legitimate Avira Antivir antivirus software, this scareware needs to be installed manually; it even displays a license agreement prior to installation. Once installed by the user, it runs a scan to completion, displays false detections of many malware items and offers to remove them all. Once you opt to “remove all”, it displays a “Trial version edition” warning with a helpful “Get full protection!” button, which takes you to the fraudulent payment page.
Rogue security software such as Antivir belongs to a family of software products that call themselves antivirus, antispyware or registry cleaners and often use deceptive or high-pressure sales tactics and deliberate false positives to convince users to buy a license or subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add more malware of their own.
Now and then it throws up a variety of warning messages trying to scare the user into buying a subscription.
This scareware either blocks a program or just shows a message claiming it has blocked the program from executing, thus “saving” the user. These warning messages appear whenever you try to open a program, or even during Windows background tasks. The warning messages use the actual name and exact path of the executable. One is able to open the desired program by repeatedly clicking on the executable or its shortcut. In my limited tests it appears to permanently block only cmd.exe from executing.
The scareware downloader in this instance is named Antivir-d2f1c_2013-1.exe, about 163840 bytes in size. The part “d2f1c” of the name is a random string. This file is detected by 3/41 (7.32%) of the virus engines at VirusTotal. The actual executable for this scareware is antivir.exe, about 1658880 bytes in size; it is not detected by any of the engines at VirusTotal.
Antivir Associated Files and Folders
- C:\Program Files\AV\antivir.exe
- C:\Program Files\Common Files\Uninstall\AV\Uninstall.lnk
- C:\Documents and Settings\All Users\Start Menu\AV\Antivir.lnk
- C:\Documents and Settings\All Users\Start Menu\AV\Uninstall.lnk
- C:\Documents and Settings\malwarehelp_org\Desktop\Antivir.lnk
- C:\Program Files\AV
- C:\Program Files\Common Files\Uninstall
- C:\Documents and Settings\All Users\Start Menu\AV
Some of the file names may be randomly generated.
Antivir Associated Registry Values and Keys
Antivir Associated Domains
This scareware was observed accessing the following domains during installation and operation:
- http://amphipod2 .cn/go.php?id=2013-01&key=a98402e2d&d=1
- http://allprotectiona1 .com/1/?sess=%3DWW19jDxOS0xJmlwPTEyMi4xNjQuMTc2LjExNCZ0aW1lPTEyNTM1MYMMOQkM
- http://barnys-corner .com/?mod=vv&i=1&id=2013-1
- http://barnys-corner .com/order-software.php?id=2013-1
- http://secure.maxsoftwaremarket .com:443
Note: Visiting the domains mentioned above may harm your computer system.
The scareware was also observed making a GET request to http://download.cnet.com/windows/security-software/
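The file paths and domains listed above are the indicators a defender would sweep for on other machines and in proxy logs. The following Python script is an added example, not part of the original write-up or of any tool it mentions: it holds the indicators as given above (domains kept in the write-up's defanged "name .tld" form and re-fanged only for matching), matches the randomly named downloader by its fixed `Antivir-…_2013-1.exe` shape (treating the random part as alphanumeric is an assumption), and runs both a path check and a proxy-log check over constructed sample data. The legitimate Avira path in the sample is there to show it does not trigger.

```python
import re
from typing import Iterable, List, Tuple

# File and folder indicators exactly as listed in the write-up above.
ANTIVIR_PATHS = [
    r"C:\Program Files\AV\antivir.exe",
    r"C:\Program Files\Common Files\Uninstall\AV\Uninstall.lnk",
    r"C:\Documents and Settings\All Users\Start Menu\AV\Antivir.lnk",
    r"C:\Documents and Settings\All Users\Start Menu\AV\Uninstall.lnk",
    r"C:\Program Files\AV",
    r"C:\Program Files\Common Files\Uninstall",
    r"C:\Documents and Settings\All Users\Start Menu\AV",
]
# The desktop shortcut lands in whichever user profile ran the installer,
# so the profile name is treated as a wildcard rather than a fixed value.
DESKTOP_LNK_RE = re.compile(r"(?i)^C:\\Documents and Settings\\[^\\]+\\Desktop\\Antivir\.lnk$")
# Downloader name: Antivir-<random>_2013-1.exe. The write-up only says the
# middle part is random; treating it as alphanumeric is an assumption.
DOWNLOADER_RE = re.compile(r"(?i)(?:^|\\)antivir-[0-9a-z]+_2013-1\.exe$")

# Domains kept exactly as the write-up defangs them ("name .tld").
ANTIVIR_DOMAINS_DEFANGED = [
    "amphipod2 .cn",
    "allprotectiona1 .com",
    "barnys-corner .com",
    "secure.maxsoftwaremarket .com",
]


def refang(domain: str) -> str:
    """Undo the write-up's 'name .tld' defanging so the value matches log data."""
    return domain.replace(" .", ".").lower()


def scan_host_paths(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every path that matches an Antivir indicator."""
    known = {p.lower() for p in ANTIVIR_PATHS}
    hits = []
    for path in paths:
        if path.lower() in known:
            hits.append((path, "known Antivir path"))
        elif DESKTOP_LNK_RE.match(path):
            hits.append((path, "desktop shortcut"))
        elif DOWNLOADER_RE.search(path):
            hits.append((path, "downloader name pattern"))
    return hits


def extract_hosts(line: str) -> List[str]:
    """Pull host names out of a log line: strip scheme, port and path from each token."""
    hosts = []
    for tok in line.split():
        tok = re.sub(r"^[a-z][a-z0-9+.-]*://", "", tok, flags=re.I)
        host = tok.split("/", 1)[0].split(":", 1)[0].lower()
        # Require a dotted name whose last label is alphabetic; this skips
        # IP addresses, epoch timestamps and status fields like TCP_MISS/200.
        if "." in host and re.fullmatch(r"[a-z0-9.-]+", host) and host.rsplit(".", 1)[-1].isalpha():
            hosts.append(host)
    return hosts


def scan_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (line, domain) for lines contacting an Antivir domain or one of its subdomains."""
    domains = [refang(d) for d in ANTIVIR_DOMAINS_DEFANGED]
    hits = []
    for line in lines:
        for host in extract_hosts(line):
            matched = next((d for d in domains if host == d or host.endswith("." + d)), None)
            if matched:
                hits.append((line.strip(), matched))
                break
    return hits


# Constructed sample data (not from the write-up): a directory listing and a
# few Squid-style proxy lines from a hypothetical client 192.0.2.10.
SAMPLE_PATHS = [
    r"C:\Program Files\AV\antivir.exe",
    r"C:\Documents and Settings\user\Desktop\Antivir.lnk",
    r"C:\Documents and Settings\user\Desktop\Antivir-9ab12_2013-1.exe",
    r"C:\Program Files\Avira\AntiVir Desktop\avcenter.exe",  # legitimate product, must not match
    r"C:\WINDOWS\system32\cmd.exe",
]
SAMPLE_PROXY_LOG = [
    "1358000000.101 192.0.2.10 TCP_MISS/200 GET http://amphipod2.cn/go.php?id=2013-01&key=a98402e2d&d=1",
    "1358000001.202 192.0.2.10 TCP_MISS/200 GET http://download.cnet.com/windows/security-software/",
    "1358000002.303 192.0.2.10 TCP_MISS/200 GET http://www.barnys-corner.com/order-software.php?id=2013-1",
    "1358000003.404 192.0.2.10 TCP_TUNNEL/200 CONNECT secure.maxsoftwaremarket.com:443",
]

if __name__ == "__main__":
    for path, reason in scan_host_paths(SAMPLE_PATHS):
        print(f"HOST  {reason:24} {path}")
    for line, domain in scan_log(SAMPLE_PROXY_LOG):
        print(f"PROXY {domain:24} {line}")
```

The download.cnet.com request noted above is deliberately left out of the indicator list: it is a legitimate site, and the sample log shows that it produces no hit. The subdomain match (`www.barnys-corner.com` against `barnys-corner .com`) is what you want for a blocklist, since the write-up shows the same domain reached with and without a path.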
Antivir Removal (How to remove Antivir)
The free version of MalwareBytes’s Anti-Malware (mbam-setup.exe Direct download) appears to remove this rogue security software.
- Use an alternate browser like Firefox or Chrome to download and install MalwareBytes’s Anti-Malware from the link above.
- Also download CCleaner.
- Boot into Safe Mode.
- Click to scan with MalwareBytes Anti-Malware. Check mark all instances of the rogue security software and delete them.
- Turn System Restore off and on.
- Install, scan and clean the temporary files with CCleaner.
You should now be clean of this rogue.
Antivir Scareware — Screenshots
Antivir Scareware — Video
Note: The above installation and removal were tested on a fully patched Windows XP SP3 running updated versions of Internet Explorer and Firefox. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.