Installation
Win32/InternetAntivirus can be distributed under the following brand names:
- Personal Antivirus
- General Antivirus
- Internet Antivirus Pro
Win32/InternetAntivirus is usually installed by a downloader with the file name install.exe. When run, this file downloads the following two files to your PC:
The installer then runs both of these files. It runs InternetAntivirusPro.exe with command line options to enable it to be silently installed.
Win32/InternetAntivirus might create the following files:
It creates this registry entry to run the fake scanner each time Windows starts:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Internet Antivirus Pro"
With data: "%ProgramFiles%\Internet Antivirus Pro\IAPro.exe"
Payload
Displays misleading messages and fake scanning results
These are examples of the fake interface, alerts, and scanning results that this threat might display as Internet Antivirus Pro:
Installs additional malware
Win32/InternetAntivirus copies a component to a variable location using a variable file name, for example:
<system folder>\Microsoft\Protect\S-1-5-18\byoroutand.exe
This component might be detected as TrojanDownloader:Win32/FakeIA.A. It creates another registry entry so that it runs every time Windows starts:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "<file name of malware without extension>" (for example, "byoroutand")
With data: "<full path of malware>" (for example, "<system folder>\Microsoft\Protect\S-1-5-18\byoroutand.exe")
This component injects code into Internet Explorer and periodically displays this page instead of the actual web page you're trying to view:
The "click here" link directs the browser to a purchase page for Win32/InternetAntivirus:
Displays fake warnings and mimics the Windows Security Center
Win32/InternetAntivirus shows a fake copy of the Windows Security Center, along with an icon in the system tray that shows pop-up warnings. Clicking the recommendations launches an Internet Explorer window to show the purchase web page previously mentioned.
Additional information
Win32/InternetAntivirus might also create an uninstall entry in the registry:
Subkey: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\A11V_is1
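The three registry locations described above (the per-user Run value, the Policies\Explorer\Run value pointing into the Protect\S-1-5-18 folder, and the A11V_is1 uninstall subkey) can be checked with a short PowerShell script. This is an added triage helper, not part of the Microsoft write-up; it assumes it runs in the context of the affected user (the entries live under HKCU), that "<system folder>" resolves to %SystemRoot%\System32, and it matches the dropped component by its folder rather than by its variable file name.

```powershell
# Added triage helper (not from the original write-up). Reports registry
# indicators associated with Win32/InternetAntivirus; an empty result does not
# prove the machine is clean, since file names and locations vary.
function Find-InternetAntivirusIndicators {
    [CmdletBinding()]
    param()

    $findings = @()

    # 1. Per-user Run value created by the installer.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runProps = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($runProps -and $runProps.PSObject.Properties['Internet Antivirus Pro']) {
        $data = $runProps.'Internet Antivirus Pro'
        $findings += [pscustomobject]@{
            Indicator  = 'Run value "Internet Antivirus Pro"'
            Location   = $runKey
            Data       = $data
            FileExists = Test-Path -LiteralPath ($data -replace '"', '')
        }
    }

    # 2. Policies\Explorer\Run values whose data points into the SYSTEM DPAPI
    #    "Protect" folder, where the downloader component is dropped.
    $polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    $polProps = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
    if ($polProps) {
        foreach ($p in $polProps.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata
            if ("$($p.Value)" -like '*\Microsoft\Protect\S-1-5-18\*.exe') {
                $findings += [pscustomobject]@{
                    Indicator  = 'Policies\Explorer\Run value in Protect\S-1-5-18'
                    Location   = "$polKey\$($p.Name)"
                    Data       = $p.Value
                    FileExists = Test-Path -LiteralPath "$($p.Value)"
                }
            }
        }
    }

    # 3. Uninstall subkey named A11V_is1.
    $uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\A11V_is1'
    if (Test-Path -LiteralPath $uninst) {
        $findings += [pscustomobject]@{
            Indicator = 'Uninstall subkey A11V_is1'; Location = $uninst
            Data = $null; FileExists = $null
        }
    }
    return $findings
}

Find-InternetAntivirusIndicators | Format-Table -AutoSize
```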
Analysis by Hamish O'Dea