Antivirus2010 – Multiple “Avatars” in a Single .exe
- Wednesday, April 7, 2010, 0:25
- Threat Research
Antivirus XP 2010, a clone of the Antivirus2010 family, is amongst today’s most prevalent rogue security software. Fake security software scammers continue to release new clones in frequent attempts to evade antivirus scanner detections. New clones share the same user interface and look and feel of the original application, but the application name changes.
Analysis of Antivirus2010 reveals that it is using a single binary file for multiple clones. Every time such a binary is executed, a different name is displayed as an application title. For example, when it is executed for the first time it displays itself as XP Antispyware 2010; however, when executed again it may display itself as XP Guardian 2010.
The following is a list of the names that it may use in any particular instance:
• XP Antispyware 2010
• Antivirus XP 2010
• XP Guardian 2010
• XP Guardian
• XP Defender 2010
• XP Antivirus
• XP Antivirus 2010
• XP Antivirus Pro
• XP Antivirus Pro 2010
• XP Internet Security
• XP Internet Security 2010
Here is a screen shot of the binary executed, showing the application name as Antivirus XP 2010:
When same executable is launched multiple times it shows different application names—below are some screen shots.
All of the above clones are widely discussed on various security blogs and security product websites; (continue reading...)