Rogues keeps coming, and fake alerts

With our continuous series of exposing prevalent widespread rogue security products, we carried out a deep analysis on Antivirus Studio 2010. Emsisoft Anti-Malware detects the threat as Adware.Win32.AntivirusStudio2010.

The rogue has been very prevalent in recent weeks and having common characteristics of performing a fake scan when it gets executed in the system.

The rogue creates numerous junk files which will be detected as malware when the program scans the computer, and of course, will not allow user to remove them until the program is purchased. A female voice saying “new virus found” is heard anytime a detection is found.

The malware tries to make a GET request to hxxp://httplive.net/ea.php?p=1&aid=93. Once infected, the windows logon screen is presented with the following warning.

Fake alerts have been a close friend and partner of these rogue products, and Antivirus Studio 2010 is no different. Number of warnings and alerts such as below are presented to the user

The rogue also throws pop-ups as below at the victim’s computer.

Injection of code into browsers to show “made-up” messages has been around for some time now, and Antivirus Studio 2010 seems to have integrated every possible trick in itself.

When the link in the browser message is clicked, user is redirected to the sales page of the rogue for further purchase.

Looking into the packed code of the rogue, we found the string which is very familiar to a BSOD message Windows throws. Clearly, indicating that the malware is also capable to use the fake BSOD trick.

When a user tries to execute the applications marked in red, they will be directly terminated by the rogue

And, the following notification will be shown.

The rogue drops a file called “taskmgr.dll” to ““%UserProfile%\Application Data\AntiVirus 2010”. Whenever a user tries to execute the Task Manager, the DLL gets injected to Task Manager modifying the GUI as below.

Antivirus Studio 2010 stops and disables various Windows services like,

  • Application Layer Gateway Service
  • Windows Firewall/Internet Connection Sharing (ICS)
  • Security Center
  • Automatic Updates

We also found something worth mentioning, atypical feature of these rogues. On the main GUI, when the Support button is clicked, the following prompt appears.

And as marked, the “developer” seems to have forgotten to change the product name. Desktop Security 2010 incidentally is another variant of the same.