antivirus2010, userinit and then some more

  • August 9, 2010

There is a new rogue variant making the rounds, going by the name Antivirus2010. The malware copies itself to the System32 directory under a name similar to that of a commonly used Windows file present in the same directory.

Looked at with the naked eye, there appear to be two userinit.exe files, though one has a unique icon and the other doesn’t. We traversed the System32 directory in the command prompt, and the non-English character in the malicious userinit.exe stood out quite easily.

The malware registers itself as a service to start automatically with Windows.

On execution, the malware extracts and builds a PE file in memory with the name lz32.dll, and makes a remote connection to download another DLL component.

The remote addresses to which connections are established are

The downloaded malicious DLL is dropped into the System32 directory. The DLL is normally an eight-letter, randomly named file, for example mswmqnei.dll or mspnxdcm.dll, and is encrypted. The DLL is loaded into memory to display the main UI of the rogue security product. The UI was created using HTML/JavaScript and, as we can see, the malware stores it in the resource area of the DLL.
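The two naming tricks described above (a System32 file whose name is a lookalike of a real Windows binary differing only by a non-English character, and an eight-letter randomly named DLL) can both be surfaced with a directory-listing check. The following is an added example for this post, not Emsisoft’s code: the list of known system binaries, the eight-letter baseline, the homoglyph map and the sample listing are all constructed for the example and would be replaced by a real clean-image baseline in practice.

```python
import os
import re
import unicodedata

# Legitimate Windows binaries that rogue software likes to imitate.
# Constructed, partial list for this example; a real deployment would use the
# full file set of a known-clean System32 image.
KNOWN_SYSTEM_BINARIES = {
    "userinit.exe", "winlogon.exe", "lsass.exe", "svchost.exe",
    "csrss.exe", "explorer.exe", "services.exe",
}

# Stems of legitimate eight-letter, all-lowercase DLLs that would otherwise
# trip the random-name heuristic. Constructed stand-in for a real baseline.
EIGHT_LETTER_BASELINE = {"setupapi", "wintrust", "iphlpapi"}

# Partial map of Cyrillic letters to the Latin letters they resemble.
# Constructed for this example; NFKC normalisation alone does not fold these.
HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0455": "s",
    "\u0458": "j", "\u0443": "y",
}

REASON_NON_ASCII = "non-ASCII character(s) in filename"
REASON_RANDOM_DLL = "eight-letter lowercase .dll name not on baseline"
EIGHT_LOWER = re.compile(r"[a-z]{8}")


def skeleton(name: str) -> str:
    """Fold a filename to the ASCII 'skeleton' a human reads it as."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in folded)


def classify(name: str) -> list:
    """Return the list of reasons a filename looks suspicious (empty if none)."""
    reasons = []
    # Any non-ASCII byte in a System32 filename is worth a look on its own.
    if any(ord(ch) > 127 for ch in name):
        reasons.append(REASON_NON_ASCII)
    # A name that reads like a known binary but is not spelled like it.
    sk = skeleton(name)
    if sk in KNOWN_SYSTEM_BINARIES and sk != name.casefold():
        reasons.append(f"lookalike of {sk}")
    # Eight lowercase letters + .dll, not in the baseline of real such DLLs.
    stem, _, ext = name.rpartition(".")
    if (ext.casefold() == "dll" and EIGHT_LOWER.fullmatch(stem)
            and stem not in EIGHT_LETTER_BASELINE):
        reasons.append(REASON_RANDOM_DLL)
    return reasons


def scan(listing) -> dict:
    """Map each flagged filename in the listing to its reasons."""
    findings = {}
    for name in listing:
        reasons = classify(name)
        if reasons:
            findings[name] = reasons
    return findings


def scan_directory(path: str) -> dict:
    """Run the check over a real directory, e.g. C:\\Windows\\System32."""
    return scan(os.listdir(path))


# Constructed directory listing: one genuine userinit.exe, one lookalike with
# Cyrillic i (U+0456), the two DLL names from the post, and benign neighbours.
SAMPLE_LISTING = [
    "userinit.exe",
    "user\u0456nit.exe",
    "mswmqnei.dll",
    "mspnxdcm.dll",
    "setupapi.dll",
    "kernel32.dll",
    "lz32.dll",
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_LISTING).items():
        print(f"{name!r}: {'; '.join(reasons)}")
```

The lookalike test compares a folded "skeleton" of the name against the baseline rather than the raw string, which is what makes the visually identical userinit.exe pair separable. The eight-letter heuristic is only as good as its baseline; on its own it is a triage hint, not a verdict.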

Analysing the HTML files, in INSTALL.HTML we notice a URL which is currently inactive. Incidentally, the IP in the URL is the same one that the malware uses to download the malicious file.

The IP, if visited directly, presents a website with adult content.

Looking at the registry modifications, we found some more information about the rogue product and decided to do some more research.

A simple DNS query on hxxp:// revealed

Nick Besmark        ([email protected])

P.O. Box 2494

Tel. +7.9263901779

Creation Date: 04-May-2010

Expiration Date: 04-May-2011

Domain servers in listed order:

Nothing specifically suspicious about a website registered by someone residing in Mahe, Seychelles, which currently gives a 403 Forbidden message. We then looked at and the first thing we noticed about it was that we actually land at which is a domain registrar website.

But we didn’t want to leave yet, and we stumbled upon The malware domains listed there show more than one instance of malicious activity, and it may be coincidence again that all are recently created domains. We can assume there is a distant connection, which proves again the inter-relationship between various rogue security products and exploits on the web. It is more than a billion-dollar industry out there, but we are always more than a step ahead of them.
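The observation that the domains involved were all recently created is a check worth automating: pull the creation and expiration dates out of a whois record and compare them with the date the domain was observed in malware. The following is an added example, not code from the post; the whois text is constructed in the same layout as the record quoted above, with placeholder registrant details, and the 9 August 2010 observation date is the post’s publication date.

```python
import re
from datetime import date, datetime

# Constructed whois record in the layout quoted in the post. Only the two
# dates are taken from the post; registrant and name-server lines are placeholders.
SAMPLE_WHOIS = """\
Registrant: PLACEHOLDER REGISTRANT (not the real record)
P.O. Box 0000

Tel. +0.000000000

Creation Date: 04-May-2010

Expiration Date: 04-May-2011

Domain servers in listed order:
ns1.example.invalid
ns2.example.invalid
"""

# Registrar output in this layout writes dates as 04-May-2010.
WHOIS_DATE_FORMAT = "%d-%b-%Y"


def parse_whois_date(text: str, label: str):
    """Return the date following 'label:' in a whois record, or None if absent."""
    m = re.search(re.escape(label) + r":\s*(\S+)", text, re.IGNORECASE)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), WHOIS_DATE_FORMAT).date()
    except ValueError:
        return None


def assess_record(text: str, observed: date = date(2010, 8, 9),
                  young_days: int = 180) -> dict:
    """Summarise domain age and registration term relative to an observation date.

    Flags a domain registered within `young_days` of being seen in malware
    and a domain registered for only the minimum one-year term, both of which
    are common for throwaway rogue-AV infrastructure.
    """
    created = parse_whois_date(text, "Creation Date")
    expires = parse_whois_date(text, "Expiration Date")
    result = {"age_days": None, "term_days": None, "flags": []}

    if created is None:
        result["flags"].append("no creation date in record")
        return result

    result["age_days"] = (observed - created).days
    if result["age_days"] < 0:
        result["flags"].append("creation date after observation (clock or record error)")
    elif result["age_days"] <= young_days:
        result["flags"].append("recently registered")

    if expires is not None:
        result["term_days"] = (expires - created).days
        if result["term_days"] <= 366:
            result["flags"].append("minimum one-year registration term")
    return result


if __name__ == "__main__":
    print(assess_record(SAMPLE_WHOIS))
```

Feeding the real whois text of each domain into `assess_record` with the date it was first seen gives the "all recently created" observation as a reproducible number rather than an impression; the thresholds are tunable and the missing-date branch keeps the check honest when a registrar redacts fields.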



Emsisoft founder and managing director. In 1998, when I was 16, a so-called 'friend' sent me a file via ICQ that unexpectedly opened my CD-ROM drive, which gave me a big scare. It marked the start of my journey to fight trojans and other malware. My story
