Rogue:Win32/FakeXPA Disguises by the Name of "AVG Antivirus 2011, Microsoft

When rogue security software uses multiple different names for itself, it's not especially noteworthy. After several months of calling themselves "Antivirus 8", recent variants of Rogue:Win32/FakeXPA have begun going by the name of "AVG Antivirus 2011."

When it's first installed, FakeXPA places a copy of itself named iesafemode.exe into the system directory. It then creates a registry entry to set iesafemode.exe as the debugger for a number of common web browsers, including IE, Firefox, Opera, Chrome, and Safari. This registry entry is normally used by software debuggers. Its effect is that when a user attempts to run the program in question, a copy of the debugger will be launched instead, with the name of the program to be run passed to the debugger as a command line parameter. This allows the debugger to launch the program in question and begin debugging it.

In this case, when a user attempts to launch any of these browsers, a copy of the malware will be run instead. Renaming the browser's executable and running this instead allows it to be launched without interference from the malware.
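The redirection described above relies on the Windows "Image File Execution Options" (IFEO) Debugger value, which is the registry mechanism the post refers to. The following PowerShell script is an added example for defenders, not code from the original post: it enumerates every IFEO Debugger value on a host and flags those attached to a browser image or pointing at the file name the post reports for FakeXPA. The browser executable names are this example's own assumptions for the browsers the post lists.

```powershell
# Added example (not from the original post): list Image File Execution Options
# (IFEO) "Debugger" values and flag the ones that would redirect a web browser.
# Assumptions: the browser image names below are guesses for the browsers the
# post names (IE, Firefox, Opera, Chrome, Safari); 'iesafemode.exe' is the file
# name the post gives for the FakeXPA copy placed in the system directory.

$ifeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Assumed image names for the browsers listed in the post.
$browserImages = @('iexplore.exe', 'firefox.exe', 'opera.exe', 'chrome.exe', 'safari.exe')

function Get-IfeoDebuggerHijacks {
    foreach ($root in $ifeoPaths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            # Each subkey is named after the image it applies to; a Debugger
            # value there makes Windows launch that program instead.
            $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
            if ($null -eq $props -or -not $props.PSObject.Properties['Debugger']) { continue }

            $image    = $key.PSChildName
            $debugger = [string]$props.Debugger
            $isBrowser     = $browserImages -contains $image.ToLower()
            $matchesSample = $debugger -match 'iesafemode\.exe'

            # Legitimate debuggers also use this value, so anything not tied to a
            # browser or to the reported file name is only marked for review.
            $severity = 'REVIEW'
            if ($isBrowser -or $matchesSample) { $severity = 'HIGH' }

            [pscustomobject]@{
                Key      = $key.PSPath
                Image    = $image
                Debugger = $debugger
                Severity = $severity
            }
        }
    }
}

Get-IfeoDebuggerHijacks | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so both the native and Wow6432Node hives are readable. A HIGH row whose Debugger points at a file in the system directory that no developer tool installed is the condition the post describes; once confirmed, removing the Debugger value with `Remove-ItemProperty -LiteralPath <Key> -Name Debugger` restores normal launching of the browser, and the dropped file itself still needs to be handled by a scanner.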

When the user visits a web page through the malware's own interface, the page may be downloaded and rendered using the IE libraries. But if the user attempts to visit a site that has been blacklisted by FakeXPA, such as a security-related site, it'll display the following instead:

(Screenshot: FakeXPA: AVG Antivirus 2011)

Notice how it changes the content of the address bar in an attempt to mislead the user into believing that the site has been blacklisted by Microsoft.
