New Rogue - AntivirusTrigger

by Albin on December 5th, 2008 in Researcher Comments, Security Alerts.

AntivirusTrigger is a new rogue anti-spyware application and a clone of VirusTrigger. It displays exaggerated threat reports on the compromised computer and then asks the user to purchase a registered version to remove the reported threats.

(Screenshot: AntivirusTrigger's GUI)

AntivirusTrigger will add the following files, folders and registry keys to the system:

Files:

%ProgramFiles\AnvTrgrsoftware\AnvTrgr.exe

%ProgramFiles\AnvTrgrsoftware\uninst.exe

%ProgramFiles\AnvTrgrsoftware\AnvTrgrWarning.dll

%UserProfile\Desktop\AntivirusTrigger 2.1.lnk

%UserProfile\Start Menu\AntivirusTrigger 2.1.lnk

%UserProfile\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusTrigger 2.1.lnk

Folders:

%ProgramFiles\AnvTrgrsoftware

%UserProfile\Start Menu\Programs\AntivirusTrigger 2.1

Registry Keys:

HKEY_CURRENT_USER\Software\AnvTrgrsoft

HKEY_CLASSES_ROOT\AnvTrgrWarning.WarningBHO

HKEY_CLASSES_ROOT\AnvTrgrWarning.WarningBHO.1

HKEY_CLASSES_ROOT\CLSID\22C447D3-73A8-E1C7-C391-21BE4338CEBC

HKEY_CLASSES_ROOT\CLSID\95E9BCC0-2E84-4500-8A9C-0B7A96769124

HKEY_CLASSES_ROOT\Interface\5C8B2A9C-24A0-4991-A74B-1E4931BD3A57

HKEY_CLASSES_ROOT\Interface\DF3F06C6-D443-48A8-BDF2-4E31F0554EBF

HKEY_CLASSES_ROOT\TypeLib\BAE92F67-539C-41CD-9183-162BB40AAA0C

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\AnvTrgrsoft

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\95E9BCC0-2E84-4500-8A9C-0B7A96769124

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AnvTrgrsoft

Registry Values and Data:

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Value: AnvTrgr

Data: C:\Program Files\AnvTrgrsoftware\AnvTrgr.exe

Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Value: C:\Program Files\AnvTrgrsoftware\AnvTrgr.exe

Data: C:\Program Files\AnvTrgrsoftware\AnvTrgr.exe:*:Enabled:AnvTrgr

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Value: C:\Program Files\AnvTrgrsoftware\AnvTrgr.exe

Data: C:\Program Files\AnvTrgrsoftware\AnvTrgr.exe:*:Enabled:AnvTrgr
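The Run-key autostart, the Windows Firewall whitelist entry and the IE BHO registration above are the artefacts a responder would check for on a suspect machine. As an added example (not code from the original post), the Python script below parses a registry export (.reg) and flags those three entries; the sample export is constructed from the values listed on this page, and the BHO CLSID is matched without braces because the page lists it that way.

```python
# Offline triage of a .reg export for the AntivirusTrigger artefacts listed above.
import re
# Indicators from the page; the BHO CLSID is matched without braces.
ROGUE_EXE = r"C:\Program Files\AnvTrgrsoftware\AnvTrgr.exe"
BHO_CLSID = "95E9BCC0-2E84-4500-8A9C-0B7A96769124"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
FW_LIST = r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"

# Constructed sample export (not a real capture); .reg files escape backslashes as \\.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"AnvTrgr"="C:\\Program Files\\AnvTrgrsoftware\\AnvTrgr.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\AnvTrgrsoftware\\AnvTrgr.exe"="C:\\Program Files\\AnvTrgrsoftware\\AnvTrgr.exe:*:Enabled:AnvTrgr"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95E9BCC0-2E84-4500-8A9C-0B7A96769124}]
'''

# Named REG_SZ lines only ("name"="data"); default (@=) and binary values are skipped.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
def unescape(s):
    return s.replace('\\\\', '\\').replace('\\"', '"')

def parse_reg(text):
    """Yield (key, None, None) for each key header and (key, name, data) for string values."""
    key = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None          # header itself, so empty keys are still visible
        elif key and (m := VALUE_RE.match(line)):
            yield key, unescape(m.group(1)), unescape(m.group(2))

def triage(text):
    """Return one finding per AntivirusTrigger persistence artefact in the export."""
    findings, exe = [], ROGUE_EXE.lower()
    for key, name, data in parse_reg(text):
        k = key.lower()
        if name is None:                   # key header: check for the IE BHO registration
            if "browser helper objects" in k and BHO_CLSID.lower() in k:
                findings.append(f"IE BHO registered: {BHO_CLSID}")
        elif k == RUN_KEY.lower() and data.lower() == exe:
            findings.append(f"autostart: Run\\{name} -> {data}")
        elif k.endswith(FW_LIST.lower()):
            # Firewall list data is path:scope:Enabled|Disabled:display name; the path may contain ':'.
            parts = data.rsplit(":", 3)
            if len(parts) == 4 and parts[0].lower() == exe and parts[2] == "Enabled":
                findings.append(f"firewall exception: {parts[0]} ({parts[3]})")
    return findings
```

Running `triage(SAMPLE_REG)` returns three findings; the benign ctfmon.exe Run entry is parsed but not flagged. The FW_LIST suffix match covers both the ControlSet001 and CurrentControlSet keys listed above.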