Method of Infection
Upon execution, the trojan displays its user interface, titled "Advanced Virus Remover", and then runs a fake scan that reports malware it has not actually found on the system.

During execution, Win32/AdvancedVirusRemover.G also creates shortcut files that link to the trojan executable:
%Documents and Settings%\<Current User>\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk
%Documents and Settings%\<Current User>\Desktop\Advanced Virus Remover.lnk
%Documents and Settings%\<Current User>\Start Menu\Advanced Virus Remover.lnk
The trojan creates the following folder and file, which is a copy of itself:
%Program Files%\AdvancedVirusRemover\PAVRM.exe
The trojan creates the following registry entry to ensure that it runs on every system start up:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Advanced Virus Remover = "%Program Files%\AdvancedVirusRemover\PAVRM.exe"
It creates the following registry entries as part of its installation routine:
HKCU\Software\AVR
LastVFC = "9"
VirList = "5|11|20|12|14|22|12|3|18|17"
LastD = "16"
LastScan = "16.10.2009 13:46"
Note: %Documents and Settings% and %Program Files% are variable locations. The malware determines the locations of these folders by querying the operating system. A typical location for Documents and Settings is C:\Documents and Settings. A typical location for Program Files is C:\Program Files.
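As an added example, not part of the original analysis, the following PowerShell triage script checks a host for the file, shortcut and registry artifacts listed above. It resolves the variable folders by querying the operating system, as the note describes, rather than assuming C:\. Assumptions: it is run as the affected user (the Run value and the AVR key live under HKCU, so every other profile on the machine needs its own check), and the WScript.Shell COM object is used only to show where each .lnk file points.

```powershell
# Added example (not from the original analysis): look for the
# Win32/AdvancedVirusRemover.G artifacts described on this page.
# Run in an elevated PowerShell prompt, as the user whose profile is suspect.

# Resolve the variable locations the way the note describes: ask the OS.
$programFiles = [Environment]::GetFolderPath('ProgramFiles')
$appData      = [Environment]::GetFolderPath('ApplicationData')   # Application Data (XP) / AppData\Roaming (Vista+)
$desktop      = [Environment]::GetFolderPath('Desktop')
$startMenu    = [Environment]::GetFolderPath('StartMenu')

$indicators = @(
    @{ Kind = 'File';     Path = Join-Path $programFiles 'AdvancedVirusRemover\PAVRM.exe' }
    @{ Kind = 'File';     Path = Join-Path $appData 'Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk' }
    @{ Kind = 'File';     Path = Join-Path $desktop 'Advanced Virus Remover.lnk' }
    @{ Kind = 'File';     Path = Join-Path $startMenu 'Advanced Virus Remover.lnk' }
    @{ Kind = 'RegValue'; Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Advanced Virus Remover' }
    @{ Kind = 'RegKey';   Path = 'HKCU:\Software\AVR' }
    @{ Kind = 'Process';  Name = 'PAVRM' }
)

$hits = foreach ($i in $indicators) {
    switch ($i.Kind) {
        'File' {
            if (Test-Path -LiteralPath $i.Path) {
                $f = Get-Item -LiteralPath $i.Path
                # For shortcuts, resolve the target so the analyst can confirm it is PAVRM.exe.
                $target = if ($f.Extension -eq '.lnk') {
                    (New-Object -ComObject WScript.Shell).CreateShortcut($f.FullName).TargetPath
                } else { $null }
                [pscustomobject]@{ Kind = 'File'; Location = $i.Path; Detail = $target }
            }
        }
        'RegValue' {
            # The Run value that gives the trojan persistence across reboots.
            $v = Get-ItemProperty -Path $i.Path -Name $i.Name -ErrorAction SilentlyContinue
            if ($v) {
                [pscustomobject]@{ Kind = 'RunKey'; Location = "$($i.Path)\$($i.Name)"; Detail = $v.($i.Name) }
            }
        }
        'RegKey' {
            # LastVFC / VirList / LastD / LastScan are written by the installation
            # routine; dump whatever values are present under the key.
            if (Test-Path -Path $i.Path) {
                $props  = Get-ItemProperty -Path $i.Path
                $detail = ($props.PSObject.Properties |
                    Where-Object { $_.Name -notlike 'PS*' } |
                    ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
                [pscustomobject]@{ Kind = 'RegKey'; Location = $i.Path; Detail = $detail }
            }
        }
        'Process' {
            # A running copy must be stopped before the file and Run value are removed.
            $p = Get-Process -Name $i.Name -ErrorAction SilentlyContinue
            if ($p) {
                [pscustomobject]@{ Kind = 'Process'; Location = $i.Name; Detail = "PID(s) $($p.Id -join ', ')" }
            }
        }
    }
}

if ($hits) {
    $hits | Format-Table -AutoSize
} else {
    'No Win32/AdvancedVirusRemover.G artifacts found for the current user.'
}
```

If the script reports hits, stop the PAVRM.exe process first, then delete the Run value, the HKCU\Software\AVR key, the PAVRM.exe copy and the three shortcuts; removing the files while the process is still running leaves the Run value pointing at a path that may be recreated. Because every artifact is per-user, repeat the check for each profile on the machine.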
Payload
Displays False Warnings
Win32/AdvancedVirusRemover.G displays fake warnings and a message box informing the user that the system is infected.

It also displays either of the following system tray popup messages.

The trojan displays a notice advising the user of a new database update:

Clicking the "Update Now" button, however, only prompts the user either to enter an activation code or to get a license:

Analysis by Mary Grace Gabriel