Windows Virtual Angel Description

[+] Click Image to Enlarge

• 
• 
• 
• 
• 
• 
• 
• 
• 
• 
• 

Windows Virtual Angel will not bless your computer in any way. In fact, you will quickly wish that Windows Virtual Angel had never entered your computer in the first place. Posing as a legitimate security program, Windows Virtual Angel is actually part of a common online scam. Windows Virtual Angel is part of the FakeVimes family of rogue security programs, a very large group of malware that has been continuously active since 2009. If you are receiving notifications from Windows Virtual Angel, ESG malware analysts strongly advise using a strong anti-malware program to scan your computer and remove Windows Virtual Angel and other malware associated with Windows Virtual Angel. Variants of the Sirefef rootkit, in particular, are often associated with Windows Virtual Angel and other FakeVimes malware infections released in 2012. Clones of Windows Virtual Angel include such fake security programs as Windows Profound Security, Windows Stability Guard and Windows Attacks Defender.

How a Typical Windows Virtual Angel Infection Works

Windows Virtual Angel will usually be installed on your computer through a social engineering approach that either convinces the victim to install Windows Virtual Angel directly or a downloader Trojan disguised as something else (a misleading email attachment, for example). Once installed, Windows Virtual Angel will change your computer’s settings so that Windows Virtual Angel launches automatically whenever Windows starts up. As soon as you log into Windows, Windows Virtual Angel will harass you with a fake malware scan that will invariably indicate that a large number of malware threats are present on your computer. If you try to fix these supposed malware problems with Windows Virtual Angel, all you will get is error messages claiming that you will need to upgrade to an expensive (and useless) ‘full version’ of Windows Virtual Angel. Due to the fact that Windows Virtual Angel has no real anti-malware capabilities, ESG security researchers strongly advise against purchasing this useless, fake security application.

Problems Associated with Windows Virtual Angel

Windows Virtual Angel will use numerous error messages to convince you that you need to ‘upgrade.’ It will also cause your computer to become unstable and behave strangely, reinforcing the lie that you need to upgrade Windows Virtual Angel. This fake security program can block your access to your own files and applications, interfere with legitimate anti-virus programs, cause browser redirects, and cause your operating system to run slowly and crash frequently.

Type: Rogue AntiSpyware Programs

How Can You Detect Windows Virtual Angel?

Windows Virtual Angel Technical Report

As new Windows Virtual Angel details are reported by our customers and findings from our Threat Research Center, we will update this section.

Fake message for Windows Virtual Angel:

The following fake error message(s) appears for Windows Virtual Angel:

Warning
Firewall has blocked a program from accessing
the Internet
Windows XP USER API Clien: DLL
User32.dll
User32.dll is suspended to have infected your PC. This type of virus intercepts entered data and transmits them to a remote server.
Recommended:
Please click “Prevent attack” button to prevent all attacks and protect your PC.

Error
Potential malware detected
It is recommended to activate the protection and perform a
thorough system scan to remove the malware.

Error
Attempt to modify registry key entries detected.
Registry entry analysis is recommended.

‘How Windows Virtual Angel Infects Your Computer’ Video

Windows Virtual Angel Removal Details

Windows Virtual Angel has typically the following processes in memory:

• %AppData%\Protector-[RANDOM CHARACTERS].exe

Windows Virtual Angel creates the following registry entries:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnHTTPSToHTTPRedirect” = 0
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “UID” = “rudbxijemb”
• HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ERROR_PAGE_BYPASS_ZONE_CHECK_FOR_HTTPS_KB954312
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mostat.exe
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpcc.exe
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 0
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “net” = “2012-2-17_2″
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “ID” = 0
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.exe
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tapinstall.exe
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapsetup3001.exe
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegistryTools” = 0
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegedit” = 0
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Inspector”
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp32.exe
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\platin.exe
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashDisp.exe

Important Article Disclaimer