Win 7 Security 2012

By Domesticus in Rogue Anti-Spyware Program

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 21
First Seen: August 9, 2011
Last Seen: November 4, 2019
OS(es) Affected: Windows

Win 7 Security 2012 Image

Win 7 Security 2012 is one of the many different versions that exist of Ppn.exe, a malicious file. New versions of programs related to this file are released every day; all of the different versions of Win 7 Security 2012 are the same program, with a different name and theme. Since the rogue programs have different skins according to the user's operating system, Win 7 Security 2012 can be hard to track by security experts. This defining characteristic has caught the attention of computer security specialists around the world.

Don’t Fall for the Win 7 Security 2012 Scam

Win 7 Security 2012 is a scam. This rogue security program is designed to prey on inexperienced users by making them think that their computer is under attack. It is, but from Win 7 Security 2012. Despite Win 7 Security 2012's authentic sounding name, this program is really a malicious security application that causes all sorts of problems on a user's computer. Win 7 Security 2012 then poses as a real security utility, to convince the computer user to purchase Win 7 Security 2012. Users terrified of losing the information on their computers fall for the scam, giving Win 7 Security 2012 their credit card information. Of course, giving Win 7 Security 2012 your credit card information is useless, since this fake security program is not equipped to stop any kind of infection, and Win 7 Security 2012 is itself an invasive rogue anti-spyware program.

The Defining Feature of Win 7 Security 2012 and the Ppn.exe Process

There are dozens of known versions of the Ppn.exe process, and new ones are discovered every single day. However, unlike previous spyware, these cannot properly be called clones. Instead, they are all the same program downloading different skins corresponding to the infected computer. Ppn.exe changes identities depending on the user's operating system. Win 7 Security 2012 will rarely infect, if ever, a computer running Windows Vista or Windows XP. These systems would be infected by a version of Ppn.exe which is appropriate for that specific operating system. For example, XP Security 2012 for Windows XP, or Vista Security 2012 for Windows Vista.

The Ppn.exe Infiltration and Adaptation Process

Ppn.exe first infiltrates a computer through a Trojan, probably downloaded inadvertently from a dodgy website. This Trojan delivers Ppn.exe into the computer that is being attacked, by displaying a notification that is very similar to the ones displayed by Windows Automatic Update. Most users will simply click on it as they would with any other automatic update. This will start the Win 7 Security 2012 installation process. The program will detect the operating system being used and will then download one of three sets of skins appropriate for that operating system. These three sets of skins correspond to the three main Windows operating systems: Windows XP, Windows Vista, and Windows 7. Each of these sets includes a great number of different possible names and designs to mimic a legitimate anti-spyware application. Ppn.exe will also alter the registry so that Win 7 Security 2012 will be started up along with the operating system. The next time the user starts up Windows, he will be greeted by the Win 7 Security 2012 splash screen. The program will perform a fake scan and return numerous false positive results. Then Win 7 Security 2012 will prompt the user to enter his credit card information.ScreenshotScreenshotScreenshotScreenshotScreenshotScreenshotScreenshotScreenshot


15 security vendors flagged this file as malicious.

Anti-Virus Software Detection
Comodo TrojWare.Win32.Trojan.Agent.Gen
Kaspersky HEUR:Trojan.Win32.Generic
NOD32 a variant of Win32/Kryptik.QUY
Kaspersky Trojan.Win32.FakeAV.ecou
AVG Generic23.CFUB
Ikarus Trojan.Cryptic
GData Win32:Renosa-J
Sophos Mal/FakeAV-MQ
DrWeb Trojan.AVKill.2
BitDefender Trojan.Generic.KD.302340
Kaspersky UDS:DangerousObject.Multi.Generic
Avast Win32:Renosa-J [Wrm]
Symantec Trojan.Gen.2
NOD32 a variant of Win32/Kryptik.QVV
Panda Suspicious file

SpyHunter Detects & Remove Win 7 Security 2012

Win 7 Security 2012 Video

Tip: Turn your sound ON and watch the video in Full Screen mode.

File System Details

Win 7 Security 2012 may create the following file(s):
# File Name MD5 Detections
1. afu.exe e86a084051e4fb393b282858357e6a79 2
2. voh.exe 22fab34f18e5a7e564d4c546b0d4fca4 2
3. kpr.exe 16eea9f8977d11cbd3a3d80fafdef3cb 2
4. uio.exe 953e9170934cfeccb7d4509a70274d4d 1
5. etq.exe 784b903aefb5b895c65b20da699db29c 1
6. guv.exe ccfbc220b145119da810362bee192638 1
7. ugs.exe 3241489ed05497104d196812ea610a8d 1
8. oey.exe c61f2496eb9da3c68d5c7129572be209 1
9. auf.exe 8b7f140ecd9593fee3c86b607afdc8bd 1
10. cil.exe c634de87f21ee489080d2845c83a7566 1
11. fvg.exe 65e061905342551e8bc9ead11c0d17ba 1
12. mbw.exe 1fe4e5893ef9b3b03dbc1bcea96923c4 1
13. xwo.exe 63edc3d8270df5d5da81ffc654a8e9be 1
14. nur.exe 12d802c56e02606be89f0f7807833c83 1
15. %LocalAppData%\ppn.exe
16. %AppData%\Local\[RANDOM CHARACTERS].exe
17. %AppData%\Local\[RANDOM CHARACTERS]
18. %LocalAppData%\U3F7PNVFNCSJK2E86ABFBJ5H
21. %AllUsersProfile%\[RANDOM CHARACTERS]
22. %AppData%\Roaming\Microsoft\Windows\Templates\[RANDOM CHARACTERS]

Registry Details

Win 7 Security 2012 may create the following registry entry or registry entries:
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "IsolatedCommand" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command "IsolatedCommand" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "IsolatedCommand" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command "(Default)" = '"%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[RANDOM CHARACTERS].exe" /START "%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[RANDOM CHARACTERS].exe" /START "%Program Files%\Mozilla Firefox\firefox.exe"'
HKEY_CURRENT_USER\Software\Classes\.exe "(Default)" = 'exefile'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command "(Default)" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile "Content Type" = 'application/x-msdownload'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[RANDOM CHARACTERS].exe" /START "%1" %*'
HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[RANDOM CHARACTERS].exe" /START "%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[RANDOM CHARACTERS].exe" /START "%Program Files%\Mozilla Firefox\firefox.exe" -safe-mode'
HKEY_CURRENT_USER\Software\Classes\.exe "Content Type" = 'application/x-msdownload'
HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon "(Default)" = '%1" = '"%UserProfile%\Local Settings\Application Data\[RANDOM CHARACTERS].exe" /START "%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile "(Default)" = 'Application'
HKEY_CURRENT_USER\Software\Classes\exefile\DefaultIcon "(Default)" = '%1"
HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command "IsolatedCommand" – '"%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[RANDOM CHARACTERS].exe" /START "%Program Files%\Internet Explorer\iexplore.exe"'
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation "TLDUpdates" = '1'


The following messages associated with Win 7 Security 2012 were found:

Critical Warning!
Critical System Warning! Your system is probably infected with a version of Trojan-Spy.HTML.Visafraud.a. This may result in website access passwords being stolen from Internet Explorer, Mozilla Firefox, Outlook etc. Click Yes to scan and remove threats. (recommended)
Security Alert!
Your computer is being attacked from a remote machine !
Block Internet access to your computer to prevent system infection.
System warning!
Continue working in unprotected mode is very dangerous. Viruses can damage your confidential data and work on your computer. Click here to protect your computer.
System warning!
Security Essentials Ultimate Pack software detects programs that may compromise your privacy and harm your systems. It is highly recommended you scan your PC right now. Click here to start.


Most Viewed