XP Internet Security 2012

XP Internet Security 2012 Description

Type: Trojan

ScreenshotXP Internet Security 2012 is one of the many different versions of the malicious file Ppn.exe. XP Internet Security 2012 is a kind of harmful application that infects a user's computer and then spams the user with alert messages and fake system scans. This faker security program will become an annoyance by constantly claiming that the computer is infected with numerous Trojans and other kinds of software infections. XP Internet Security 2012 and fake security programs from the same family will demand the user's credit card information, taking the computer and web browser hostage until the user complies.

How Did XP Internet Security 2012 Get Started?

XP Internet Security 2012 has it's origins in the Russian Federation, a country notorious for harboring many of the world's worst cyber-criminals. XP Internet Security 2012 works very similarly to previous similar harmful software, but has a unique trait that called the attention of security experts everywhere: XP Internet Security 2012 changes its name according to the user's operating system.

How Does XP Internet Security 2012 Adapt to Different Operating Systems?

Ppn.exe is delivered by a Trojan, downloaded unwittingly by the user. The first sign of an infection is a fake notification from Windows Automatic Update. This notification looks almost exactly like the real thing, although close examination is enough to differentiate between the two. However, most users will simply mistake it for a normal Windows Automatic Update and pay no attention. It is at that moment that the Trojan will download one of hundreds of possible names and skins for the program, depending on the user's operating system. There are three main types of these, depending on the operating system. These can be for Windows XP, Windows Vista, and Windows 7. XP Internet Security 2012 is one of the programs from the Windows XP set. The version for Windows Vista would be named something similar to Vista Internet Security 2012 and the version for Windows 7 could be named something like Win 7 Internet Security 2012. These are all the same program, but have different layouts, interfaces, and themes for each user. There are rare cases in which the Trojan will make a mistake and download the wrong skin, resulting in a skin meant for Windows XP on a computer running another operating system.

What to Do in Case of an XP Internet Security 2012 Infection

If your computer is infected with XP Internet Security 2012, you will receive numerous alerts and fake system scans claiming that you have some kind of viral or malware infection. You will also be aggressively prompted to enter your credit card information to buy a supposed license for this program. You should not enter your credit card information, and if you already have, you should contact your bank to block the charges. Don't pay attention to the fake system scans, and under no circumstances should you try to remove the supposedly infected files; this may irreparably damage your system. Use a real anti-spyware or anti-virus application from a reliable source to get rid of your XP Internet Security 2012 infection.ScreenshotScreenshotScreenshotScreenshot

Technical Information

File System Details

XP Internet Security 2012 creates the following file(s):
# File Name Detection Count
1 %UserProfile%Local SettingsApplication DataMSASCui.exe N/A
2 %UserProfile%AppDataLocalpw.exe N/A
3 %UserProfile%Local SettingsApplication Datavz.exe N/A
4 %UserProfile%AppDataLocalMSASCui.exe N/A
5 [RANDOM CHARACTERS].exe N/A
6 %UserProfile%Local SettingsApplication Datapw.exe N/A
7 %UserProfile%AppDataLocalvz.exe N/A
8 %UserProfile%AppDataLocalopRSK N/A
9 %UserProfile%Local SettingsApplication DataopRSK N/A
10 %AllUsersProfile%\Application Data\u3f7pnvfncsjk2e86abfbj5h %LocalAppData%\kdn.exe %LocalAppData%\u3f7pnvfncsjk2e86abfbj5h %Temp%\u3f7pnvfncsjk2e86abfbj5h %UserProfile%\Templates\u3f7pnvfncsjk2e86abfbj5h N/A

Registry Details

XP Internet Security 2012 creates the following registry entry or registry entries:
Registry key
HKEY_CURRENT_USER\Software\XP Internet Security 2012
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation "TLDUpdates" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"'
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\XP Internet Security 2012
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XP Internet Security 2012
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = '1'

More Details on XP Internet Security 2012

The following messages associated with XP Internet Security 2012 were found:
Privacy threat!
Spyware intrusion detected. Your system is infected. System integrity is at risk. Private data can be stolen by third parties, including credit card details and passwords. Click here to perform a security repair.
Stealth intrusion!
Infection detected in the background. Your computer is now attacked by spyware and rogue software. Eliminate the infection safely, perform a security scan and deletion now.
XP Internet Security 2012 Alert
Security Hole Detected!
A program is trying to exploit Windows security holes! Passwords and sensitive data may be stolen. Do you want to block this attack?

Related Posts

Site Disclaimer

Enigmasoftware.com is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their computer with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.