Threat Database Rogue Anti-Spyware Program XP Internet Security Pro 2013

XP Internet Security Pro 2013

Security researchers have received reports of several new variants in the FakeRean family of rogue security software. XP Internet Security Pro 2013 is one of these fake security programs. XP Internet Security Pro 2013 targets computers with the Windows XP operating system. FakeRean's rogue security programs tend to target specific operating systems. XP Internet Security Pro 2013 carries out a common online scam that ESG security researchers have observed hundreds of times before: XP Internet Security Pro 2013 infects a computer and then tries to convince the victim to purchase a fake and expensive upgrade for this fake security program. To convince victims that they need this supposed 'upgrade', XP Internet Security Pro 2013 uses the following tactics:

  1. XP Internet Security Pro 2013 will spam the victim with constant fake system alerts and error messages claiming that the victim's computer has been infected with dangerous Trojans and viruses.
  2. XP Internet Security Pro 2013 makes changes to the Windows Registry that allows XP Internet Security Pro 2013 to start up automatically when the victim logs into Windows. When XP Internet Security Pro 2013 starts up, XP Internet Security Pro 2013 will run a fake system scan that will invariably display dire results.
  3. A computer infected with XP Internet Security Pro 2013 will present several other problems. These include blocked access to files on the infected computer, issues with legitimate security programs, system instability, poor system performance and redirects to unwanted websites when browsing the web.

General Characteristics of XP Internet Security Pro 2013 and Its Many Clones

XP Internet Security Pro 2013 belongs to a batch of rogue security programs that are not difficult to recognize because of their typical naming patterns. These fake security applications will typically use a term that corresponds to the infected computer's operating system ('XP' in this case). Other variants have names like Windows Antivirus 2008, Vista Antivirus 2008, Antivirus Pro 2009, AntiSpy Safeguard, ThinkPoint, Spyware Protection 2010, Internet Antivirus 2011, Palladium Pro, XP Anti-Virus 2011, CleanThis, PC Clean Pro, XP Home Security 2012, Windows Clear Problems, XP Security 2012, Antivirus PRO 2015.

New variants in this family have been released since 2009, meaning that there are clones of XP Internet Security Pro 2013 that end with 2012, 2011, and 2010. Common generic anti-virus names used by these fake security programs include 'Internet protection', 'antivirus' or 'antivirus plus'. It is important to know that, despite the large number of fake security programs in this family and variants of XP Internet Security Pro 2013, there is virtually no difference between one of these fake security applications and another.

File System Details

XP Internet Security Pro 2013 creates the following file(s):
# File Name Detections
1. %CommonApplData%\[RANDOM CHARACTERS_2] N/A
2. %LocalAppData%\[RANDOM CHARACTERS_2] N/A
4. %UserProfile%\Templates\[RANDOM CHARACTERS_2] N/A

Registry Details

XP Internet Security Pro 2013 creates the following registry entry or registry entries:
HKEY_CURRENT_USER\Software\Classes\[RANDOM CHARACTERS_0]\shell\runas
HKEY_CURRENT_USER\Software\Classes\[RANDOM CHARACTERS_0]\shell\open
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command\IsolatedCommand "%1" %*
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command\ "[RANDOM CHARACTERS_1].exe" -a "%1" %*
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command\IsolatedCommand "%1""%*
HKEY_CURRENT_USER\Software\Classes\[RANDOM CHARACTERS_0]\shell\runas\command\IsolatedCommand "%1" %*
HKEY_CURRENT_USER\Software\Classes\[RANDOM CHARACTERS_0]\shell\open\command
HKEY_CURRENT_USER\Software\Classes\[RANDOM CHARACTERS_0]\DefaultIcon\ %1
HKEY_CURRENT_USER\Software\Classes\.exe\Content Type application/x-msdownload
HKEY_CURRENT_USER\Software\Classes\[RANDOM CHARACTERS_0]\shell\runas\command
HKEY_CURRENT_USER\Software\Classes\[RANDOM CHARACTERS_0]\shell\runas\command\ "%1" %*
HKEY_CURRENT_USER\Software\Classes\[RANDOM CHARACTERS_0]\shell\open\command\IsolatedCommand "%1" %*
HKEY_CURRENT_USER\Software\Classes\[RANDOM CHARACTERS_0]\Content Type application/x-msdownload
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command\ "%1" %*
HKEY_CURRENT_USER\Software\Classes\[RANDOM CHARACTERS_0]\ Application
HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon\ %1
HKEY_CURRENT_USER\Software\Classes\[RANDOM CHARACTERS_0]\shell\open\command\ "[RANDOM CHARACTERS_1].exe" -a "%1" %*


Most Viewed