Monday, August 25, 2008

Andromeda AV and AntiVirus PRO 2008 - new Rogue scanners

I helped someone today whose computer had Andromeda AV installed.
According to the user, it was installed automatically. I'm still waiting for some more info on where and/or how it was installed.
Not many hits for this scanner via search engines yet, so I suspected this was a new rogue antivirus, especially after I found the website
andromeda-av. com, where Antivirus PRO 2008 was hosted as well (antiviruspro2008. net).
All these rogues look the same anyway:

For Andromeda AV:
This one installs as a service called AndromedaAVService (system32\AndromedaAv.exe) and a driver called AndromedaAvDrv (system32\drivers\winav.sys). Those two names are the quickest thing to check for in the service list or under HKLM\SYSTEM\CurrentControlSet\Services.

The interesting part is that it creates some extra files in the system32 and dllcache folders (actually renamed copies of Microsoft files) and afterwards "detects" those renamed copies as infected.
For example, rproxycfg.exe is the legitimate proxycfg.exe, hiissuba.dll is the legitimate issuba.dll, vcliconfg.dll is the legitimate cliconfg.dll, etc.
It doesn't alter the original files, it only adds renamed copies of them. Since the copies are unmodified, a "detected" file that hashes identically to the legitimately named file next to it gives the trick away.
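The renamed-copy trick above generalizes to a simple check: hash every file in a folder such as system32 or dllcache, and look for identical content sitting under more than one name. The script below is an added example written for this post, not code from the rogue or from any tool mentioned here; it builds a constructed fake system32 directory (the file contents are made up, only the filenames come from the post) and flags the planted copies, guessing the legitimate name as the one the longer name ends with (rproxycfg.exe -> proxycfg.exe).

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_renamed_copies(directory):
    """Group the files in `directory` by content hash.

    Returns {hash: sorted filenames} only for content present under
    more than one name, i.e. candidate renamed copies.
    """
    by_hash = defaultdict(list)
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            by_hash[sha256_file(path)].append(name)
    return {h: sorted(names) for h, names in by_hash.items() if len(names) > 1}


def guess_original(names):
    """Within one group of identical files, guess which name is the legitimate one.

    Heuristic from the post: the rogue prefixes letters to the real name
    (rproxycfg.exe, hiissuba.dll, vcliconfg.dll), so the original is the
    name that every other name in the group ends with.
    Returns (original, [copies]) or (None, names) if no name qualifies.
    """
    for cand in names:
        others = [n for n in names if n != cand]
        if all(n.lower().endswith(cand.lower()) for n in others):
            return cand, others
    return None, list(names)


def report(directory):
    """List (original, copies) for every duplicate-content group in `directory`."""
    out = [guess_original(names) for names in find_renamed_copies(directory).values()]
    return sorted(out, key=lambda t: (t[0] or "", tuple(t[1])))


def build_sample_dir():
    """Constructed sample (not real system files): a fake system32 with two
    renamed copies, as described in the post, plus one unrelated file."""
    d = tempfile.mkdtemp(prefix="fake_system32_")
    files = {
        "proxycfg.exe": b"MZ-proxycfg-original-bytes",
        "rproxycfg.exe": b"MZ-proxycfg-original-bytes",  # renamed copy
        "cliconfg.dll": b"MZ-cliconfg-original-bytes",
        "vcliconfg.dll": b"MZ-cliconfg-original-bytes",  # renamed copy
        "kernel32.dll": b"MZ-unique-bytes",               # no duplicate, stays quiet
    }
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for original, copies in report(sample):
        print(f"{original or '?'} <- renamed copies: {', '.join(copies)}")
```

Run `report()` against system32 and dllcache separately rather than the two together, since dllcache legitimately mirrors system32. Treat hits as leads, not verdicts: a duplicate under a name the scanner is "detecting" is the pattern described here, while a duplicate Windows itself ships is not.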

Andromeda AntiVirus installed on a clean system (XP Pro):

Threatexpert report here.
