
XP Home Security 2012

Posted: June 9, 2011

Threat Metric

Threat Level: 10/10
Infected PCs: 61
First Seen: June 9, 2011
OS(es) Affected: Windows

XP Home Security 2012 looks like an anti-virus and general security program, but it is actually a threat that can only warn you about infections that don't exist. Besides creating these fake warnings, XP Home Security 2012 may also prevent you from using certain programs or take over your web browser to control which websites you can visit. XP Home Security 2012 can be removed with real security software once you have bypassed its automatic startup routine by booting into Safe Mode or using similar anti-malware tactics.

XP Home Security 2012 – Not Just a Threat to Windows XP

XP Home Security 2012 pretends to be a unique and individual anti-malware program, but it is really a threat that's identical to other rogue security programs like Antivirus 2008 Pro, Antivirus XP 2008, Windows Antivirus 2008, Vista Antivirus 2008, PC Clean Pro, Antivirus Pro 2009, Rogue.Vista Antivirus 2008, AntiSpy Safeguard, ThinkPoint, Spyware Protection 2010, Internet Antivirus 2011, Palladium Pro, XP Anti-Virus 2011, CleanThis, XP Security 2012 and AntiVirus PRO 2015. Like most rogue security applications from the FakeRean family, XP Home Security 2012 relies on fake pop-ups and misleading system scan simulations to make you believe that your PC is under attack by many threats.

However, the threats that XP Home Security 2012 detects aren't real; they are generated from semi-random warning lists, with examples like the following:

System warning!
Continue working in unprotected mode is very dangerous. Viruses can damage your confidential data and work on your computer. Click here to protect your computer.

System warning!
Security Essentials Ultimate Pack software detects programs that may compromise your privacy and harm your systems. It is highly recommended you scan your PC right now. Click here to start.

Security Alert!
Your computer is being attacked from a remote machine!
Block Internet access to your computer to prevent system infection.

Critical Warning!
Critical System Warning! Your system is probably infected with a version of Trojan-Spy.HTML.Visafraud.a. This may result in website access passwords being stolen from Internet Explorer, Mozilla Firefox, Outlook etc. Click Yes to scan and remove threats. (recommended)

If you try to detect these threats with other anti-malware programs, you'll notice that they do not show up. However, you may still experience malfunctions with programs that XP Home Security 2012 claims are infected. This is purely due to XP Home Security 2012 blocking you from using the program. In many cases, renaming the program file to a generic name like 'explorer.exe' or 'iexplore.exe' will bypass XP Home Security 2012's program block list.

XP Home Security 2012's Browser-Based Warfare

In addition to blocking programs and faking anti-virus functions, XP Home Security 2012 may also engage in browser hijack attacks. These attacks can:

  • Change your browser settings. Any attempts to revert these changes will fail unless you also remove XP Home Security 2012. The most obvious change that you may see is your homepage being set to an unfamiliar and potentially malicious website.
  • Create advertisements. XP Home Security 2012 advertisements may be limited to audio, or they may encompass pop-ups and other visual displays. Since XP Home Security 2012 can run in the form of a hidden memory process, these advertisements may appear even if you think that your web browser is closed.
  • Create fake 'dangerous website' warnings and other errors that prevent you from visiting certain websites. XP Home Security 2012 and similar rogue security programs will use these fake errors to redirect you away from security-oriented sites while making you think that this is a security measure.
  • XP Home Security 2012 may also use other means to redirect you towards malicious websites that can steal your credit card number and other sensitive information. To prevent these attacks from happening, you can switch to Safe Mode, which will stop XP Home Security 2012's automatic startup.

Once XP Home Security 2012 isn't active, deleting XP Home Security 2012 by using suitable security programs should prove to be a simple task. Since XP Home Security 2012 is a new threat as of June 2011, it's advised that you update threat definitions for your software before launching a scan for XP Home Security 2012.

File System Modifications

  • The following files were created in the system:
    1. %AllUsersProfile%\Application Data\u3f7pnvfncsjk2e86abfbj5h
    2. %Documents and Settings%\[UserName]\Local Settings\Application Data\[RANDOM CHARACTERS]
    3. %Documents and Settings%\[UserName]\Local Settings\Application Data\[RANDOM CHARACTERS].exe
    4. %Documents and Settings%\[UserName]\Local Settings\Temp\[RANDOM CHARACTERS]
    5. %Documents and Settings%\[UserName]\Templates\[RANDOM CHARACTERS]
    6. %Documents and Settings%\All Users\Application Data\[RANDOM CHARACTERS]
    7. %LocalAppData%\kdn.exe
    8. %LocalAppData%\u3f7pnvfncsjk2e86abfbj5h
    9. %Temp%\u3f7pnvfncsjk2e86abfbj5h
    10. %UserProfile%\Templates\u3f7pnvfncsjk2e86abfbj5h

Registry Modifications

  • The following newly produced Registry Values are:

    Subkeys:
    HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = '"%Documents and Settings%\[UserName]\Local Settings\Application Data\[RANDOM CHARACTERS].exe" -a "%1" %*'
    HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%Documents and Settings%\[UserName]\Local Settings\Application Data\[RANDOM CHARACTERS].exe" -a "%1" %*'
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%Documents and Settings%\[UserName]\Local Settings\Application Data\[random].exe" -a "%Program Files%\Mozilla Firefox\firefox.exe"'
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%Documents and Settings%\[UserName]\Local Settings\Application Data\[random].exe" -a "%Program Files%\Mozilla Firefox\firefox.exe" -safe-mode'
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%Documents and Settings%\[UserName]\Local Settings\Application Data\[random].exe" -a "%Program Files%\Internet Explorer\iexplore.exe"'
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = '1'
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = '1'
    HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation "TLDUpdates" = '1'

    Registry keys:
    HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%Documents and Settings%\[UserName]\Local Settings\Application Data\[RANDOM CHARACTERS].exe" -a "%1" %*'
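The registry changes above are the part of this infection a responder can verify directly: the .exe and exefile association commands are rewritten so that every program launch passes through the rogue's binary, the Start Menu browser launchers are rerouted the same way, and the Security Center override values silence the missing anti-virus and firewall notices. The following is an added example, not code from this page or its publisher: a small Python triage script that reads a .reg export (for instance one taken from a suspect machine with the Registry Editor) and flags those three patterns. It assumes the stock Windows default of "%1" %* for the .exe and exefile open commands, and the export it parses is constructed to mirror the values listed above, with the Internet Explorer launcher and the HKEY_CLASSES_ROOT\.exe entry left clean as controls.

```python
"""Triage a Windows Registry export (.reg) for the tampering this page lists:
the .exe / exefile association hijack, browser launchers rerouted through the
rogue's binary, and the Security Center AntiVirusOverride / FirewallOverride
flags. Added example; not code from the page or its publisher."""
import re

# Assumption: the stock Windows default for .exe and exefile shell\open\command.
CLEAN_EXE_COMMAND = '"%1" %*'

# Constructed .reg export mirroring the page's values (placeholder tokens such as
# [UserName] and [RANDOM CHARACTERS] kept exactly as the page gives them). The
# IEXPLORE.EXE launcher and the HKCR\.exe entry are clean controls.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"%Documents and Settings%\\[UserName]\\Local Settings\\Application Data\\[RANDOM CHARACTERS].exe\" -a \"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"%Documents and Settings%\\[UserName]\\Local Settings\\Application Data\\[RANDOM CHARACTERS].exe\" -a \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="\"%Documents and Settings%\\[UserName]\\Local Settings\\Application Data\\[random].exe\" -a \"%Program Files%\\Mozilla Firefox\\firefox.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000000

[HKEY_CLASSES_ROOT\.exe\shell\open\command]
@="\"%1\" %*"
'''

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
_BROWSER_RE = re.compile(r'\\clients\\startmenuinternet\\([^\\]+)\\shell\\[^\\]+\\command$')


def unescape_reg(s):
    # .reg string escaping: a backslash escapes the next character (\\ and \").
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Parse a minimal .reg export into {key: {value_name: data}}.
    REG_SZ data is unescaped; other types (dword:..., hex:...) stay raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((';', 'Windows Registry Editor')):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = '(Default)' if m.group(1) == '@' else unescape_reg(m.group(1)[1:-1])
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = unescape_reg(data[1:-1])
        keys[current][name] = data
    return keys


def first_program(command):
    """Lower-cased basename of the executable a shell command launches first."""
    m = re.match(r'\s*"([^"]*)"', command)
    path = m.group(1) if m else command.split(' ', 1)[0]
    return path.rsplit('\\', 1)[-1].lower()


def find_indicators(keys):
    """Return (indicator, key, detail) tuples for the page's three tamper patterns."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        default = values.get('(Default)', '')
        # 1. Every .exe launched through the rogue: association command is not "%1" %*
        if k.endswith((r'\.exe\shell\open\command', r'\exefile\shell\open\command')):
            if default != CLEAN_EXE_COMMAND:
                findings.append(('exe-association-hijack', key, default))
        # 2. Start Menu browser launcher whose first program is not the browser
        #    named in the key path (FIREFOX.EXE, IEXPLORE.EXE, ...)
        m = _BROWSER_RE.search(k)
        if m and default and first_program(default) != m.group(1):
            findings.append(('browser-launch-proxied', key, default))
        # 3. Security Center told to stop reporting missing anti-virus / firewall
        if k.endswith(r'\microsoft\security center'):
            for name, data in values.items():
                if (name.lower() in ('antivirusoverride', 'firewalloverride')
                        and data.lower() in ('dword:00000001', '1')):
                    findings.append(('security-center-override', key, name))
    return findings


def triage(reg_text):
    """Parse a .reg export and return its indicator findings."""
    return find_indicators(parse_reg(reg_text))


if __name__ == '__main__':
    for kind, key, detail in triage(SAMPLE_REG):
        print(f'{kind:25} {key}\n{"":25} {detail}')
```

Run against the constructed export, the script reports the two hijacked association commands, the rerouted Firefox launcher and the two Security Center overrides, and stays silent on the two clean controls. Checking the browser launcher against the browser named in the key path, rather than against a fixed install path, is what keeps the check valid for per-user installs and for the safemode command variant the page also lists.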
