Internet Security 2012 Virus
This Rogue Antivirus malware surfaced in 2011 and is more aggressive than predecessors such as the older A-Fast Antivirus Scam. It is particularly dangerous because it can install automatically and infect the computer even in Mozilla Firefox; as always, Microsoft Internet Explorer is the most susceptible to this type of malware.
Those most at risk are individuals doing internet searches and clicking links to unknown sites, whether information searches or image searches. As always, those seeking pornography are the most likely to encounter this malware; however, ordinary clipart searches on Google Images and other everyday user searches are also turning it up.
There are variants. The first incarnations of this Rogue Antivirus were less aggressive in that the user had to click a fake button or link to install the virus. The most recent variants install automatically, override Windows Security Center, and cripple the operating system by diverting the .exe (executable) file type association. The common browsers, including Microsoft Internet Explorer, Mozilla Firefox, and Google Chrome, are all hijacked. The user cannot run common executables, such as the Windows Registry Editor or System Restore, and the web browsers are unable to navigate to web sites. The level of infiltration depends on the variant and how the user responds.
Internet Security 2012 is only one of the names this rogue uses; it is a name-changing rogue. Some of the known variants are listed here:
XP Antispyware 2012, Vista Antispyware 2012, Win 7 Antispyware 2012, XP Antivirus 2012, Vista Antivirus 2012, Win 7 Antivirus 2012
XP Security 2012, Vista Security 2012, Win 7 Security 2012, XP Home Security 2012, Vista Home Security 2012, Win 7 Home Security 2012, XP Internet Security 2012, Vista Internet Security 2012, Win 7 Internet Security 2012
This rogue was first spotted in 2010, and as of the end of 2011 there were over 60 reported variants.
Pathology
You will find the rogue process executable deposited in the following path:
C:\Documents and Settings\<username>\Local Settings\Application Data\
There is typically a single executable; its name is inconsistent but tends to be three characters before the extension. Examples:
kjm.exe mdm.exe
Registry keys impacted
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"'
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation "TLDUpdates" = '1'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_CURRENT_USER\Software\XP Internet Security 2012
HKEY_LOCAL_MACHINE\SOFTWARE\XP Internet Security 2012
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XP Internet Security 2012
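Added here as an illustration, not part of the original page: a small Python checker that reads registry values written in the notation of the list above and flags the footprint this page describes (a hijacked .exe association, Security Center override flags, browser launch commands redirected through %LocalAppData%, and keys named after the rogue). The parser, the sample entries and the rule names are constructed for the example; a clean default .exe association is included to show it is not flagged.

```python
import re

# Registry entries in the notation used above:  KEY "name" = 'data', or a bare KEY.
ENTRY_RE = re.compile(r"""^(?P<key>HKEY_[^"]+?)(?:\s+"(?P<name>[^"]*)"\s*=\s*'(?P<data>.*)')?$""")

# Constructed sample: hijacked commands, override flags, a rogue-named key, and
# one clean default .exe association (last line) that must NOT be flagged.
SAMPLE = r"""
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\XP Internet Security 2012
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%1" %*'
"""

# Name fragments shared by the variants listed on this page.
ROGUE_NAMES = ("antispyware 2012", "antivirus 2012", "security 2012")

def parse(text):
    """Yield (key, name, data) triples; name/data are None for a bare key line."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("key"), m.group("name"), m.group("data")

def launched_program(data):
    # First program in a command string, whether quoted or not.
    return data.split('"')[1] if data.startswith('"') else data.split()[0]

def findings(text):
    """Return (key, reason) pairs for entries matching the rogue's footprint."""
    out = []
    for key, name, data in parse(text):
        k = key.lower()
        if data is None:
            # Rogue-named keys (per-user, machine-wide, or the Uninstall entry).
            if any(n in k for n in ROGUE_NAMES):
                out.append((key, "key named after a known rogue variant"))
        elif k.endswith(r"\shell\open\command") and (r"\.exe" in k or r"\exefile" in k):
            # The .exe association must be exactly '"%1" %*'; anything placed in
            # front of it runs before every executable the user starts.
            if data.strip() != '"%1" %*':
                out.append((key, "exe association hijacked by " + launched_program(data)))
        elif k.endswith(r"\security center") and name in ("FirewallOverride", "AntiVirusOverride"):
            # Override flags silence the firewall / antivirus warnings.
            if data.strip() == "1":
                out.append((key, name + " = 1"))
        elif "\\startmenuinternet\\" in k and k.endswith(r"\command"):
            # Browser launch commands should not pass through %LocalAppData%.
            if "%localappdata%" in data.lower():
                out.append((key, "browser launch redirected through " + launched_program(data)))
    return out
```

Running `findings(SAMPLE)` reports five entries and leaves the clean exefile association alone.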