RedCrossAntivirus carries out the following actions:
- When it is run, it connects to the website http://85.23<blocked>1.174/inst.php?id= and the program starts its installation.
- The following images belong to the installation process:
- The installation begins:
- The license agreement:
- Installation finished:
- Once it is installed, it displays a warning message to remind users that their computer is not protected and that the antivirus program is a trial version:

- If users click on the message, the antivirus program starts loading, as can be seen in the following image:

- Once loaded, it starts scanning the system in search of possible malware:

- The results of the scan show that infected files have been detected on the computer.
- If users decide to remove them, they will be redirected to the website where the fake antivirus program can be purchased.

Infection strategy
RedCrossAntivirus creates the following files:
- ANTISPY.EXE in the folder Application Data of the Documents and Settings directory of the user that has logged in.
- LSDKASJ.BAT, in the folder Local Settings\Temp of the Documents and Settings directory of the user that has logged in.
RedCrossAntivirus creates the following entries in the Windows Registry:
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = C:\Documents and Settings\Application Data\%username%\antispy.exe
where %username% is the username of the user that has logged in.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
tmp
By creating these entries, RedCrossAntivirus ensures that it is run whenever Windows is started.
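
As an added example (not part of the original description), the following Python code checks saved `reg query` output for the two registry entries listed above. The sample output, the username alice and the data of the tmp value are constructed, and the function names are hypothetical; it also assumes that any per-user Shell value other than explorer.exe deserves review.

```python
import re

# Keys, value names and file names below come from the description above.
WINLOGON = r"hkey_current_user\software\microsoft\windows nt\currentversion\winlogon"
RUN = r"hkey_current_user\software\microsoft\windows\currentversion\run"
DROPPED_FILES = ("antispy.exe", "lsdkasj.bat")

# Constructed sample of `reg query` output; "alice" and the tmp data are placeholders.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    C:\Documents and Settings\Application Data\alice\antispy.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    tmp    REG_SZ    PLACEHOLDER-data-not-given-on-the-page
"""

def parse_reg_query(text):
    """Parse `reg query` output into {key: {value_name: data}}, lower-casing names."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip().lower(), {})
        elif current is not None and line.startswith("    "):
            # Value lines are "    name    TYPE    data", separated by four spaces.
            parts = re.split(r" {4}", line.strip(), maxsplit=2)
            if len(parts) >= 2:
                current[parts[0].lower()] = parts[2] if len(parts) == 3 else ""
    return keys

def find_indicators(text):
    """Return (key, value_name, data) for entries matching the persistence described."""
    keys, hits = parse_reg_query(text), []
    shell = keys.get(WINLOGON, {}).get("shell")
    # Assumption: a per-user Shell value other than explorer.exe is worth reviewing.
    if shell is not None and shell.strip().lower() != "explorer.exe":
        hits.append((WINLOGON, "shell", shell))
    for name, data in keys.get(RUN, {}).items():
        # The page names the Run value "tmp" but does not give its data.
        if name == "tmp" or any(f in data.lower() for f in DROPPED_FILES):
            hits.append((RUN, name, data))
    return hits

if __name__ == "__main__":
    for key, name, data in find_indicators(SAMPLE):
        print(f"{key} :: {name} = {data}")
```
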
Means of transmission
RedCrossAntivirus can reach the computer when the user accesses certain websites that display banners or pop-up windows leading to the download of this program. It can also reach the computer through a link received via spam messages, fraudulent websites, etc.
