Internet Defender

Found: 2011-03-01
Description: 

Win32.FraudTool.InternetDefender is a rogue anti-spyware application. It may give exaggerated threat reports on the compromised computer and then ask the user to purchase a registered version to remove the reported threats.

Known system changes: 

Files
c:\Documents and Settings\All Users\Application Data\3f349f15-b32a-4798-afc7-56dc972584d3_.mkv
c:\Documents and Settings\All Users\Application Data\3f349f15-b32a-4798-afc7-56dc972584d3_35.avi
c:\Documents and Settings\All Users\Application Data\3f349f15-b32a-4798-afc7-56dc972584d3_35.ico
c:\Documents and Settings\<USER ACCOUNT>\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Defender.lnk
c:\Program Files\Internet Defender\Internet Defender.dll
c:\Temp\DmQPH2nB.dll
c:\Temp\wrk28.tmp

Folders
c:\Program Files\Internet Defender

Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "3f349f15-b32a-4798-afc7-56dc972584d3_35"
    Data: "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\All Users\Application Data\3f349f15-b32a-4798-afc7-56dc972584d3_35.avi", DllUnregisterServer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\WINDOWS\system32\rundll32.exe"
    Data: C:\WINDOWS\system32\rundll32.exe:*:Enabled:Internet Defender
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\WINDOWS\system32\rundll32.exe"
    Data: C:\WINDOWS\system32\rundll32.exe:*:Enabled:Internet Defender