print version

2012 Name Changing Rogue

5th January 2012 

A Rogue Of Many Disguises

What is the difference between Win 7 Antispyware 2012 and Win 7 Home Security 2012?  How about between Vista Security 2012 and Vista Antivirus 2012?  Not a thing.  Each of these is simply another name for the same rogue antivirus program.  While virtually all rogue programs share the same major characteristics, these programs are indistinguishable from each other. They have the same interfaces, the same warnings, and the same popups.  They use the same tactics, techniques, and tools to convince users to purchase the ultimately useless software.

What is the 2012 Name Changing Rogue?

This name-shifter has a number of aliases:

• Antispyware 2012 
• Antivirus 2012 
• Security 2012 
• Home Security 2012 
• Internet Security 2012 

There are versions for XP, Vista, and Windows 7 (so, for instance, if you are running Windows 7, the full name of the rogue will be Win 7 Antispyware 2012 whereas it would be XP Antispyware 2012 if you had the XP OS.  Again, while the names differ, this is a single rogue program that shares the same goal as all the other rogue antispyware programs in existence: to create the illusion of security threats and then offer the users an ultimately worthless “solution.”

One incarnation of online fraud - The 2012 Name Changing Rogue

Hallmarks of the 2012 Name Changing Rogue

In general, Win 7 Antispyware 2012 et al behave in ways that are characteristic to most rogue antivirus programs.  They need to convince the user that there are security threats and to do this, they begin flooding the system with popup warnings and false security scan results windows.  The goal is to create a sense of urgency.  To this end, popups are typically worded as follows:

System Hijack!

System security threat was detected.  Viruses and/or spyware may be damaging your system now.  Prevent infection and data loss or stealing by running a free security scan.

Stealth intrusion!

Infection detected in the background.  Your computer is now attacked by spyware and rogue software.  Eliminate the infection safely, perform a security scan and deletion now.

XP Antispyware 2012 Alert

Security Hole Detected!

A program is trying to exploit Windows security holes!  Passwords and sensitive data may be stolen.  Do you want to block this attack.

Another staple in rogue strategy is the use of false security scans.  We have all seen legitimate programs scan our computers and alert us to possible risks.  The 2012 Name Changing Rogue is designed to mimic these scans.  You will see a window that looks very much like one that Windows might issue.

It features the distinctive light blue color scheme, as well as a shield symbol with the familiar red, green, blue, and yellow quadrants. At the top left will be the name of the rogue program and “Unregistered Version.” The popup looks enough like a legitimate scan that it is possible to glance at it and agree to “Activate your copy right now and get full-time protection.”  This is exactly what the developers want.

Win Home Security 2012, or the specific name it is running as, is also able to hijack your browser to prevent you from visiting certain websites, particularly those offering security products or rogue antivirus removal help.  When you attempt to navigate to such a site, you will see a fake firewall with a message like the following:

Vista Security 2012 Alert [or another of the aliases]

Internet Explorer alert.  Visiting this site may pose a security threat to your system!

Possible reasons include:

-Dangerous code found in this site’s pages which installed unwanted software into your system.

-Suspicious and potentially unsafe network activity detected.

-Spyware infections in your system.

-Complaints from other users about this site.

-Port and system scans performed by the site being visited.

Things you can do:

-Get a copy of Vista Security 2012 to safeguard your PC while surfing the web (RECOMMENDED)

-Run a spyware, virus and malware scan

-Continue surfing without any security measures (DANGEROUS)

While these messages are false, the Name Changing Rogue can make it difficult to navigate freely and visit the sites you want to.  If left in your system, the rogue spyware program can exploit security vulnerabilities and allow other forms of malware to enter.  It can also cause your computer to become slower and less stable.

Mode of Entry

The Name Changing Rogue gains access in one of two ways:

• Fake online antivirus scanners.  A popup window posing as an antivirus scanner appears and indicates that your computer is infected. It prompts you to download the scanner in order to resolve the threats.  If users do so, it allows the program to become installed in their systems.
• Vulnerable browsing activities.  While adult sites have traditionally been a favorite target for Trojans and malware, they are far from the only vulnerable sites online.  Those with gaming, pirated, P2P, freeware, and trending content are also at risk.  Clicking on a link, opening an image, downloading a video, or clicking on a banner or ad can allow Trojans carrying malware to enter your system.  Once there, it can deposit rogues like Win 7 Antivirus 2012 or one of its incarnations.

Once there, users will notice the signs of a rogue. Some opt to purchase the “protection” of the rogue, but remember that these programs are unable to provide security for your system.

Removing the 2012 Name Changing Rogue

Regardless of how the rogue accessed your machine, it is important to take immediate steps to remove it.  Rogue antispyware applications are designed to evade basic detection and removal efforts, so simply Uninstalling will not work.  Likewise, because they are not classified as viruses and because they alter your security settings, your standard antivirus software is unlikely to be of help.  There are two removal methods users can pursue:

• Automatic removal with Malwarebytes Anti-Malware (Malwarebytes has free malware removal) or PC Tools' Spyware Doctor.  These programs are specially designed to handle rogue applications and will safe, quickly, and effectively remove all traces of the Name Changing Rogue.  This is recommended for everyone, especially those without a great deal of technical experience.  
• Manual removal is more difficult because you can erroneously delete necessary files and impair performance and/or fail to remove the entire rogue, which allows it to re-launch.  If you have experience with your system registry, the following instructions will help you remove the 2012 Name Changing Rogue.  Please feel free to contact us if you need help along the way.

* Note: instructions are given for Win 7 Antispyware 2012.  Specific files may be named differently for other versions.

Stop Processes:

[random].exe (the rogue creates files with 3 letter names, such as xzy.exe)

Remove Registry Entries:

HKEY_CURRENT_USER\Software\Classes\.exe “(Default)” = ‘exefile’

HKEY_CURRENT_USER\Software\Classes\.exe “Content Type” = ‘application/x-msdownload’

HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon “(Default)” = ‘%1? = ‘”%UserProfile%\Local Settings\Application Data\[random].exe” /START “%1? %*’

HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command “IsolatedCommand” = ‘”%1? %*’

HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command “(Default)” = ‘”%1? %*’

HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command “IsolatedCommand” = ‘”%1? %*’

HKEY_CURRENT_USER\Software\Classes\exefile “(Default)” = ‘Application’

HKEY_CURRENT_USER\Software\Classes\exefile “Content Type” = ‘application/x-msdownload’

HKEY_CURRENT_USER\Software\Classes\exefile\DefaultIcon “(Default)” = ‘%1?

HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command “(Default)” = ‘”%UserProfile%\Local Settings\Application Data\[random].exe” /START “%1? %*’

HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command “IsolatedCommand” = ‘”%1? %*’

HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command “(Default)” = ‘”%1? %*’

HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command “IsolatedCommand” – ‘”%1? %*’

HKEY_CLASSES_ROOT\.exe\shell\open\command “(Default)” = ‘”%UserProfile%\Local Settings\Application Data\[random].exe” /START “%1? %*’

HKEY_CLASSES_ROOT\exefile\shell\open\command “(Default)” = ‘”%UserProfile%\Local Settings\Application Data\[random].exe” /START “%1? %*’

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command “(Default)” = ‘”%UserProfile%\Local Settings\Application Data\[random].exe” /START “%Program Files%\Mozilla Firefox\firefox.exe”‘

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command “(Default)” = ‘”%UserProfile%\Local Settings\Application Data\[random].exe” /START “%Program Files%\Mozilla Firefox\firefox.exe” -safe-mode’

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command “(Default)” = ‘”%UserProfile%\Local Settings\Application Data\[random].exe” /START “%Program Files%\Internet Explorer\iexplore.exe”‘

Delete Files:

Windows 7 and Vista

%AllUsersProfile%\[random]

%AppData%\Local\[random].exe

%AppData%\Local\[random]

%AppData%\Roaming\Microsoft\Windows\Templates\[random]

%Temp%\[random]

Windows XP

%AllUsersProfile%\Application Data\[random]

%LocalAppData%\[random].exe

%LocalAppData%\[random]

%UserProfile%\Templates\[random]

%Temp%\[random]

 to top