
BitDefender 2011

Posted: April 20, 2011

Although BitDefender 2011 is the name of a legitimate security application, the title of BitDefender 2011 is also used by a rogue security product that hopes to trade on the good name of BitDefender. The rogue threat known as BitDefender 2011 looks noticeably different from the true BitDefender 2011 and can easily be identified as a threat by the system problems it causes. Attacks by BitDefender 2011 can consist of browser hijacks that redirect you to malicious websites, blocked downloads or program usage, fake error popups and highly inaccurate system scans. You should remove this fake BitDefender 2011 from your PC as soon as possible by using your choice of genuine anti-malware software.

Don't Mistake a Fake BitDefender 2011 for the Real Product

Although the rogue program calling itself BitDefender 2011 uses the same name as a legitimate product, it has nothing in common with this legitimate name brand. In fact, BitDefender 2011 is a clone of other known rogue threats in the Antivir family, such as Antivir Solution Pro, Antivir Solution Plus, AVG Antivirus 2011 and E-Set Antivirus 2011.

Each of these rogue programs, including BitDefender 2011, is designed to create fake system alerts and other misleading information to suggest a heavy presence of infections and other system problems. BitDefender 2011 then uses this as a stepping stone to trick you into purchasing a registration key, but even the registered version of the rogue calling itself BitDefender 2011 will only bring harm to your PC.

Here are some of the fake errors you may see when using a BitDefender 2011-infected computer:

Warning! Identity theft attempt detected!
Attacker IP: [random IP address]
Attack Target: Microsoft Corp. Keys
Description: Remote host tries to get access to your personal information.

Windows Security Alert
Windows reports that computer is infected. Antivirus software helps to protect your computer against viruses and other security threats. Click here for the scan your computer. Your system might be at risk now.

Warning!
Virtumonde is an adware program that tends to monitor your Internet browsing habits and may display targeted advertisements onto your computer screen. Virtumonde may also create a malicious DLL file in order to log your keystrokes and send the recorded information to a third party website. Virtumonde is an unwanted application and recommended to be removed.

Antivirus software alert
Infiltration alert
Your computer is being attacked by an Internet virus. It could be password-stealing attack, a trojan-dropper or similar.

Warning! New virus detected!
Threat Detected: Keylogger.iSnake.Pro
Infected File: C:\WINDOWS\system32\asr_ldm.exe

Since BitDefender 2011 can't detect infections, attempting to follow its advice and take action against supposedly infected files can result in damage to your computer. You should also be alert for BitDefender 2011's attempts to make you purchase a registration key – doing this endangers your credit card and has you spending your money on a fake product with no useful features.

Defending Yourself from BitDefender 2011

You can distinguish the rogue version of BitDefender 2011 from the real BitDefender 2011 by a cursory inspection of the interface. The fake BitDefender 2011 prominently displays its 'trial version' status alongside several of its faked security functions as well as in a yellow bar below the main interface. Other visual differences include the main screen's primarily white interface (as opposed to the predominantly blue look of the real BitDefender 2011) and the different features in the menu - the rogue program called BitDefender 2011 offers Anti-Virus, Anti-Spyware, Resident Shield, Setting, Support, and License icons, while the real program shows completely different options.

BitDefender 2011 has also developed a reputation for the same attacks that its rogue threat ancestors have used:

  • BitDefender 2011 can shut down applications, often with the following message:

    Warning! Active Virus Detected!
    Threat Detected: Backdoor.Poison.BQA
    Infected file: [application file being blocked]
    Action taken: Application Blocked
    Description: This backdoor arrives as attachment to email messages spammed by another malware or malicious user. This is a backdoor component of the Darkmoon RAT (Remote Administration Tool), via this backdoor hackers attempt to control your PC.

  • BitDefender 2011 will run without requesting your permission whenever you start your computer.
  • BitDefender 2011 may create audio advertisements or popups; common advertisements known to be used by the BitDefender 2011 family of rogue programs often try to convince the user that they have won a contest or some other free prize through a 'Congratulations, you have won...' message.
  • BitDefender 2011 may hijack your web browser, preventing you from accessing non-malicious websites by displaying the below warning:

    About Internet Explorer Emergency Mode
    Your PC is infected with malicious software and browse couldn't be launched

    You may use Internet Explorer in Emergency mode - internal service browser of Microsoft Windows system with limited usability.

    Notice: Some sites refuse connection with Internet Explorer in Emergency Mode. In such case system warning page will be showed to you.

These attacks will persist as long as you avoid deleting BitDefender 2011 from your PC. Even if you avoid significant interaction with BitDefender 2011 itself, the risk of other malware attacks caused by exposure to potentially dangerous popups and risky websites creates a highly unsafe environment for computer use.

Thankfully, BitDefender 2011 can be removed the same way you would remove any other rogue program in its malicious family by using a controlled environment, such as Safe Mode, along with a complete system scan from reputable anti-malware programs.

File System Modifications

  • The following files were created in the system:
    # File Name
    1 %AllUsersProfile%\Start Menu\BitDefender 2011\Uninstall.lnk
    2 %Temp%\srvED4.ini
    3 %Temp%\srvED4.tmp
    4 %UserProfile%\Desktop\BitDefender 2011.lnk
    5 C:\Documents and Settings\[USERNAME]\Desktop\BitDefender 2011.lnk
    6 c:\Documents and Settings\All Users\Start Menu\BitDefender 2011\
    7 c:\Documents and Settings\All Users\Start Menu\BitDefender 2011\BitDefender 2011.lnk
    8 C:\Documents and Settings\All Users\Start Menu\BitDefender 2011\Uninstall.lnk
    9 c:\Program Files\BitDefender 2011\
    10 c:\Program Files\BitDefender 2011\bitdefender.exe
    11 C:\WINDOWS\Prefetch\BITDEFENDER.EXE-0571D06A.pf
    12 C:\WINDOWS\Prefetch\BITDEFENDER.EXE-06B296CB.pf
    13 C:\WINDOWS\Prefetch\MSCONFIG.EXE-1EF1EA0F.pf
    14 C:\WINDOWS\system32\iesafemode.exe

Registry Modifications

  • The following Registry subkeys and values were created or modified:
    Subkeys and values:
    HKEY_CURRENT_USER\Software\EVA86D\
    HKEY_CURRENT_USER\Software\EVAEC2
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable=0
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "BitDefender 2011" = 'C:\Program Files\BitDefender 2011\bitdefender.exe'
    HKEY_CURRENT_USER\Software\Mon86D
    HKEY_CURRENT_USER\Software\Mon86D\ebggbc={EA520B3F-F2F1-41E0-AD9F-C818F032C581}
    HKEY_CURRENT_USER\Software\Mon86D\ebggddkhod=AGT
    HKEY_CURRENT_USER\Software\Mon86D\ebggddnf=0
    HKEY_CURRENT_USER\Software\Mon86D\ebggeddf=EVA
    HKEY_CURRENT_USER\Software\Mon86D\ebggfdlh=BitDefender 2011
    HKEY_CURRENT_USER\Software\Mon86D\ebgglceeac=C:\Program Files\BitDefender 2011\bitdefender.exe
    HKEY_CURRENT_USER\Software\Mon86D\ebgglcofkc=ABCEVA
    HKEY_CURRENT_USER\Software\MonEC2
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe "Debugger" = 'msiexecs.exe -sb'
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger=iesafemode.exe -sb
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe "Debugger" = 'msiexecs.exe -sb'
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger=iesafemode.exe -sb
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe "Debugger" = 'msiexecs.exe -sb'
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger=iesafemode.exe -sb
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe "Debugger" = 'msiexecs.exe -sb'
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe\Debugger=iesafemode.exe -sb
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe "Debugger" = 'msiexecs.exe -sb'
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe\Debugger=iesafemode.exe -sb
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "WinNT-EVI 21.04.2011"
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable=0
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable=0
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable=0
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable=0
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = '0'
    Registry keys:
    HKEY_CURRENT_USER\Control Panel\Desktop\ForegroundLockTimeout=0

Additional Information on BitDefender 2011

  • The following domains were detected:
    # Domain
    1 windows-networks.com
    2 secure.supersoftstore.com
    3 secure.ordersunsprotection.com
  • The following messages were detected:
    # Message
    1 Warning! Identity theft attempt detected!
    Attacker IP: [random IP address]
    Attack Target: Microsoft Corp. Keys
    Description: Remote host tries to get access to your personal information.
    2 Warning!
    Virtumonde is an adware program that tends to monitor your Internet browsing habits and may display targeted advertisements onto your computer screen. Virtumonde may also create a malicious DLL file in order to log your keystrokes and send the recorded information to a third party website. Virtumonde is an unwanted application and recommended to be removed.
    3 Warning! New virus detected!
    Threat Detected: Keylogger.iSnake.Pro
    Infected File: C:\WINDOWS\system32\asr_ldm.exe
    4 Warning! Active Virus Detected!
    Threat Detected: Backdoor.Poison.BQA
    Infected file: [random file name]
    Action taken: Application Blocked
    Description: This backdoor arrives as attachment to email messages spammed by another malware or malicious user. This is a backdoor component of the Darkmoon RAT (Remote Administration Tool), via this backdoor hackers attempt to control your PC.
    5 About Internet Explorer Emergency Mode
    Your PC is infected with malicious software and browse couldn't be launched

    You may use Internet Explorer in Emergency mode - internal service browser of Microsoft Windows system with limited usability.

    Notice: Some sites refuse connection with Internet Explorer in Emergency Mode. In such case system warning page will be showed to you.
