XP Home Security 2012

Posted: June 9, 2011

Threat Metric

The Threat Meter is a malware assessment that SpywareRemove.com's research team is able to give every identifiable malware threat. Our Threat Meter includes several criteria based off of specific malware threats to value their severity, reach and volume. The Threat Meter is able to give you a numerical breakdown of each threat's initial Threat Level, Detection Count, Volume Count, Trend Path and Percentage Impact. The overall ranking of each threat in the Threat Meter is a basic breakdown of how all threats are ranked within our own extensive malware database. The scoring for each specific malware threat can be easily compared to other emerging threats to draw a contrast in its particular severity. The Threat Meter is a useful tool in the endeavor of seeking a solution to remove a threat or pursue additional analytical research for all types of computer users.

The following fields listed on the Threat Meter containing a specific value, are explained in detail below:

Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.

Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.

Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.

Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.

% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.

Threat Level:	10/10
Infected PCs:	61

First Seen:	June 9, 2011
OS(es) Affected:	Windows

XP Home Security 2012 looks like an anti-virus and general security program, but XP Home Security 2012 actually is a threat that can only warn you about infections that don't exist. Besides creating these fake warnings, XP Home Security 2012 may also prevent you from using certain programs or take over your web browser to control which websites you can visit. XP Home Security 2012 can be removed by using real security software after you've avoided XP Home Security 2012's automatic startup routine by using Safe Mode or similar anti-malware tactics.

XP Home Security 2012 – Not Just a Threat to Windows XP

XP Home Security 2012 pretends to be a unique and individual anti-malware program, but XP Home Security 2012 is really a threat that's identical other rogue security programs like Antivirus 2008 Pro, Antivirus XP 2008, Windows Antivirus 2008, Vista Antivirus 2008, PC Clean Pro, Antivirus Pro 2009, Rogue.Vista Antivirus 2008, AntiSpy Safeguard, ThinkPoint, Spyware Protection 2010, Internet Antivirus 2011, Palladium Pro, XP Anti-Virus 2011, CleanThis, XP Security 2012 and AntiVirus PRO 2015.. Like most rogue security applications from the FakeRean family, XP Home Security 2012 relies on fake pop-ups and misleading system scan simulations, to make you believe that your PC is under attack by many threats.

However, threats that are detected by XP Home Security 2012 aren't real, and are generated from semi-random warning lists with examples like the following:

System warning!
Continue working in unprotected mode is very dangerous. Viruses can damage your confidential data and work on your computer. Click here to protect your computer.

System warning!
Security Essentials Ultimate Pack software detects programs that may compromise your privacy and harm your systems. It is highly recommended you scan your PC right now. Click here to start.

Security Alert!
Your computer is being attacked from a remote machine!
Block Internet access to your computer to prevent system infection.

Critical Warning!
Critical System Warning! Your system is probably infected with a version of Trojan-Spy.HTML.Visafraud.a. This may result in website access passwords being stolen from Internet Explorer, Mozilla Firefox, Outlook etc. Click Yes to scan and remove threats. (recommended)

If you attempt to detect these threats with other anti-malware programs, you'll notice that they will not show up. However, you may still experience malfunctions with programs that XP Home Security 2012 tells you are infected. This is purely due to XP Home Security 2012 blocking you from using the program. In many cases, renaming the program file to a generic file like 'explorer.exe' or 'iexplore.exe' will bypass XP Home Security 2012's program block list.

XP Home Security 2012's Browser-Based Warfare

In addition to blocking programs and faking anti-virus functions, XP Home Security 2012 may also engage in browser hijack attacks. These attacks can:

Change your browser settings. Any attempts to revert these changes will fail unless you also remove XP Home Security 2012. The most obvious change that you may see is your homepage being set to an unfamiliar and potentially malicious website.

Create advertisements. XP Home Security 2012 advertisements may be limited to audio, or they may encompass pop-ups and other visual displays. Since XP Home Security 2012 can run in the form of a hidden memory process, these advertisements may appear even if you think that your web browser is closed.

Create fake 'dangerous website' warnings and other errors that prevent you from visiting certain websites. XP Home Security 2012 and similar rogue security programs will use these fake errors to redirect you away from security-oriented sites while making you think that this is a security measure.

XP Home Security 2012 may also use other means to redirect you towards malicious websites that can steal your credit card number and other sensitive information. To prevent these attacks from happening, you can switch to Safe Mode, which will stop XP Home Security 2012's automatic startup.

Once XP Home Security 2012 isn't active, deleting XP Home Security 2012 by using suitable security programs should prove to be a simple task. Since XP Home Security 2012 is a new threat as of June 2011, it's advised that you update threat definitions for your software before launching a scan for XP Home Security 2012.

File System Modifications

The following files were created in the system:

#	File Name
1	%AllUsersProfile%\Application Data\u3f7pnvfncsjk2e86abfbj5h
2	%Documents and Settings%\[UserName]\Local Settings\Application Data\[RANDOM CHARACTERS]
3	%Documents and Settings%\[UserName]\Local Settings\Application Data\[RANDOM CHARACTERS].exe
4	%Documents and Settings%\[UserName]\Local Settings\Temp\[RANDOM CHARACTERS]
5	%Documents and Settings%\[UserName]\Templates\[RANDOM CHARACTERS]
6	%Documents and Settings%\All Users\Application Data\[RANDOM CHARACTERS]
7	%LocalAppData%\kdn.exe
8	%LocalAppData%\u3f7pnvfncsjk2e86abfbj5h
9	%Temp%\u3f7pnvfncsjk2e86abfbj5h
10	%UserProfile%\Templates\u3f7pnvfncsjk2e86abfbj5h

Registry Modifications

The following newly produced Registry Values are:
HKEY..\..\..\..{Subkeys}HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command “(Default)” = ‘”%Documents and Settings%\[UserName]\Local Settings\Application Data\[RANDOM CHARACTERS].exe” -a “%1? %*’HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command “(Default)” = ‘”%Documents and Settings%\[UserName]\Local Settings\Application Data\[RANDOM CHARACTERS].exe” -a “%1? %*’HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command “(Default)” = ‘”%Documents and Settings%\[UserName]\Local Settings\Application Data\[random].exe” -a “%Program Files%\Mozilla Firefox\firefox.exe”‘HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command “(Default)” = ‘”%Documents and Settings%\[UserName]\Local Settings\Application Data\[random].exe” -a “%Program Files%\Mozilla Firefox\firefox.exe” -safe-mode’HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command “(Default)” = ‘”%Documents and Settings%\[UserName]\Local Settings\Application Data\[random].exee” -a “%Program Files%\Internet Explorer\iexplore.exe”‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center “AntiVirusOverride” = ’1?HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center “FirewallOverride” = ’1?HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation “TLDUpdates” = ’1?HKEY..\..\..\..{RegistryKeys}HKEY_CLASSES_ROOT\.exe\shell\open\command “(Default)” = ‘”%Documents and Settings%\[UserName]\Local Settings\Application Data\[RANDOM CHARACTERS].exe” -a “%1? %*’

One Comment

Lucia Gilles says:

April 20, 2012 at 11:29 am

XP Home Security 2012 was a pain. Now removed and PC is faster. Thanks