Windows Advanced Toolkit

By | June 22, 2012

Windows Advanced Toolkit is the latest variant of rogue program from the FakeVimes family. Like the many clones before it, it uses a rootkit Trojan to spread a copy of itself. It may also get onto your computer by accident through infected web sites or unsafe file-sharing networks. Moreover, the Trojan may drop a redirect component on your computer so that, when you browse the web, you are sent to the site hosting the fake antivirus.

Once Windows Advanced Toolkit is installed, it imitates a real antivirus program. The fake program begins announcing several security risks through the system tray. It then shows a scan and detection process that ends in a parade of supposedly identified virus infections. These detections are fictitious. Since the first variant of this family was released, every clone has shown identical results, which means the scanning process is more like playing a movie on your PC: it never actually scans. Every alert you see is pre-programmed into the malware, regardless of the variant.

If you see this rogue software running on your computer, immediately run a scan with a real antivirus program. A second scan with anti-malware software may be a big help in removing other components dropped by Windows Advanced Toolkit.

Type: Rogue
Sub-Type: FakeAV
OS Affected: Windows

What are the Symptoms of Windows Advanced Toolkit Infection?

Look at the image below. This is what you see on a computer once it is infected with Windows Advanced Toolkit: it scans and detects a number of threats even though the PC is clean.

Windows Advanced Toolkit Scanner

It will modify the Windows Registry and add the following entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnHTTPSToHTTPRedirect" = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegedit" = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Run "Inspector"
HKCU\Software\Microsoft\Windows\CurrentVersion\Settings "net" = "u_2012-5-24_6"
HKCU\Software\Microsoft\Windows\CurrentVersion\Settings "UID" = "mksuciepos"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\amshewin.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SafetyKeeper.exe

The threat will drop the following malicious files:
%AppData%\NPSWF32.dll
%AppData%\Protector-[random 3 characters].exe
%AppData%\Protector-[random 4 characters].exe
%AppData%\result.db
%CommonStartMenu%\Programs\Windows Advanced Toolkit .lnk
%Desktop%\Windows Advanced Toolkit .lnk
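The registry entries and dropped files listed above can be checked on a host with the following read-only PowerShell script. It is an added example, not code from the original write-up, and it assumes it runs in the profile of the user that may be infected (the HKCU lookups) and that %AppData%, %CommonStartMenu%\Programs and %Desktop% map to $env:APPDATA and the CommonPrograms and Desktop special folders.

```powershell
# Added example (not from the original write-up): read-only check of a Windows host
# for the registry entries and dropped files listed above. Reports, removes nothing.
# Assumes it runs in the profile of the user that may be infected (HKCU lookups).
$findings = @()

# HKCU values named in the write-up; presence is reported and the value shown for review
$regValues = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'WarnOnHTTPSToHTTPRedirect' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegedit' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';               Name = 'Inspector' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Settings';          Name = 'net' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Settings';          Name = 'UID' }
)
foreach ($v in $regValues) {
    $item = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $findings += "Registry value present: $($v.Path)\$($v.Name) = $($item.($v.Name))"
    }
}

# Image File Execution Options subkeys; a Debugger value here would redirect the named program
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($exe in 'amshewin.exe', 'SafetyKeeper.exe') {
    $key = Join-Path $ifeo $exe
    if (Test-Path $key) {
        $dbg = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Debugger
        $findings += "IFEO subkey present: $key (Debugger = '$dbg')"
    }
}

# Dropped files; Protector-*.exe covers both the 3- and 4-character random suffixes
$filePatterns = @(
    (Join-Path $env:APPDATA 'NPSWF32.dll'),
    (Join-Path $env:APPDATA 'Protector-*.exe'),
    (Join-Path $env:APPDATA 'result.db'),
    (Join-Path ([Environment]::GetFolderPath('CommonPrograms')) 'Windows Advanced Toolkit .lnk'),
    (Join-Path ([Environment]::GetFolderPath('Desktop')) 'Windows Advanced Toolkit .lnk')
)
foreach ($pattern in $filePatterns) {
    foreach ($hit in (Get-Item -Path $pattern -ErrorAction SilentlyContinue)) {
        $findings += "File present: $($hit.FullName) ($($hit.Length) bytes, modified $($hit.LastWriteTime))"
    }
}

if ($findings.Count -eq 0) { 'No Windows Advanced Toolkit indicators found.' } else { $findings }
```

The Policies\System values on their own are weak evidence, since administrators set the same values legitimately; the Run entry, the Settings values and the Protector-*.exe files are the stronger signals.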
