April 18, 2011 By Andrew Brandt

Rogues of the Week: XP Total Security & MS Removal Tool


It’s been said that sunlight sanitizes almost everything it shines on. Beginning this week, and every week from now on, we’ll focus a concentrated beam on the rogue antivirus programs our support staff and Threat Research team have been working to remediate.

Rogues have a tendency to switch up their names, user interface, and other outward characteristics, while retaining most of the same internal functionality — and by functionality I mean the fraudulent tricks these forms of malware use to make it difficult for someone to identify them as malicious or remove them from an infected computer. It’s not as though the charlatans behind these scams (or their parents) ever made anything that was actually useful or desirable.

So for our inaugural Rogue of the Week post, we bring you notes on MS Removal Tool and XP Total Security, courtesy of Threat Research Analysts Brenden Vaughan and Stephen Ham.

MS Removal Tool

The most frequent infection this week has been the rogue security product MS Removal Tool, which is just the latest variant of the System Tool rogue. What a tool. Here’s what it looks like:

Support also mentioned seeing numerous cases of another rogue that goes by the names Windows Recovery, Windows Repair, or Windows Restore. All of these are “re-branded” versions of the same program.

None of these, obviously, are real Microsoft products, even though they use icons that look like the Microsoft Office logo:

It installs itself to the %appdata%\Microsoft folder and, like other System Tool variants, uses heavily randomized file and folder names.

It also prevents all executable files from running once the rogue starts. However, if you run a sweep while Windows is in Safe Mode, we should be able to remove the infection.

Stephen Ham found that links in spam email led to a drive-by download of MS Removal Tool. The spam messages offered a “Free Discount Card” for…something. The scammer kind of ran out of steam at that point. Thanks for sending the stuff directly to us, crimeware distributor guy. It makes our jobs a lot easier.

Technical details:

Rogue executable is installed to (where <random> indicates an unpredictable jumble of letters and numbers that changes each time someone installs the rogue on a computer):

C:\Documents and Settings\All users\Application Data\<random>\<random>.exe

Rogue sets start points from the following Registry location(s):

<random> = C:\Documents and Settings\All users\Application Data\<random>\<random>.exe

— Vaughan & Ham

XP Total Security

The other rogue security products our support team has primarily seen this week have been variants of the rogue with a randomized, 3-character file name. According to analysts working with the rogue, its user interface and name vary depending on the operating system you happen to be running.

Here’s the short list of names the rogue’s authors have come up with for this scam:

Windows XP                 | Windows Vista                 | Windows 7
---------------------------+-------------------------------+------------------------------
XP Anti-Virus              | Vista Anti-Virus              | Win 7 Anti-Virus
XP Anti-Virus 2011         | Vista Anti-Virus 2011         | Win 7 Anti-Virus 2011
XP Anti-Spyware            | Vista Anti-Spyware            | Win 7 Anti-Spyware
XP Anti-Spyware 2011       | Vista Anti-Spyware 2011       | Win 7 Anti-Spyware 2011
XP Home Security           | Vista Home Security           | Win 7 Home Security
XP Home Security 2011      | Vista Home Security 2011      | Win 7 Home Security 2011
XP Total Security          | Vista Total Security          | Win 7 Total Security
XP Total Security 2011     | Vista Total Security 2011     | Win 7 Total Security 2011
XP Security                | Vista Security                | Win 7 Security
XP Security 2011           | Vista Security 2011           | Win 7 Security 2011
XP Internet Security       | Vista Internet Security       | Win 7 Internet Security
XP Internet Security 2011  | Vista Internet Security 2011  | Win 7 Internet Security 2011

— Vaughan
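As an added example that is not part of the original post, here is a small Python triage script that reads a `reg export` of the Run keys and flags the two start-point patterns described above: the `<random>\<random>.exe` file under All Users\Application Data (MS Removal Tool) and the three-character executable name (the XP/Vista/Win 7 Security family). The Run key paths, the two benign entries and the sample values are constructed assumptions; the post itself does not name the Registry key.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in `reg export` format. The Run keys and the two benign
# entries are assumptions; the other two entries mirror the patterns in the post.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"kQa7xLw9p2"="C:\\Documents and Settings\\All Users\\Application Data\\kQa7xLw9p2\\kQa7xLw9p2.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"tjc"="C:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\tjc.exe"
'''

KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
# <random>\<random>.exe directly under All Users\Application Data (MS Removal Tool / System Tool)
ALLUSERS_RE = re.compile(
    r'^[a-z]:\\documents and settings\\all users\\application data\\'
    r'(?P<dir>[a-z0-9]+)\\(?P<file>[a-z0-9]+)\.exe$', re.IGNORECASE)
# "jumble of letters and numbers": alphanumeric, mixes letters and digits, 6+ characters
RANDOM_RE = re.compile(r'^(?=.*[a-z])(?=.*[0-9])[a-z0-9]{6,}$', re.IGNORECASE)

def parse_run_entries(text):
    """Yield (key, value_name, path) for each value under each [key] in .reg text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if (m := KEY_RE.match(line)):
            key = m.group('key')
        elif key and (m := VALUE_RE.match(line)):
            # .reg exports escape backslashes inside string data as "\\"
            yield key, m.group('name'), m.group('data').replace('\\\\', '\\')

def classify(path):
    """Return a reason string if the autorun target matches a rogue pattern, else None."""
    m = ALLUSERS_RE.match(path)
    if m and RANDOM_RE.match(m.group('dir')) and RANDOM_RE.match(m.group('file')):
        return 'random <dir>\\<file>.exe under All Users\\Application Data (MS Removal Tool pattern)'
    p = PureWindowsPath(path)
    if p.suffix.lower() == '.exe' and len(p.stem) == 3 and p.stem.isalnum():
        return 'three-character executable name (XP/Vista/Win 7 Security family pattern)'
    return None

def scan(text):
    """Return [(key, value_name, path, reason)] for every suspicious Run entry."""
    entries = ((k, n, p, classify(p)) for k, n, p in parse_run_entries(text))
    return [e for e in entries if e[3]]
```

Run `scan(SAMPLE_REG)` to see the two flagged entries; a three-character name alone is a weak signal, so treat that hit as a lead to confirm in Safe Mode rather than a verdict.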
