Emerging Threat: AntiVirus 2009

I originally published this blog at http://community.ca.com/blogs/securityadvisor

November 10 2008, 02:40 PM         by         Benjamin Googins


We first started seeing copies of “AntiVirus 2009” in June of this year, but about two weeks ago the number of infections our Support team was seeing took a big jump.  At that time, our Support team reported it was the top infection customers were dealing with.  AntiVirus 2009 is part of a long lineage of rogue antispware applications that purport to be a security solution, but actually have no security functionality or value and are used as a criminal tool for extorting money from victims.  Its predecessor was AntiVirus 2008, which had a high infection rate and was a topper on our prevalence charts for over a month.

Infection Indicators The primary process showing up in Task Manager is “av2009.exe” located at C:\Program Files\Antivirus2009.  The infection aggressively opens popup windows when the computer is restarted and on regular time intervals that are supposed to look like a legitimate anti-virus product and indicate it is scanning the user’s computer for viruses (labeled “B” in the image above).  The infection also places an AntiVirus 2009 icon in the system tray (usually located on the bottom of the computer screen in the lower right corner) and opens small windows, titled “Warning: AntiVirus 2009 Alert!” from this location-repeatedly warning the user of system infections (labeled “C” in the image above).  The infection drops a shortcut on the infected computer’s desktop (labeled “A” in the image above.

Preventing Antivirus 2009 (and other infections) from infecting your system

  • Install a stand-alone firewall or activate the basic firewall included in Windows SP2 and Windows Vista.
  • Practice safe browsing techniques.
  • Exercise caution when opening email attachments.
  • Set up “automatic updates” for your operating system.
  • Keep your anti-malware product up to date.
  • Be sure the “active protection” feature is enabled on anti-malware product.

Remove Antivirus 2009 using your anti-malware product:

  1. Open the primary interface for your anti-malware product.
  2. Update the signature files for your anti-malware product.
  3. Run a comprehensive computer scan (“full”, “complete”, “all drives”, etc).
  4. Remove threat using your anti-malware product.
  5. Reboot the computer.

Tips related to Antivirus 2009

  • Do not pay any money to Antivirus 2009 to “activate” the product.  If you pay the $40.00 requested, the threat will not go away, but they will happily take your money and the cycle of extortion will continue.
  • It is possible you can use System Restore to restore your computer to a previous, uninfected state.  To learn more about System Restore, go here.
  • If you do not see any of the visual aspects of this threat, but your anti-malware product tells you it was detected and can’t remove it, the problem could be with System Restore archiving a copy of threat, see my previous blog entry here.

By: Benjamin Googins


Benjamin Googins is a senior engineer working on CA’s Anti-Spyware product. His primary functions include analyzing spyware and privacy breaches, fielding press inquiries, blogging and drafting documents. He has been a significant contributor to the User Permission document , Spyware Scorecard , Threat… Read More..

1 person has left a comment:

Please Sir I am not yet ready to by your product.

So let my  computer alone for now. I donot know how you get inn.And the worst of it all,you not give me any option. either to accept your offer or to delect you.you are the virus in my computer.trying to force me to buy product so that you can be the world richerst.my computer is always short dawn and the information is that i ve antivrius 2009 unregistered,which of course, i never subscribe or attempt to copy.you came inn.so please go Posted by: worren nicholas, January 8, 2009 5:42 AM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s