
Paladin Antivirus

1. Introduction

Paladin Antivirus belongs to a group of rogue security programs and, judging by the similarity between the two, is related to Malware Defense. The program relies on scareware tactics: it tries to convince the victim that the computer is infected and so persuade them to buy the rogue program, which supposedly removes the infections. This is done through the fraudulent Paladin Antivirus scanner, which reports legitimate Windows files as threats, or reports files that the program itself has dropped (e.g. cookie files). Various false messages are also shown to warn the user about supposed dangers (Network attack detected, Keylogger detected, etc.).

Paladin Antivirus is accompanied by a fake Windows Security Center that displays alerts about detected threats and asks the user whether to block them. These messages mimic the genuine Windows messages, so to a less experienced user they can look like legitimate warnings, which pushes them towards purchasing a rogue license. Some examples of the Security Center alerts:
  • Backdoor.Win32.Agent.ich | This Trojan provides a remote malicious user with access to the victim machine. It is a Windows PE EXE file. It is 48640 bytes in size. It is packed using UPX. The unpacked file is approximately 360KB in size.
  • Rootkit.Win32.Agent.pp | This Trojan masks its presence in the system from users and from other programs. It is a Windows PE SYS file. It is 40960 bytes in size. It is not packed in any way. It is written in C.
  • Backdoor.Win32.Kbot.al | This Trojan provides a remote malicious user with access to the victim machine. It is a Windows PE EXE file. It is 12787 bytes in size.
  • Net-Worm.Win32.DipNet.d | DipNet.d infects computers running under Windows. The worm itself is a Windows PE EXE file approximately 91KB in size, packed using UPX. The unpacked file is approximately 264KB in size. The worm propagates by exploiting a vulnerability in Microsoft Windows LSASS (MS04-011).
  • Net-Worm.Win32.Mytob.t | This network worm infects computers running Windows. The worm itself is a Windows PE EXE file, written in Visual C++. The file may be packed with one of a range of packers, and the size of the infected file may therefore vary. The packed file is approximately 47KB or greater in size, and the unpacked file is approximately 150KB to 260KB in size.
Paladin Antivirus also displays a warning falsely alerting the user that some process is trying to steal facebook.com, paypal.com, gmail.com and ***bank***.com passwords. Another fake warning states that PDM.Keylogger is trying to redirect keyboard input. All of these warnings urge the user to click the button below them to block and remove the threats. Pressing the button opens a notice window asking the user to upgrade to the full-functional version of Paladin Antivirus. Finally, Paladin Antivirus Safebrowser is launched, prompting the user to fill in an Order Form and make a "secure purchase". Do not enter credit card details or any other confidential information, and do not try to buy the program: Paladin Antivirus is a rogue program and will not remove any real threats.

2. Paladin Antivirus removal tools:

  1. Malwarebytes' Anti-Malware
  2. Spyware Doctor

3. Screenshot:

Paladin Antivirus

4. Paladin Antivirus files:

C:\DOCUME~1\user\LOCALS~1\Temp\msdtctr.exe
C:\Program Files\Paladin Antivirus\pav.exe

5. Hijackthis entries:

O4 - HKCU\..\Run: [msdtctr.exe] C:\DOCUME~1\user\LOCALS~1\Temp\msdtctr.exe
O4 - HKCU\..\Run: [Paladin Antivirus] "C:\Program Files\Paladin Antivirus\pav.exe" -noscan
O4 - HKUS\S-1-5-21-789336058-1935655697-1957994488-1003\..\Run: [msdtctr.exe] C:\DOCUME~1\user\LOCALS~1\Temp\msdtctr.exe (User '?')
O4 - HKUS\S-1-5-21-789336058-1935655697-1957994488-1003\..\Run: [Paladin Antivirus] "C:\Program Files\Paladin Antivirus\pav.exe" -noscan (User '?')
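
As a defender-side check, here is an added Python example (not code from pcindanger.com or from any of the tools above) that parses HijackThis O4 autostart lines like those listed in section 5 and flags the indicators from sections 4 and 5: the file names msdtctr.exe and pav.exe and the Paladin Antivirus install directory. The Adobe Reader line in the embedded sample log is constructed as a benign control, and the "autostarts from a Temp directory" heuristic is a general assumption of the example rather than something the page states.

```python
"""Parse HijackThis O4 (autostart) entries and flag the Paladin Antivirus indicators."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Indicators taken from the page: the two dropped files and the install directory.
KNOWN_BAD_FILES = {"msdtctr.exe", "pav.exe"}
KNOWN_BAD_DIRS = {"paladin antivirus"}

# The four O4 lines from the page plus one constructed benign entry (Adobe Reader).
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [msdtctr.exe] C:\DOCUME~1\user\LOCALS~1\Temp\msdtctr.exe
O4 - HKCU\..\Run: [Paladin Antivirus] "C:\Program Files\Paladin Antivirus\pav.exe" -noscan
O4 - HKUS\S-1-5-21-789336058-1935655697-1957994488-1003\..\Run: [msdtctr.exe] C:\DOCUME~1\user\LOCALS~1\Temp\msdtctr.exe (User '?')
O4 - HKUS\S-1-5-21-789336058-1935655697-1957994488-1003\..\Run: [Paladin Antivirus] "C:\Program Files\Paladin Antivirus\pav.exe" -noscan (User '?')
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"""

# O4 - <hive>\<key>: [<value name>] <command> [(User '<name>')]
O4_RE = re.compile(
    r"^O4 - (?P<hive>[A-Z]+)\\(?P<key>.+?): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)


@dataclass
class Autostart:
    hive: str
    key: str
    name: str
    path: str
    args: str
    user: Optional[str]
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def split_command(cmd: str) -> Tuple[str, str]:
    """Separate the executable path from its arguments.
    A quoted path ends at the closing quote; an unquoted one at the first '.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    if m:
        return cmd[:m.end()], cmd[m.end():].strip()
    return cmd, ""


def parse_o4(line: str) -> Optional[Autostart]:
    """Return an Autostart for an O4 line, or None for anything else."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    path, args = split_command(m.group("cmd"))
    return Autostart(m.group("hive"), m.group("key"), m.group("name"),
                     path, args, m.group("user"))


def assess(entry: Autostart) -> Autostart:
    """Attach a reason for every indicator the entry matches."""
    lowered = entry.path.lower()
    filename = lowered.rsplit("\\", 1)[-1]
    if filename in KNOWN_BAD_FILES:
        entry.reasons.append(f"file name {filename} listed as a Paladin Antivirus component")
    if any(d in lowered for d in KNOWN_BAD_DIRS):
        entry.reasons.append("runs from the Paladin Antivirus install directory")
    # General heuristic (an assumption, not from the page): legitimate software
    # rarely registers an autostart that points into a user's Temp directory.
    if "\\temp\\" in lowered:
        entry.reasons.append("autostarts from a Temp directory")
    return entry


def scan_log(text: str) -> List[Autostart]:
    """Parse and assess every O4 line in a HijackThis log."""
    return [assess(e) for e in (parse_o4(l) for l in text.splitlines()) if e is not None]


if __name__ == "__main__":
    for entry in scan_log(SAMPLE_LOG):
        verdict = "SUSPICIOUS" if entry.suspicious else "ok"
        print(f"{verdict:10} {entry.hive} [{entry.name}] {entry.path} {entry.args}")
        for reason in entry.reasons:
            print(f"           - {reason}")
```

Run against a real log, the four Paladin entries are reported with their reasons while the Adobe control passes; the parsed `path` and `args` fields also make the `-noscan` switch visible separately from the executable, which is useful when cross-checking against the file list in section 4.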
© 2007-2010 All Rights Reserved. Unauthorized use of any data on pcindanger.com is prohibited.