Fake AV avatars from a single file

XP Antispyware 2010, Antivirus XP 2010, XP Guardian 2010 – XP Guardian, XP Defender 2010, XP Antivirus, XP Antivirus 2010, XP Internet Security, XP Internet Security 2010…

Different names, same user interface and feel – same binary file. It makes sense. Why would scammers want to keep reinventing something that works with only a name change? Of course, it doesn’t fool all legitimate antivirus solutions, but it is certainly a cheap trick that can help.

Symantec demonstrates how a single binary can change the name of the application every time it’s executed:

And it shows us the proof:

Above is the screenshot of the memory dump of the executable. On the right is the list of names used by the different clones. The “%1” placeholder is replaced by “XP” here, but it can be replaced by anything – the “PC” variant has also been spotted.
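As an added illustration (not part of the original post or Symantec's analysis) of how a defender can turn that template list into a check, the snippet below pulls the “%1” name templates out of a strings dump and maps an observed product name back to its template and prefix. The dump bytes and the hypothetical prefix “PC” in the test are constructed; the real list is only in the screenshot.

```python
import re
from typing import List, Optional, Tuple

# Constructed stand-in for the NUL-separated strings of a memory dump.
# The names mirror the clones listed at the top of the post; this is not
# the real dump.
SAMPLE_DUMP = (
    b"\x00%1 Antispyware 2010\x00Antivirus %1 2010\x00%1 Guardian 2010\x00"
    b"\x00%1 Guardian\x00%1 Defender 2010\x00%1 Antivirus\x00%1 Antivirus 2010\x00"
    b"%1 Internet Security\x00%1 Internet Security 2010\x00kernel32.dll\x00"
)


def extract_templates(blob: bytes) -> List[str]:
    """Return the NUL-terminated ASCII strings containing the '%1' placeholder."""
    templates: List[str] = []
    for raw in blob.split(b"\x00"):
        if b"%1" not in raw:
            continue
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            continue  # binary noise that happens to contain the two bytes
        if text not in templates:
            templates.append(text)
    return templates


def match_clone(title: str, templates: List[str]) -> Optional[Tuple[str, str]]:
    """Map a product/window name to (template, prefix), or None if no template fits.

    The prefix is captured instead of hard-coded because the post notes that
    '%1' may be replaced by anything, not just 'XP'.
    """
    for template in templates:
        # Escape the literal parts and turn the placeholder into a capture group.
        parts = [re.escape(part) for part in template.split("%1")]
        pattern = "^" + r"([A-Za-z0-9]+)".join(parts) + "$"
        found = re.match(pattern, title)
        if found:
            return template, found.group(1)
    return None


if __name__ == "__main__":
    found_templates = extract_templates(SAMPLE_DUMP)
    for name in ("XP Antispyware 2010", "PC Guardian", "Windows Defender"):
        print(name, "->", match_clone(name, found_templates))
```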
