Content

Generic FakeAlert.a

Type
Trojan
SubType
Win32
Discovery Date
10/25/2007
Length
Varies
Minimum DAT
5294 (05/13/2008)
Updated DAT
5488 (01/07/2009)
Minimum Engine
5.1.00
Description Added
10/25/2007
Description Modified
05/13/2008 9:11 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

Generic FakeAlert.a will silently install Antivirus2008 and run a virus scan on the system. It will falsely claims that it found viruses and will require the user to register the product to clean the system.


The following registry keys are added or modified:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\VerStr: "1.0.2.8"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\VerInt: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\Cnt: "PE"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\Lng: "ch"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\UnInsAct: 0x00000023
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\MAbbr: "ANT"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\Type: "exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\FoundCount: 0x0000002B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\FoundInfo
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\PID: "1AB6B0E7B6E0B7B1E2B1BDE8BCBABFE8BAF6A0F0F0F0F7A7F3A8FDA9AAAAAAA6"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\FirstRun: 0x00000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\Root: "C:\Program Files\Antivirus 2008"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\ExeFileName: "Antvrs.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\TIns
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\: "AutoStart-done"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\aid: "keyin"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\affid: "keyin"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\lid: "keyin"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Antivirus: "C:\Program Files\Antivirus 2008\Antvrs.exe"
  • HKEY_CURRENT_USER\Software\Antivirus\VerStr: "1.0.2.8"
  • HKEY_CURRENT_USER\Software\Antivirus\VerInt: 0x00000001
  • HKEY_CURRENT_USER\Software\Antivirus\Cnt: "PE"
  • HKEY_CURRENT_USER\Software\Antivirus\Lng: "ch"
  • HKEY_CURRENT_USER\Software\Antivirus\UnInsAct: 0x00000023
  • HKEY_CURRENT_USER\Software\Antivirus\MAbbr: "ANT"
  • HKEY_CURRENT_USER\Software\Antivirus\Type: "exe"
  • HKEY_CURRENT_USER\Software\Antivirus\FoundCount: 0x0000002B
  • HKEY_CURRENT_USER\Software\Antivirus\FoundInfo
  • HKEY_CURRENT_USER\Software\Antivirus\PID: "1AB6B0E7B6E0B7B1E2B1BDE8BCBABFE8BAF6A0F0F0F0F7A7F3A8FDA9AAAAAAA6"
  • HKEY_CURRENT_USER\Software\Antivirus\FirstRun: 0x00000000
  • HKEY_CURRENT_USER\Software\Antivirus\Root: "C:\Program Files\Antivirus 2008"
  • HKEY_CURRENT_USER\Software\Antivirus\ExeFileName: "Antvrs.exe"
  • HKEY_CURRENT_USER\Software\Antivirus\TIns
  • HKEY_CURRENT_USER\Software\Antivirus\: "AutoStart-done"
  • HKEY_CURRENT_USER\Software\Antivirus\aid: "keyin"
  • HKEY_CURRENT_USER\Software\Antivirus\affid: "keyin"
  • HKEY_CURRENT_USER\Software\Antivirus\lid: "keyin"

The following files are added:

  • %DOCSETTINGS%\Start Menu\Antivirus\Antivirus 2008.lnk
  • %DOCSETTINGS%\Start Menu\Antivirus\Uninstall Antivirus.lnk
  • %PROGRAMFILES%\Antivirus 2008\Antvrs.exe

The following folder is created:

  • %DOCSETTINGS%\Application Data\Antivirus

(where %PROGRAMFILES% is the Windows program folder e.g. C:\Program Files, %DOCSETTINGS% is the Documents and Settings folder e.g C:\Documents and Setting\username)

The following domains are accessed:

  • antivirus2008x.com
  • 72-9-10 8-82.reverse.ezz i.net.

Symptoms

  • Presence of previously mentioned registry entries
  • Presence of previously mentioned files
  • Presence of unexpected network connections to previously mentioned domains

Method of Infection

Trojan do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include spam emails, IRC, P2P networks, newsgroup postings, etc.

Removal

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

All Information

Overview -

Generic FakeAlert.a will silently install Antivirus2008 and run a virus scan on the system. It will falsely claims that it found viruses and will require the user to register the product to clean the system.

Characteristics

Characteristics -

Generic FakeAlert.a will silently install Antivirus2008 and run a virus scan on the system. It will falsely claims that it found viruses and will require the user to register the product to clean the system.


The following registry keys are added or modified:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\VerStr: "1.0.2.8"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\VerInt: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\Cnt: "PE"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\Lng: "ch"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\UnInsAct: 0x00000023
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\MAbbr: "ANT"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\Type: "exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\FoundCount: 0x0000002B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\FoundInfo
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\PID: "1AB6B0E7B6E0B7B1E2B1BDE8BCBABFE8BAF6A0F0F0F0F7A7F3A8FDA9AAAAAAA6"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\FirstRun: 0x00000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\Root: "C:\Program Files\Antivirus 2008"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\ExeFileName: "Antvrs.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\TIns
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\: "AutoStart-done"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\aid: "keyin"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\affid: "keyin"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\lid: "keyin"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Antivirus: "C:\Program Files\Antivirus 2008\Antvrs.exe"
  • HKEY_CURRENT_USER\Software\Antivirus\VerStr: "1.0.2.8"
  • HKEY_CURRENT_USER\Software\Antivirus\VerInt: 0x00000001
  • HKEY_CURRENT_USER\Software\Antivirus\Cnt: "PE"
  • HKEY_CURRENT_USER\Software\Antivirus\Lng: "ch"
  • HKEY_CURRENT_USER\Software\Antivirus\UnInsAct: 0x00000023
  • HKEY_CURRENT_USER\Software\Antivirus\MAbbr: "ANT"
  • HKEY_CURRENT_USER\Software\Antivirus\Type: "exe"
  • HKEY_CURRENT_USER\Software\Antivirus\FoundCount: 0x0000002B
  • HKEY_CURRENT_USER\Software\Antivirus\FoundInfo
  • HKEY_CURRENT_USER\Software\Antivirus\PID: "1AB6B0E7B6E0B7B1E2B1BDE8BCBABFE8BAF6A0F0F0F0F7A7F3A8FDA9AAAAAAA6"
  • HKEY_CURRENT_USER\Software\Antivirus\FirstRun: 0x00000000
  • HKEY_CURRENT_USER\Software\Antivirus\Root: "C:\Program Files\Antivirus 2008"
  • HKEY_CURRENT_USER\Software\Antivirus\ExeFileName: "Antvrs.exe"
  • HKEY_CURRENT_USER\Software\Antivirus\TIns
  • HKEY_CURRENT_USER\Software\Antivirus\: "AutoStart-done"
  • HKEY_CURRENT_USER\Software\Antivirus\aid: "keyin"
  • HKEY_CURRENT_USER\Software\Antivirus\affid: "keyin"
  • HKEY_CURRENT_USER\Software\Antivirus\lid: "keyin"

The following files are added:

  • %DOCSETTINGS%\Start Menu\Antivirus\Antivirus 2008.lnk
  • %DOCSETTINGS%\Start Menu\Antivirus\Uninstall Antivirus.lnk
  • %PROGRAMFILES%\Antivirus 2008\Antvrs.exe

The following folder is created:

  • %DOCSETTINGS%\Application Data\Antivirus

(where %PROGRAMFILES% is the Windows program folder e.g. C:\Program Files, %DOCSETTINGS% is the Documents and Settings folder e.g C:\Documents and Setting\username)

The following domains are accessed:

  • antivirus2008x.com
  • 72-9-10 8-82.reverse.ezz i.net.

Symptoms

Symptoms -

  • Presence of previously mentioned registry entries
  • Presence of previously mentioned files
  • Presence of unexpected network connections to previously mentioned domains

Method of Infection

Method of Infection -

Trojan do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include spam emails, IRC, P2P networks, newsgroup postings, etc.

Removal -

Removal -

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants -

    N/A