Generic FakeAlert.a
- Type: Trojan
- SubType: Win32
- Discovery Date: 10/25/2007
- Length: Varies
- Minimum DAT: 5294 (05/13/2008)
- Updated DAT: 6548 (12/02/2011)
- Minimum Engine: 5.4.00
- Description Added: 10/25/2007
- Description Modified: 04/06/2011 4:30 PM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
-- Update April 07, 2010 --
File Information
- MD5: C5259232B455F00AD668B9B12D5A6E0B
- SHA-1: 3927EA4EE9A5521F6661EC2C039DB7EF1BD75539
Aliases
- AVG - Dropper.Generic3.AYNL
- NOD32 - a variant of Win32/Injector.FQG
- TrendMicro - TROJ_FAKEAV.III
- Microsoft - Rogue:Win32/FakeRean
This description covers malware that shows false error messages and misleading spyware scan results and uses aggressive advertising to persuade the user to purchase it.
Generic FakeAlert.a silently installs the rogue "XP Security 2011" and runs a bogus virus scan on the system. It falsely claims that it found viruses and requires the user to register (pay for) the product to clean the system.
When executed, the Trojan drops the following files:
- %Userprofile%\Local Settings\Application Data\61am7kh612rw85n14158n8334sb5378m1c5h32
- %Userprofile%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
- %Temp%\61am7kh612rw85n14158n8334sb5378m1c5h32
- %Userprofile%\Templates\61am7kh612rw85n14158n8334sb5378m1c5h32
- %Systemdrive%\Documents and Settings\All Users\Application Data\61am7kh612rw85n14158n8334sb5378m1c5h32
The following registry keys are added. The original description records them under HKEY_CURRENT_USER\S-1-(Varies); SID-qualified paths actually live under HKEY_USERS, of which HKEY_CURRENT_USER is the logged-on user's view, and HKEY_USERS\S-1-(Varies)_Classes is the per-user Classes hive that appears as HKEY_CURRENT_USER\Software\Classes:
- HKEY_USERS\S-1-(Varies)\Software\Microsoft\GDIPlus
- HKEY_USERS\S-1-(Varies)\Software\Classes\.exe
- HKEY_USERS\S-1-(Varies)\Software\Classes\exefile
- HKEY_USERS\S-1-(Varies)_Classes\.exe
- HKEY_USERS\S-1-(Varies)_Classes\exefile
The following registry values are added:
- HKEY_USERS\S-1-(Varies)\Software\Classes\.exe\shell\open\command\: ""C:\Documents and Settings\Administrator\Desktop\nid.exe" -a "%1" %*"
- HKEY_USERS\S-1-(Varies)\Software\Classes\exefile\shell\open\command\: ""C:\Documents and Settings\Administrator\Desktop\nid.exe" -a "%1" %*"
- HKEY_USERS\S-1-(Varies)_Classes\.exe\shell\open\command\: ""C:\Documents and Settings\Administrator\Desktop\nid.exe" -a "%1" %*"
- HKEY_USERS\S-1-(Varies)_Classes\exefile\shell\open\command\: ""C:\Documents and Settings\Administrator\Desktop\nid.exe" -a "%1" %*"
These values hijack the .exe file association for the logged-on user. Per-user Classes keys take precedence over the defaults in HKEY_LOCAL_MACHINE\SOFTWARE\Classes, so every attempt to open an executable now launches nid.exe, which receives the original program and its arguments ("%1" %*) as parameters. The path is that of the sample on the analysis system; on a victim it is wherever the Trojan's copy of nid.exe was dropped. A consequence for cleanup: while these values are in place, deleting or quarantining nid.exe without restoring the association leaves the user unable to start any .exe.
The following registry values are modified:
- HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\: ""C:\Documents and Settings\Administrator\Desktop\nid.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe""
- HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\: ""C:\Documents and Settings\Administrator\Desktop\nid.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode"
- HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\: ""C:\Documents and Settings\Administrator\Desktop\nid.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe""
These modified values run nid.exe, with the genuine browser path as its argument, whenever Firefox (including its safe mode) or Internet Explorer is started through the Start Menu entries.
[%UserProfile% is c:\Documents and Settings\Administrator\, %Temp% is C:\Documents and Settings\Administrator\Local Settings\Temp\ and %SystemDrive% is the drive where the Operating System is installed, in most cases it will be C:\]
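The two hijacks above can be audited from the registry data alone. The following script is an added example, not code from the original description: it parses each shell\open\command value the way Windows does (a quoted path, then arguments), reports any .exe association that is not the default "%1" %*, and reports any StartMenuInternet command whose first program is not the browser named by the key. SAMPLE_VALUES copies the hijacked values from the description and adds two constructed clean entries for contrast; read_live_values() reads the same keys with winreg on a Windows host and is skipped elsewhere.

```python
"""Audit the shell\\open\\command hijacks described above.

Added example; not code from the original description. The registry paths and
nid.exe command lines in SAMPLE_VALUES are copied from the description, the
clean Internet Explorer and HKLM exefile entries are constructed for contrast.
"""
import sys
from typing import Dict, List, Optional, Tuple

# What Windows itself stores in the (Default) value of exefile\shell\open\command.
DEFAULT_EXE_COMMAND = '"%1" %*'

SAMPLE_VALUES: Dict[str, str] = {
    r"HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command":
        r'"C:\Documents and Settings\Administrator\Desktop\nid.exe" -a "%1" %*',
    r"HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command":
        r'"C:\Documents and Settings\Administrator\Desktop\nid.exe" -a "%1" %*',
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command":
        r'"C:\Documents and Settings\Administrator\Desktop\nid.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"',
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command":
        r'"C:\Program Files\Internet Explorer\iexplore.exe"',  # constructed: clean
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command": DEFAULT_EXE_COMMAND,  # constructed: clean
}


def first_token(command: str) -> str:
    """Program a command line launches, using CreateProcess quoting: a leading
    double quote delimits the path, otherwise the path ends at the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def classify_exe_command(data: str) -> Optional[str]:
    """None when the .exe association is the Windows default; otherwise the path
    of the program that has been put in front of every executable launch."""
    if data.strip() == DEFAULT_EXE_COMMAND:
        return None
    program = first_token(data)
    return None if program == "%1" else program


def classify_browser_command(path: str, data: str) -> Optional[str]:
    """StartMenuInternet\\<BROWSER.EXE>\\shell\\...\\command must launch that browser
    binary directly (with or without flags such as -safe-mode). Returns the
    interposed program when something else is launched first."""
    marker = "startmenuinternet\\"
    idx = path.lower().find(marker)
    if idx < 0:
        return None
    browser_exe = path[idx + len(marker):].split("\\", 1)[0]
    program = first_token(data)
    if program.rsplit("\\", 1)[-1].lower() == browser_exe.lower():
        return None
    return program


def audit(values: Dict[str, str]) -> List[Tuple[str, str]]:
    """values maps registry value path -> data; returns (path, interposed program) pairs."""
    findings = []
    for path, data in values.items():
        lowered = path.lower()
        if lowered.endswith("\\.exe\\shell\\open\\command") or lowered.endswith("\\exefile\\shell\\open\\command"):
            hijacker = classify_exe_command(data)
        elif "\\startmenuinternet\\" in lowered:
            hijacker = classify_browser_command(path, data)
        else:
            hijacker = None
        if hijacker is not None:
            findings.append((path, hijacker))
    return findings


def read_live_values() -> Dict[str, str]:
    """Read the same values from the live registry (Windows only). A missing
    HKCU\\Software\\Classes\\.exe key is the clean state, so absent keys are skipped."""
    import winreg  # only importable on Windows
    hives = {"HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER, "HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE}
    subkeys = [
        ("HKEY_CURRENT_USER", r"Software\Classes\.exe\shell\open\command"),
        ("HKEY_CURRENT_USER", r"Software\Classes\exefile\shell\open\command"),
        ("HKEY_LOCAL_MACHINE", r"SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command"),
        ("HKEY_LOCAL_MACHINE", r"SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command"),
    ]
    values = {}
    for hive_name, subkey in subkeys:
        try:
            with winreg.OpenKey(hives[hive_name], subkey) as key:
                data, _ = winreg.QueryValueEx(key, "")  # "" names the (Default) value
        except OSError:
            continue
        values[hive_name + "\\" + subkey] = data
    return values


if __name__ == "__main__":
    source = read_live_values() if sys.platform == "win32" else SAMPLE_VALUES
    for path, program in audit(source):
        print(f"HIJACKED {path}\n         launches {program} first")
```

The script only reads. The fix that follows from its findings is to delete the HKEY_CURRENT_USER\Software\Classes\.exe and \exefile keys, so the HKEY_LOCAL_MACHINE defaults apply again, and to set the StartMenuInternet values back to the bare browser path, and to do both before nid.exe itself is removed, for the reason given above.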
-- Update March 01, 2010 --
New variants of this threat have been discovered which exploit interest in the 'Killer Whale tragedy' news story. These variants download and install Security Antivirus and run a scan of the system. It falsely claims that it found viruses and requires the user to register the product to clean the system.
Upon execution, the malware shows the following behaviour:
- Reports the infection to the following URL:
http://secure-[removed].in/Reports/MicroinstallServiceReport.php?p=[hash]
where [hash] is a string identifying the victim
- Downloads the Security Antivirus trojan from the following URL:
http://secure[removed].in/index.php?controller=microinstaller&abbr=SAV&setupType=xp&ttl=21124369cb8&pid=
The downloaded file is also detected as Generic FakeAlert.a.
- Contacts the following domains:
protected[removed].in
[removed]antivirus.net
[removed]-securepayment.com
save-[removed].com
payment[removed].net
- Creates the following registry values, so that the rogue starts with the user's session:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SAV = %DOCSETTINGS%\All Users\Application Data\30731ba\LivePCGuard.exe /s
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\SAV = %TEMP%\[filename].exe /cs:1
(where %DOCSETTINGS% is the Documents and Settings folder, e.g. C:\Documents and Settings, %TEMP% is the temporary directory, e.g. %DOCSETTINGS%\<username>\Local Settings\Temp, and [filename] is the name under which the trojan was executed)
Once executed, Security Antivirus performs the following actions:
- Displays a window claiming the system is infected and asking the user to register the rogue to clean the machine.
- Changes the Image File Execution Options entries for the binaries of several antivirus and security tools, which stops those programs from running.
- Changes the Internet Explorer default search engine to:
http://find[removed].com/?&uid=7&q={searchTerms}
- Changes the Internet Explorer proxy configuration to point to the following URL, so that a listener the rogue runs on the local machine sits between the browser and every site, with the original request URL passed in the inj parameter:
http://127.0.0.1:27777/?inj=%ORIGINAL%
- Enables the execution of binaries with invalid signatures.
- Drop the following files:
%DOCSETTINGS%\All Users\Application Data\a7eb7\SAee2.exe
%DOCSETTINGS%\All Users\Application Data\a7eb7\SAV.ico
%DOCSETTINGS%\All Users\Application Data\SAMRBILV\SAEGJV.cfg
%DOCSETTINGS%\username\Application Data\Microsoft\Internet Explorer\Quick Launch\Security Antivirus.lnk
%DOCSETTINGS%\username\Application Data\Security Antivirus\Instructions.ini
%DOCSETTINGS%\username\Start Menu\Programs\Security Antivirus.lnk
%DOCSETTINGS%\username\Start Menu\Security Antivirus.lnk
%DOCSETTINGS%\username\Recent\ANTIGEN.sys
%DOCSETTINGS%\username\Recent\DBOLE.dll
%DOCSETTINGS%\username\Recent\eb.tmp
%DOCSETTINGS%\username\Recent\exec.dll
%DOCSETTINGS%\username\Recent\exec.drv
%DOCSETTINGS%\username\Recent\fix.sys
%DOCSETTINGS%\username\Recent\kernel32.exe
%DOCSETTINGS%\username\Recent\PE.drv
%DOCSETTINGS%\username\Recent\PE.exe
%DOCSETTINGS%\username\Recent\ppal.dll
%DOCSETTINGS%\username\Recent\runddlkey.exe
%DOCSETTINGS%\username\Recent\SICKBOY.exe
%DOCSETTINGS%\username\Recent\sld.exe
%DOCSETTINGS%\username\Recent\SM.tmp
%DOCSETTINGS%\username\Recent\snl2w.drv
%DOCSETTINGS%\username\Recent\tjd.tmp
- Adds the following entries to %WINDOWS%\system32\drivers\etc\hosts, sending the payment sites and two browser protection services (safebrowsing-cache.google.com for Google Safe Browsing, urs.microsoft.com for Internet Explorer's SmartScreen Filter) to one address and the major search engines to another:
74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 privatesecuredpayments.com
74.125.45.100 secure.privatesecuredpayments.com
74.125.45.100 getantivirusplusnow.com
74.125.45.100 secure-plus-payments.com
74.125.45.100 www.getantivirusplusnow.com
74.125.45.100 www.secure-plus-payments.com
74.125.45.100 www.getavplusnow.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
74.125.45.100 www.securesoftwarebill.com
74.125.45.100 secure.paysecuresystem.com
74.125.45.100 paysoftbillsolution.com
74.125.45.100 protected.maxisoftwaremart.com
88.198.198.206 www.google.com
88.198.198.206 google.com
88.198.198.206 google.com.au
88.198.198.206 www.google.com.au
88.198.198.206 google.be
88.198.198.206 www.google.be
88.198.198.206 google.com.br
88.198.198.206 www.google.com.br
88.198.198.206 google.ca
88.198.198.206 www.google.ca
88.198.198.206 google.ch
88.198.198.206 www.google.ch
88.198.198.206 google.de
88.198.198.206 www.google.de
88.198.198.206 google.dk
88.198.198.206 www.google.dk
88.198.198.206 google.fr
88.198.198.206 www.google.fr
88.198.198.206 google.ie
88.198.198.206 www.google.ie
88.198.198.206 google.it
88.198.198.206 www.google.it
88.198.198.206 google.co.jp
88.198.198.206 www.google.co.jp
88.198.198.206 google.nl
88.198.198.206 www.google.nl
88.198.198.206 google.no
88.198.198.206 www.google.no
88.198.198.206 google.co.nz
88.198.198.206 www.google.co.nz
88.198.198.206 google.pl
88.198.198.206 www.google.pl
88.198.198.206 google.se
88.198.198.206 www.google.se
88.198.198.206 google.co.uk
88.198.198.206 www.google.co.uk
88.198.198.206 google.co.za
88.198.198.206 www.google.co.za
88.198.198.206 www.google-analytics.com
88.198.198.206 www.bing.com
88.198.198.206 search.yahoo.com
88.198.198.206 www.search.yahoo.com
88.198.198.206 uk.search.yahoo.com
88.198.198.206 ca.search.yahoo.com
88.198.198.206 de.search.yahoo.com
88.198.198.206 fr.search.yahoo.com
88.198.198.206 au.search.yahoo.com
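The hosts-file tampering above has a shape that can be checked mechanically: many unrelated names pointed at one public address, and entries for the Safe Browsing and SmartScreen lookup hosts, which a legitimate hosts file never contains. The script below is an added example, not code from the original description. SAMPLE_HOSTS is constructed here from a few of the entries above plus the standard localhost line so that it runs offline; the threshold of three names per public address is a heuristic chosen for this example.

```python
"""Flag hosts-file redirections of the kind listed above.

Added example; not code from the original description. SAMPLE_HOSTS is
constructed from a few of the listed entries plus the standard localhost line;
on a real machine read %SystemRoot%\\System32\\drivers\\etc\\hosts instead.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
88.198.198.206 www.google.com
88.198.198.206 google.com
88.198.198.206 www.bing.com
88.198.198.206 search.yahoo.com
"""

# Lookup hosts for Google Safe Browsing and IE SmartScreen Filter; any entry
# for these is suspicious on its own because it blinds the browser's warnings.
PROTECTION_HOSTS = {"safebrowsing-cache.google.com", "urs.microsoft.com"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """(address, hostname) pairs; comments and blank lines are skipped and a line
    carrying several names yields one pair per name. Lines whose first field is
    not an IP address are ignored rather than raising."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        pairs.extend((fields[0], name.lower()) for name in fields[1:])
    return pairs


def is_local(address: str) -> bool:
    """Loopback, unspecified, link-local and RFC 1918 targets are the normal
    contents of a hosts file (ad blocking, lab names); public targets are not."""
    ip = ipaddress.ip_address(address)
    return ip.is_loopback or ip.is_unspecified or ip.is_link_local or ip.is_private


def find_redirections(pairs: List[Tuple[str, str]], min_names: int = 3) -> Dict[str, List[str]]:
    """{address: [hostnames]} for every address that either maps a protection
    host or is a public address with at least min_names names pointed at it."""
    by_addr: Dict[str, List[str]] = defaultdict(list)
    for addr, name in pairs:
        by_addr[addr].append(name)
    return {
        addr: names for addr, names in by_addr.items()
        if PROTECTION_HOSTS & set(names) or (not is_local(addr) and len(names) >= min_names)
    }


def audit_hosts_file(path: str) -> Dict[str, List[str]]:
    """Convenience wrapper for a real hosts file (Windows hosts files are
    usually ANSI-encoded, hence the lenient decoding)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_redirections(parse_hosts(fh.read()))


if __name__ == "__main__":
    for addr, names in find_redirections(parse_hosts(SAMPLE_HOSTS)).items():
        print(f"{addr} sinkholes {len(names)} names: {', '.join(names)}")
```

On the sample, both 74.125.45.100 and 88.198.198.206 are reported; a hosts file that only blocks ad domains via 0.0.0.0 or names lab machines on private addresses is not, because those targets are local by the definition above.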
--
Generic FakeAlert.a will silently install Antivirus2008 and run a virus scan on the system. It falsely claims that it found viruses and requires the user to register the product to clean the system.
The following registry keys are added or modified:
- HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\VerStr: "1.0.2.8"
- HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\VerInt: 0x00000001
- HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\Cnt: "PE"
- HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\Lng: "ch"
- HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\UnInsAct: 0x00000023
- HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\MAbbr: "ANT"
- HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\Type: "exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\FoundCount: 0x0000002B
- HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\FoundInfo
- HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\PID: "1AB6B0E7B6E0B7B1E2B1BDE8BCBABFE8BAF6A0F0F0F0F7A7F3A8FDA9AAAAAAA6"
- HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\FirstRun: 0x00000000
- HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\Root: "C:\Program Files\Antivirus 2008"
- HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\ExeFileName: "Antvrs.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\TIns
- HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\: "AutoStart-done"
- HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\aid: "keyin"
- HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\affid: "keyin"
- HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus\lid: "keyin"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Antivirus: "C:\Program Files\Antivirus 2008\Antvrs.exe"
- HKEY_CURRENT_USER\Software\Antivirus\VerStr: "1.0.2.8"
- HKEY_CURRENT_USER\Software\Antivirus\VerInt: 0x00000001
- HKEY_CURRENT_USER\Software\Antivirus\Cnt: "PE"
- HKEY_CURRENT_USER\Software\Antivirus\Lng: "ch"
- HKEY_CURRENT_USER\Software\Antivirus\UnInsAct: 0x00000023
- HKEY_CURRENT_USER\Software\Antivirus\MAbbr: "ANT"
- HKEY_CURRENT_USER\Software\Antivirus\Type: "exe"
- HKEY_CURRENT_USER\Software\Antivirus\FoundCount: 0x0000002B
- HKEY_CURRENT_USER\Software\Antivirus\FoundInfo
- HKEY_CURRENT_USER\Software\Antivirus\PID: "1AB6B0E7B6E0B7B1E2B1BDE8BCBABFE8BAF6A0F0F0F0F7A7F3A8FDA9AAAAAAA6"
- HKEY_CURRENT_USER\Software\Antivirus\FirstRun: 0x00000000
- HKEY_CURRENT_USER\Software\Antivirus\Root: "C:\Program Files\Antivirus 2008"
- HKEY_CURRENT_USER\Software\Antivirus\ExeFileName: "Antvrs.exe"
- HKEY_CURRENT_USER\Software\Antivirus\TIns
- HKEY_CURRENT_USER\Software\Antivirus\: "AutoStart-done"
- HKEY_CURRENT_USER\Software\Antivirus\aid: "keyin"
- HKEY_CURRENT_USER\Software\Antivirus\affid: "keyin"
- HKEY_CURRENT_USER\Software\Antivirus\lid: "keyin"
The following files are added:
- %DOCSETTINGS%\Start Menu\Antivirus\Antivirus 2008.lnk
- %DOCSETTINGS%\Start Menu\Antivirus\Uninstall Antivirus.lnk
- %PROGRAMFILES%\Antivirus 2008\Antvrs.exe
The following folder is created:
- %DOCSETTINGS%\Application Data\Antivirus
(where %PROGRAMFILES% is the Windows program folder, e.g. C:\Program Files, and %DOCSETTINGS% is the user's profile folder under Documents and Settings, e.g. C:\Documents and Settings\username)
The following domains are accessed:
- antivirus2008x.com
- 72-9-108-82.reverse.ezzi.net
Symptoms
- Presence of previously mentioned registry entries
- Presence of previously mentioned files
- Presence of unexpected network connections to previously mentioned domains
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the pretence that the executable is something beneficial. Distribution channels include spam email, IRC, P2P networks, newsgroup postings, etc.
Removal
All Users:
Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:
1. Update to the current engine and DAT files for detection and removal.
2. Run a complete system scan.
Modifications made to the system registry and/or INI files for the purpose of hooking system startup, including the .exe association and browser shortcut hijacks of the April 2010 variant, will be removed when cleaning with the recommended engine and DAT combination (or higher).
3. If the scan reports a modified Master Boot Record, restore a clean MBR from the Microsoft Recovery Console. Nothing in the behaviour described above touches the MBR, so this step is only needed when such a report appears.
On Windows XP:
Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password.
Issue the 'fixmbr' command to restore the Master Boot Record.
Follow the on-screen instructions.
Restart the computer and remove the CD from the CD-ROM drive.
On Windows Vista and 7:
Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer".
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
Follow the on-screen instructions.
Restart the computer and remove the CD from the CD-ROM drive.
Variants
N/A
Overview
-- Update February 26, 2010 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2010/02/25/killer_whale_scareware/
--
Generic FakeAlert.a will silently install Antivirus2008 and run a virus scan on the system. It falsely claims that it found viruses and requires the user to register the product to clean the system.