FakeAlert-IK
- Type: Trojan
- SubType: Trojan
- Discovery Date: 09/11/2009
- Length: Varies
- Minimum DAT: 5739 (09/12/2009)
- Updated DAT: 5787 (10/30/2009)
- Minimum Engine: 5.1.00
- Description Added: 09/11/2009
- Description Modified: 09/13/2009 11:18 PM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
-- Update September 14, 2009 -- The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/09/11/9_11_scareware/on/
--
FakeAlert-IK is a fake antivirus product which, upon installation, displays no EULA and shows fake warning messages.
Symptoms
Upon execution, FakeAlert-IK prompts the user to begin downloading Personal Antivirus.
It then downloads PAV.EXE from a domain named pencil-net[removed].com and saves it as C:\Program Files\PersonalAV\PAV.EXE.
The following registry keys are added or modified:
HKEY_CURRENT_USER\Environment "AVAPP"
Data: C:\Program Files\PersonalAV
HKEY_CURRENT_USER\Environment "AVUNINST"
Data: C:\Program Files\Common Files\Uninstall\PersonalAV\Uninstall.lnk
HKEY_LOCAL_MACHINE\SOFTWARE\772BF20DC8526CC834ED35F4D0ED1888 "bwjaxtpw"
Data: FybK;hj]:mRK?<?XML:NAMESPACE PREFIX = VZFqb /><VZFqb::nr_>!!
HKEY_LOCAL_MACHINE\SOFTWARE\772BF20DC8526CC834ED35F4D0ED1888 "bwjayrhtfxnv"
Data: G;N:AQRL:PFl:l:lCDjL@?r`W!!
HKEY_LOCAL_MACHINE\SOFTWARE\772BF20DC8526CC834ED35F4D0ED1888 "iakatevb"
Data: DuJ==D^j:]JZN!
HKEY_LOCAL_MACHINE\SOFTWARE\772BF20DC8526CC834ED35F4D0ED1888 "ilpdlitgd"
Data: AhbJBufLw!!
HKEY_LOCAL_MACHINE\SOFTWARE\772BF20DC8526CC834ED35F4D0ED1888 "iyruteadv"
Data: =NjJL!!
HKEY_LOCAL_MACHINE\SOFTWARE\772BF20DC8526CC834ED35F4D0ED1888 "leibdok"
Data: ?
HKEY_LOCAL_MACHINE\SOFTWARE\772BF20DC8526CC834ED35F4D0ED1888 "qbwji"
Data: ;yNm?fFZ>!
HKEY_LOCAL_MACHINE\SOFTWARE\772BF20DC8526CC834ED35F4D0ED1888 "qlgoldt"
Data: BiO?UwSqQs;??c?>SLcQJ^cNR
HKEY_LOCAL_MACHINE\SOFTWARE\772BF20DC8526CC834ED35F4D0ED1888 "qlgqlkw"
Data: ;@clQ=WoVTWOUp;mWC??Y=w_OXwpYm?aUE_aUgWYg!!
HKEY_LOCAL_MACHINE\SOFTWARE\772BF20DC8526CC834ED35F4D0ED1888 "qlgtsfgcpxgv"
Data: DHkpSrWOSuOQS>OYV!!
HKEY_LOCAL_MACHINE\SOFTWARE\772BF20DC8526CC834ED35F4D0ED1888 "qlgwpi"
Data: G:^\>:v]Cevl=
HKEY_LOCAL_MACHINE\SOFTWARE\772BF20DC8526CC834ED35F4D0ED1888 "veizecjw"
Data: FNB=N!!
HKEY_LOCAL_MACHINE\SOFTWARE\772BF20DC8526CC834ED35F4D0ED1888 "yjjalcawqjy"
Data: >a><>Zr=>mr]Dt:k:qJj>g^H;!!
HKEY_LOCAL_MACHINE\SOFTWARE\772BF20DC8526CC834ED35F4D0ED1888 "yjwgtctb"
Data: (data too large: 6862 bytes)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "PersonalAV"
Data: C:\Program Files\PersonalAV\PAV.exe
The following files are added:
c:\Documents and Settings\All Users\Start Menu\PersonalAV\Personal Antivirus.lnk
Size: 675 bytes
c:\Documents and Settings\All Users\Start Menu\PersonalAV\Uninstall.lnk
Size: 711 bytes
c:\Program Files\Common Files\Uninstall\PersonalAV\Uninstall.lnk
Size: 683 bytes
c:\Program Files\PersonalAV\PAV.exe
Size: 1,323,008 bytes
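One way to hunt for the registry artefacts listed above on other hosts, as an added example that is not part of the McAfee description: a Python script that parses a `reg export` (.reg) file and matches the AVAPP/AVUNINST environment values, the PersonalAV Run entry and the hash-named key. The sample export embedded in the script is constructed for the demonstration.

```python
"""Hunt for FakeAlert-IK ("Personal Antivirus") artefacts in a `reg export` file."""
import re
# Indicators taken from the advisory: (key path, value name, substring expected in data)
INDICATORS = [
    (r"HKEY_CURRENT_USER\Environment", "AVAPP", r"\PersonalAV"),
    (r"HKEY_CURRENT_USER\Environment", "AVUNINST", r"\PersonalAV\Uninstall.lnk"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "PersonalAV", r"\PersonalAV\PAV.exe"),
]
# The hash-named key holds only obfuscated blobs, so its mere presence counts as a hit.
SUSPECT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\772BF20DC8526CC834ED35F4D0ED1888"

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from .reg text (string values only)."""
    values, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.fullmatch(r"\[(.+)\]", line)
        val = re.fullmatch(r'"([^"]+)"="(.*)"', line)
        if key:
            current = key.group(1)
            values.setdefault(current, {})
        elif val and current is not None:
            # .reg files escape backslashes and quotes; undo that before comparing
            values[current][val.group(1)] = val.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return values

def find_fakealert_ik(text):
    """Return human-readable findings; an empty list means nothing matched."""
    reg = parse_reg_export(text)
    hits = []
    for key, name, needle in INDICATORS:
        data = reg.get(key, {}).get(name)
        if data is not None and needle.lower() in data.lower():
            hits.append(f"{key}\\{name} = {data}")
    if SUSPECT_KEY in reg:
        hits.append(f"{SUSPECT_KEY} present ({len(reg[SUSPECT_KEY])} values)")
    return hits

# Constructed sample export resembling an infected host; not a real capture.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Environment]
"AVAPP"="C:\\Program Files\\PersonalAV"
"AVUNINST"="C:\\Program Files\\Common Files\\Uninstall\\PersonalAV\\Uninstall.lnk"
[HKEY_LOCAL_MACHINE\SOFTWARE\772BF20DC8526CC834ED35F4D0ED1888]
"leibdok"="?"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PersonalAV"="C:\\Program Files\\PersonalAV\\PAV.exe"
"""
```

Run `reg export HKCU\Environment env.reg` (and likewise for the HKLM keys) on the host under review, then pass the file contents to `find_fakealert_ik`; any non-empty result warrants cleaning with the DAT combination given under Removal.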
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include spam e-mails, IRC, P2P networks, newsgroup postings, etc.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
Once installed on a system, FakeAlert-IK generates fake infection warnings and urges the user to purchase a registered copy of the product in order to clean them. Unsuspecting users may be taken in by such scare tactics.