FakeAlert-C

Type: Trojan
SubType: Win32
Discovery Date: 04/14/2006
Length: 19,456 bytes (may vary)
Minimum DAT: 4741 (04/14/2006)
Updated DAT: 5390 (09/23/2008)
Minimum Engine: 5.1.00
Description Added: 04/14/2006
Description Modified: 03/22/2008 8:39 AM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

Upon execution, the trojan downloads the latest version of itself from http://www.sig{removed}down.biz/get.php

The trojan adds a tray icon and displays fake alert messages like those shown in the screenshot below.

[Screenshot: fake alert messages displayed by the trojan]

It creates the following files:

  • %WINDIR%\system32\sttwrd.dll
  • %PROGRAM FILES%\AntiVirGear 4.0\AntiVirGear 4.0.url
  • %PROGRAM FILES%\AntiVirGear 4.0\avrg.dat
  • %PROGRAM FILES%\AntiVirGear 4.0\blacklist.txt
  • %PROGRAM FILES%\AntiVirGear 4.0\msvcp71.dll
  • %PROGRAM FILES%\AntiVirGear 4.0\msvcr71.dll
  • %PROGRAM FILES%\AntiVirGear 4.0\uninst.exe
  • %PROGRAM FILES%\AntiVirGear 4.0\Lang\English.ini

      (Where %WINDIR% is the Windows directory, for example C:\WINDOWS, and %PROGRAM FILES% is the Program Files directory, for example C:\Program Files)

It adds the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\AntiVirGear 4.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3BC3AC5B-3BBB-9DBE-8166-EC650E3B9B48}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f0c5ef8b-f4bb-4612-9ea8-361fff3da3d5}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{018F69F6-2F09-42BF-96D9-A4A06B4E1289}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0E5910E8-89E6-4D16-8C9F-6BF3BE10E2F0}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{12290597-6751-4E07-9AF4-D2C8848C1E0B}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2A7A426E-466D-41C8-921F-320ECF856C8D}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{35ED8156-35A7-482B-B085-546A927A73AD}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{39A2B76E-6CD0-4BF8-9639-9C053F4E5E58}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3A21343D-E5F6-444F-A088-A157A8E7E9F8}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3EC1588B-797A-4059-9F54-19A443F291D0}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{47A82CB2-1C51-4558-BBEB-524AFF2E60BB}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7D605E52-8223-4AA6-8670-3308AB8941C7}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{90A53AF4-6D8F-4AC0-9D25-365F220E6F39}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CBC5CEC1-6871-4011-AF99-F1FFF6AE6715}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CC2C9870-0B1F-4807-9AD4-CF5F7BEC14C0}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DF8F1049-B40B-4AC3-8E7F-E3DA9D49E794}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E69962F0-F299-40F4-946E-7B08239AAC18}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EA263354-02FF-4D8B-B6F3-70048756891B}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{80494F71-0681-481D-B682-CC0723709AFF}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\AntiVirGear 4.0.exe 4.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiVirGear 4.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\AntiVirGear 4.0

Symptoms

Presence of the files and registry keys listed above.
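As an added example (not part of the AVERT description), the following PowerShell script checks a host for the files and registry keys listed under Characteristics and reports any that are present. It assumes the installer is 32-bit, so on 64-bit Windows it also looks in the Program Files (x86) directory and the Wow6432Node registry view; it only reads and never removes anything, so it serves as a triage check, not a removal tool.

```powershell
# Added example, not part of the AVERT description: read-only triage check for
# the FakeAlert-C artifacts listed above. It reports which of the described
# files and registry keys are present on this host and removes nothing.
# Run from an elevated PowerShell prompt so HKLM and system32 are readable.

# --- File artifacts (placeholders from the description resolved to this host) ---
# Assumption: the installer is 32-bit, so on 64-bit Windows the x86 Program
# Files directory is checked as well as the native one.
$programDirs = @($env:ProgramFiles)
if (${env:ProgramFiles(x86)}) { $programDirs += ${env:ProgramFiles(x86)} }

$relativeFiles = @(
    'AntiVirGear 4.0\AntiVirGear 4.0.url',
    'AntiVirGear 4.0\avrg.dat',
    'AntiVirGear 4.0\blacklist.txt',
    'AntiVirGear 4.0\msvcp71.dll',
    'AntiVirGear 4.0\msvcr71.dll',
    'AntiVirGear 4.0\uninst.exe',
    'AntiVirGear 4.0\Lang\English.ini'
)
$fileArtifacts = @(Join-Path $env:windir 'system32\sttwrd.dll')
foreach ($dir in $programDirs) {
    foreach ($rel in $relativeFiles) { $fileArtifacts += Join-Path $dir $rel }
}

# --- Registry artifacts (HKEY_LOCAL_MACHINE -> HKLM:, HKEY_CURRENT_USER -> HKCU:) ---
$interfaceGuids = @(
    '{018F69F6-2F09-42BF-96D9-A4A06B4E1289}', '{0E5910E8-89E6-4D16-8C9F-6BF3BE10E2F0}',
    '{12290597-6751-4E07-9AF4-D2C8848C1E0B}', '{2A7A426E-466D-41C8-921F-320ECF856C8D}',
    '{35ED8156-35A7-482B-B085-546A927A73AD}', '{39A2B76E-6CD0-4BF8-9639-9C053F4E5E58}',
    '{3A21343D-E5F6-444F-A088-A157A8E7E9F8}', '{3EC1588B-797A-4059-9F54-19A443F291D0}',
    '{47A82CB2-1C51-4558-BBEB-524AFF2E60BB}', '{7D605E52-8223-4AA6-8670-3308AB8941C7}',
    '{90A53AF4-6D8F-4AC0-9D25-365F220E6F39}', '{CBC5CEC1-6871-4011-AF99-F1FFF6AE6715}',
    '{CC2C9870-0B1F-4807-9AD4-CF5F7BEC14C0}', '{DF8F1049-B40B-4AC3-8E7F-E3DA9D49E794}',
    '{E69962F0-F299-40F4-946E-7B08239AAC18}', '{EA263354-02FF-4D8B-B6F3-70048756891B}'
)
$registryArtifacts = @(
    'HKLM:\SOFTWARE\AntiVirGear 4.0',
    'HKLM:\SOFTWARE\Classes\CLSID\{3BC3AC5B-3BBB-9DBE-8166-EC650E3B9B48}',
    'HKLM:\SOFTWARE\Classes\CLSID\{f0c5ef8b-f4bb-4612-9ea8-361fff3da3d5}',
    'HKLM:\SOFTWARE\Classes\TypeLib\{80494F71-0681-481D-B682-CC0723709AFF}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\AntiVirGear 4.0.exe 4.0',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiVirGear 4.0',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\AntiVirGear 4.0'
)
foreach ($guid in $interfaceGuids) {
    $registryArtifacts += "HKLM:\SOFTWARE\Classes\Interface\$guid"
}
# On 64-bit Windows, HKLM\SOFTWARE writes from a 32-bit process are redirected
# to Wow6432Node, so each HKLM\SOFTWARE key is also tested in that view.
$wowView = @($registryArtifacts |
    Where-Object { $_ -like 'HKLM:\SOFTWARE\*' } |
    ForEach-Object { $_ -replace '^HKLM:\\SOFTWARE\\', 'HKLM:\SOFTWARE\Wow6432Node\' })
$registryArtifacts += $wowView

# --- Check presence. -LiteralPath keeps braces and brackets in the key names
# from being interpreted as wildcards. ---
$found = @()
foreach ($path in $fileArtifacts) {
    if (Test-Path -LiteralPath $path) { $found += [pscustomobject]@{ Type = 'File'; Path = $path } }
}
foreach ($path in $registryArtifacts) {
    if (Test-Path -LiteralPath $path) { $found += [pscustomobject]@{ Type = 'RegistryKey'; Path = $path } }
}

if ($found.Count -eq 0) {
    Write-Output 'None of the FakeAlert-C artifacts from the description are present.'
} else {
    Write-Output "Found $($found.Count) artifact(s) matching the FakeAlert-C description:"
    $found | Format-Table -AutoSize
}
```

A hit on any of the listed paths is a strong indicator, since the AntiVirGear 4.0 directory and the CLSID/Interface GUIDs are specific to this family; an empty result only means these particular artifacts are absent, so an up-to-date scan with the DAT and engine versions in the header remains the authoritative check.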

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Trojans may also be received as a result of poor security practices, or on unpatched and otherwise vulnerable machines. Distribution channels include IRC, peer-to-peer networks, email, newsgroup postings, etc.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned with that combination.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This detection covers a trojan that displays fake alert messages on the user's system.

Aliases

  • Application/ErrorSafe (Panda)
  • not-virus:Hoax.Win32.Renos.lx (Kaspersky)
