FakeAlert-D!56c05f7f

Type: Trojan
SubType: Win32
Discovery Date: 07/30/2007
Length: 18,432 bytes
Minimum DAT: 5087 (07/31/2007)
Updated DAT: 5087 (07/31/2007)
Minimum Engine: 5.1.00
Description Added: 07/30/2007
Description Modified: 07/30/2007 9:25 PM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

Upon execution, the trojan installs itself at:

  • %Windir%\System32\WinAvX.exe

(Where %Windir% is the Windows folder; e.g. C:\Windows)

The trojan displays a popup dialog with a bogus alert message (screenshot not reproduced here).

It also installs a taskbar icon that displays a similar bogus warning message (screenshot not reproduced here).

Clicking the fake warning message redirects the browser to http://{blocked}.winantivirus.com or http://freere{blocked}tympegs.com/movie/{random}/{random}/{random}/, which directs the user to download the antispyware product "WinAntiVirus Pro"; that product is detected as the potentially unwanted program WinFixer.

In addition, the trojan attempts to terminate processes and services belonging to security products, matching them against a hardcoded list of executable names, service names and window names.

It also overwrites the system hosts file at %Windir%\System32\drivers\etc\hosts, redirecting a hardcoded list of security-vendor and Windows Update domain names to a local IP address so that security updates cannot be downloaded. The list also contains several known advertising-related sites.

A hosts file modified in this way is detected as the QHosts-54 trojan.
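As an added example (not part of the original description), a small hosts-file checker that flags the kind of entry described above: a security-vendor or update domain mapped to a loopback or otherwise non-routable address. The watched-domain list is a subset of the domains in the description, and the sample hosts file is constructed.

```python
import ipaddress
import re

# Suspicious hosts-file targets: a subset of the security-vendor and update
# domains listed in the description above.
WATCHED_SUFFIXES = (
    "microsoft.com", "symantec.com", "symantecliveupdate.com", "mcafee.com",
    "nai.com", "kaspersky.com", "kaspersky-labs.com", "f-secure.com",
    "sophos.com", "trendmicro.com", "virustotal.com", "ca.com", "grisoft.com",
)

def _is_sinkhole(addr):
    """Loopback, unspecified, private or link-local: the vendor is unreachable."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified or ip.is_private or ip.is_link_local

def _is_watched(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)

def find_hijacked_entries(hosts_text):
    """Return (line_number, address, hostname) for every entry that maps a
    watched domain to a sinkhole address; comments and localhost are ignored."""
    hits = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = re.split(r"\s+", line)
        addr, names = fields[0], fields[1:]
        if _is_sinkhole(addr):
            hits.extend((lineno, addr, n) for n in names if _is_watched(n))
    return hits

# Constructed sample: one normal loopback entry followed by entries of the
# kind the trojan writes (domains taken from the list in the description).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       liveupdate.symantec.com www.symantec.com
127.0.0.1       www.mcafee.com   # injected entry
"""

if __name__ == "__main__":
    for lineno, addr, name in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr}")
```

Running it against a real machine means reading %Windir%\System32\drivers\etc\hosts and passing its contents to find_hijacked_entries; a legitimate hosts file produces no hits.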

Symptoms

  • Display of the popup alert dialogs mentioned.
  • Presence of the mentioned file(s).
  • Modification of the hosts file as mentioned.
  • Modification of the default start and search page to:
    • www.google.com/ie
  • Creation of the following registry key(s) to hook startup:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"WinAVX" = "%Windir%\System32\WinAvX.exe"
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"WinAVX" = "%Windir%\System32\WinAvX.exe"
  • Creation of the following registry key(s) to modify system configuration:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = 0x00000001
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWindowsUpdate = 0x00000001


Method of Infection

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Removal

All Users:
Use specified engine and DAT files for detection.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

Like other malware in this family, FakeAlert-D shows a fake warning message alarming the user that their machine is infected or at risk. The intention behind all of the fake messages is to drive users to download the advertised antispyware product.
