FakeAlert-R

Type: Trojan
SubType: Win32
Discovery Date: 09/12/2007
Length:
Minimum DAT: 5118 (09/12/2007)
Updated DAT: 5715 (08/20/2009)
Minimum Engine: 4.4.00
Description Added: 09/12/2007
Description Modified: 09/13/2007 3:19 AM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

This trojan is composed of several components, all detected as FakeAlert-R (the executables) or FakeAlert-R.dll (the BHO):

  • %Temp%\frmwrk.exe: the main component; it downloads the others.
  • %Sysdir%\bho.dll: installed as a Browser Helper Object (BHO) for Internet Explorer and detected as FakeAlert-R.dll
  • %Sysdir%\center1.exe
  • %Sysdir%\center2.exe
  • %Sysdir%\center.exe
  • %Sysdir%\win321.exe
  • %Sysdir%\win32.exe

Upon execution the trojan shows a popup balloon with a warning message (shown as a screenshot in the original description).

The remaining components are then downloaded from downloadfilesldr.com and www.spywaresoftstop.com.

A few seconds later the desktop wallpaper is replaced with a black background carrying a red rectangle at the bottom right that displays a fake infection message.

The following windows then pop up at regular intervals:

  • A fake Dr. Watson crash dialog.
  • A fake Windows Security Center warning referring to "Trojan.Spambot.PBFRV2".

In addition, an HTML page may be displayed when Internet Explorer starts.

All of these messages try to lure the user into clicking a link that delivers the advertised antispyware product.

The trojan creates the following Run entry so that its main component is started at every logon (the value lives under HKEY_LOCAL_MACHINE, so writing it requires administrative rights):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows Framework"
     Data: C:\DOCUME~1\{username}\LOCALS~1\Temp\frmwrk.exe

The following keys and values are also created. The four policy values under HKEY_CURRENT_USER lock the desktop and block the obvious countermeasures: NoChangingWallpaper disables all options on the Background tab of Display in Control Panel, NoActiveDesktopChanges removes the Web tab and prohibits Active Desktop changes, NoSetActiveDesktop removes the Active Desktop item from the Settings menu, and DisableTaskMgr disables Task Manager so the user cannot end the processes. The HKEY_CLASSES_ROOT keys are the COM registration of bho.dll (ProgID, CLSID, interfaces and type library); note that Internet Explorer loads a BHO only if its CLSID is also listed under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects, a key this description does not list:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallpaper"
      Data: 01, 00, 00, 00
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoActiveDesktopChanges"
      Data: 01, 00, 00, 00
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoSetActiveDesktop"
      Data: 01, 00, 00, 00
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr"
      Data: 01, 00, 00, 00
  • HKEY_CLASSES_ROOT\BhoNew.BhoApp "(Default)"
      Data: BhoApp Class
  • HKEY_CLASSES_ROOT\BhoNew.BhoApp.1 "(Default)"
      Data: BhoApp Class
  • HKEY_CLASSES_ROOT\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} "(Default)"
      Data: BhoApp Class
  • HKEY_CLASSES_ROOT\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91} "(Default)"
      Data: _IBhoAppEvents
  • HKEY_CLASSES_ROOT\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5} "(Default)"
      Data: IBhoApp
  • HKEY_CLASSES_ROOT\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0 "(Default)"
      Data: BhoNew 1.0 Type Library
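The registry entries above are the indicators an analyst would check on a suspect machine. The script below is an added example, not AVERT's code or any McAfee tool: it parses a registry export in .reg format, flags the Run-key persistence entry, the four policy lockdowns and the COM/BHO registration names listed above, and generates a .reg fragment that reverts them. The embedded sample export is constructed (the user name "victim" and the benign ctfmon.exe entry are made up), and the Browser Helper Objects key in it is where Internet Explorer looks up BHO CLSIDs; the description does not say the CLSID is registered there, so that line is an assumption.

```python
"""Scan a .reg export for the FakeAlert-R registry indicators and build a .reg
fragment that reverts them.  Added example, not AVERT code; SAMPLE_EXPORT is
constructed (the user name "victim" and the ctfmon.exe entry are made up)."""
import re

MARKERS = {  # COM registration names from the description, matched anywhere in a key path
    "{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}": "BhoApp CLSID",
    "{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}": "_IBhoAppEvents interface",
    "{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}": "IBhoApp interface",
    "{A8954909-1F0F-41A5-A7FA-3B376D69E226}": "BhoNew type library",
    "BHONEW.BHOAPP": "BhoApp ProgID",
}
POLICIES = {  # (upper-cased key suffix, value name) -> effect when the value is non-zero
    ("POLICIES\\ACTIVEDESKTOP", "NoChangingWallpaper"): "wallpaper change blocked",
    ("POLICIES\\EXPLORER", "NoActiveDesktopChanges"): "Active Desktop changes blocked",
    ("POLICIES\\EXPLORER", "NoSetActiveDesktop"): "Active Desktop menu item removed",
    ("POLICIES\\SYSTEM", "DisableTaskMgr"): "Task Manager disabled",
}
RUN_VALUE, DROPPER = "Windows Framework", "frmwrk.exe"

SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Framework"="C:\\DOCUME~1\\victim\\LOCALS~1\\Temp\\frmwrk.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallpaper"=hex:01,00,00,00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=dword:00000001
"NoSetActiveDesktop"=dword:00000000

[HKEY_CLASSES_ROOT\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}]
@="BhoApp Class"
; Assumed, not in the description: the key where Internet Explorer looks up BHO CLSIDs.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}]
'''


def _decode(raw):
    """Decode one .reg data field: "string", dword:XXXXXXXX or hex[(type)]:aa,bb,..."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # unescape \\ and \"
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex"):
        return bytes(int(b, 16) for b in raw.split(":", 1)[1].split(",") if b)
    return raw


def parse_reg(text):
    """Parse .reg text into {key path: {value name: decoded data}}."""
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line, i = lines[i].strip(), i + 1
        while line.endswith("\\") and i < len(lines):  # hex data continued on the next line
            line, i = line[:-1] + lines[i].strip(), i + 1
        if not line or line[0] == ";" or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            keys[current]["(Default)" if name == "@" else name.strip('"')] = _decode(raw)
    return keys


def _nonzero(data):
    return any(data) if isinstance(data, bytes) else isinstance(data, int) and data != 0


def scan(keys):
    """Return (kind, key, name, detail) tuples for every indicator present."""
    hits = []
    for key, values in keys.items():
        upper = key.upper()
        if upper.endswith("\\CURRENTVERSION\\RUN"):  # autostart of the dropper only
            for name, data in values.items():
                if name == RUN_VALUE or (isinstance(data, str) and data.lower().endswith(DROPPER)):
                    hits.append(("persistence", key, name, data))
        for (suffix, vname), effect in POLICIES.items():  # user lockdown policies
            if upper.endswith(suffix) and _nonzero(values.get(vname)):
                hits.append(("policy", key, vname, effect))
        for marker, what in MARKERS.items():  # COM/BHO registration
            if marker in upper:
                hits.append(("bho", key, marker, what))
    return hits


def remediation_reg(hits):
    """.reg fragment undoing the hits: "Name"=- deletes a value, [-Key] deletes a key."""
    out, deleted = ["Windows Registry Editor Version 5.00", ""], set()
    for kind, key, name, _ in hits:
        if kind != "bho":
            out += [f"[{key}]", f'"{name}"=-', ""]
        elif key not in deleted:
            deleted.add(key)
            out += [f"[-{key}]", ""]
    return "\n".join(out)


if __name__ == "__main__":
    found = scan(parse_reg(SAMPLE_EXPORT))
    print(*found, remediation_reg(found), sep="\n")
```

A real export written by regedit or `reg export` is UTF-16LE with a byte-order mark, so read it with encoding="utf-16" before handing the text to parse_reg. Review the generated fragment before importing it; it only reverts registry changes, and the dropped files listed earlier still have to be removed.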

Symptoms

  • Fake system alerts warning of an active malicious program, as described under Characteristics.
  • Presence of the files and registry entries listed above.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the pretense that the executable is something beneficial. Trojans may also arrive as a result of poor security practices, unpatched machines and vulnerable systems. Distribution channels include IRC, peer-to-peer networks, email, newsgroup postings, etc.

Removal

AVERT recommends always using the latest DATs and engine; this threat is cleaned with that combination (the minimum DAT and engine versions are listed above).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

Like other members of this family, FakeAlert-R shows fake warning messages alarming users that their machine is infected or at risk. The intention behind all of the fake messages is to drive users to download the advertised antispyware product.
