FakeAlert-S.dll

Type: Trojan
SubType: Application extension
Discovery Date: 09/13/2007
Length: varies
Minimum DAT: 5119 (09/13/2007)
Updated DAT: 5386 (09/17/2008)
Minimum Engine: 5.1.00
Description Added: 09/13/2007
Description Modified: 09/21/2007 6:06 AM (PT)

Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

This trojan DLL is usually dropped by another executable and then loaded.

Once the DLL is loaded, it displays a fake alert in a system tray balloon claiming that spyware programs are present on the system, and prompts the user to download antispyware software.

Unlike similar trojans, which take the user to the fake antispyware product's webpage when the message is clicked, this trojan downloads and installs fake antispyware software called "SPYLOCKED" from dl1.spylocked.com, even before the user clicks on the alert message.

The installed software then displays fake messages about spyware programs found on the system, which in reality either do not exist or are dropped by the software itself, and prompts the user to buy the product.

If the Spylocked antispyware software is installed, clicking on the alert message at any time launches the fake antispyware software; otherwise, the Spylocked antispyware webpage is opened.

The trojan adds registry keys so that it loads at system startup; they may look like the following.

  • HKEY_CLASSES_ROOT\CLSID\{596E4935-4D3B-4A3C-842D-2EFD1B3DE598}\InProcServer32 "(Default)"
    Data: path to the dll
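
The registry entry listed above can be checked on a host with a script along these lines. This is an added example, not code from the original description; the helper name Find-ClsidRegistration and the list of hive locations are assumptions, and the CLSID is the one given above.

```powershell
# Added example (not from the original description): report where the CLSID
# listed above is registered and which DLL its InProcServer32 value names.
$Clsid = '{596E4935-4D3B-4A3C-842D-2EFD1B3DE598}'   # value from the description

# HKEY_CLASSES_ROOT is a merged view, so also look at the per-machine,
# 32-bit (WOW6432Node) and per-user class hives. The list is an assumption.
$Roots = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID',
    'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
)

function Find-ClsidRegistration {   # hypothetical helper name
    param([string]$Clsid, [string[]]$Roots)
    foreach ($root in $Roots) {
        $keyPath = "$root\$Clsid\InProcServer32"
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }

        # GetValue('') reads the key's "(Default)" value: the path to the DLL.
        $raw = (Get-Item -LiteralPath $keyPath).GetValue('')
        if ([string]::IsNullOrWhiteSpace($raw)) { $dll = $null }
        else { $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"', ' ')) }

        $onDisk = $dll -and (Test-Path -LiteralPath $dll -PathType Leaf)
        [pscustomobject]@{
            RegistryKey = $keyPath
            DllPath     = $dll
            FileExists  = [bool]$onDisk
            # Hash and signature state help identify the file before cleanup.
            Sha256      = if ($onDisk) { (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash }
            Signature   = if ($onDisk) { (Get-AuthenticodeSignature -LiteralPath $dll).Status }
        }
    }
}

$hits = @(Find-ClsidRegistration -Clsid $Clsid -Roots $Roots)
if ($hits.Count -gt 0) { $hits | Format-List }
else { "CLSID $Clsid is not registered in the checked hives." }
```

The description says the keys "may appear like" this one, so an empty result does not by itself clear a host.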

Symptoms

Fake alert messages appear about the presence of spyware programs.

Presence of the Spylocked antispyware software on the system, without the user installing it.

Method of Infection

Trojans do not self-replicate. They often arrive as a desirable or intriguing file and conceal their true nature. Common ways to receive a trojan are through newsgroup postings, IRC, peer-to-peer networks, spam, etc.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Variants

    N/A

All Information

Overview

This detection is for a trojan which displays a fake alert message about the presence of spyware on the system and downloads fake Anti-spyware software.

Aliases

  • Troj/SpyLock-B (Sophos)
  • TROJ_DLOADER.IDT (Trend)
  • Trojan-Downloader.Win32.Agent.bkd (Kaspersky)
  • Win32/Hoax.Renos.NBR application (NOD32)
