FakeAlert-T
- Type: Trojan
- SubType: Win32
- Discovery Date: 10/10/2007
- Length: 28167 bytes
- Minimum DAT: 5138 (10/10/2007)
- Updated DAT: 5160 (11/09/2007)
- Minimum Engine: 5.1.00
- Description Added: 10/10/2007
- Description Modified: 10/10/2007 11:58 PM (PT)
Characteristics
Like other malware in this family, FakeAlert-T shows a fake warning message that alarms the user by claiming their machine is infected or at risk. The intent behind all the fake messages is to drive users to download the advertised antispyware product.
When setup.exe (28167 bytes) is run on the victim machine, the trojan copies itself to the following location.
- %WINDIR%\system32\nusrmgr.exe (134,663 bytes)
The following files are also downloaded.
- %WINDIR%\system32\din.ip (non-malicious) (15 bytes)
- %WINDIR%\system32\navwanvd.ini (non-malicious) (4 bytes)
- %WINDIR%\system32\drivers\detect.htm (hijacked start page of IE) (12,478 bytes)
- %WINDIR%\system32\drivers\s_detect.htm (part of hijacked start page of IE) (5,418 bytes)
- %WINDIR%\system32\drivers\pt.htm (part of hijacked start page of IE) (49,014 bytes)
One of the following registry keys is added, which loads the trojan at every startup.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
  "StubPath" = "%WINDIR%\system32\nusrmgr.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}
  "StubPath" = "%WINDIR%\system32\nusrmgr.exe"

One of the following can be displayed as a fake alert message.
- Your computer is infected.
  Windows has detected spyware infection! It is recommended to use special antispyware tools to prevent data loss. Windows will now download and install the most up-to-date antispyware for you. Click here to protect your computer from spyware!
- Warning:
  Your computer is infected with spyware! How to help protect your computer and remove spyware...Click here for more information.
  Your Security and Privacy are at risk.
- Spyware has been detected on your computer.Click here to run a FULL SYSTEM SCAN to protect your data...
- Your computer is working slowly!
  Slow operation speed might have been caused by malicious spyware. Download antispyware software and run full system scan to remove all viruses and spyware from your computer. Click here to start downloading...!
- Internet attack attempt detected.
  Somebody's trying to infect your PC with spyware or harmful viruses. Run full system scan now to protect your computer from Internet attacks, hijacking attempts and spyware. Click here for the list of available security updates...
- Your computer is not protected against spyware!
  Spyware able to steal your data including passwords, credit card numbers, etc. Scan your computer for spyware immediately! System scan is highly recommended!
- Alert: A minimum of 12 spyware entries found.
  To remove all spyware and viruses click here to visit Security Center web site and download spyware remover.!
- Possible spyware infection has been detected on your computer by Windows Security Center.
  Windows Security Center system warning
  Click here to visit Windows Security Center web site...
  To remove detected threat you need to update Windows antispyware protection.
When the user clicks the fake warning message, the browser is redirected to http://pcsecuritylab.com, which directs the user to download a rogue antispyware product, "AntiSpyStorm".
The trojan also connects to http://liveupdatesnet.com to download additional malware.
Symptoms
- Existence of the Registry keys described above
- Outgoing HTTP traffic to the domains http://liveupdatesnet.com and http://pcsecuritylab.com
Note: As the website being contacted is normally controlled by the malware author, any files being downloaded can be remotely modified and the behavior of these new binaries altered, possibly with every user infection.
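An added example (not part of the original write-up) for checking the registry symptom: it scans text saved from `reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s` and flags entries whose StubPath points at system32\nusrmgr.exe, or whose key name is shaped like a GUID but contains non-hex characters, as both keys listed above do. The function name, the assumed input layout and the sample text are constructed for illustration.

```python
import re

KEY = "\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\".lower()
# Key name shaped like a GUID: {8-4-4-4-12}. Real GUIDs contain hex digits only.
GUID_SHAPE = re.compile(r"^\{(\w{8})-(\w{4})-(\w{4})-(\w{4})-(\w{12})\}$")
HEX_ONLY = re.compile(r"^[0-9A-Fa-f]+$")
# Value line as printed by reg query: name, type, data separated by whitespace.
VALUE_LINE = re.compile(r"^\s+StubPath\s+REG_(?:EXPAND_)?SZ\s+(.*)$", re.I)
STUB_NAME = r"\system32\nusrmgr.exe"  # dropped file named in the write-up

# Constructed sample input: one benign-looking entry, one matching the write-up.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{01234567-89AB-CDEF-0123-456789ABCDEF}
    StubPath    REG_SZ    C:\WINDOWS\system32\example.exe /setup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
    StubPath    REG_SZ    C:\WINDOWS\system32\nusrmgr.exe
"""

def triage_active_setup(reg_query_text):
    """Return [(component_id, stub_path, [reasons])] for suspicious entries."""
    findings, component = [], None
    for line in reg_query_text.splitlines():
        if line.upper().startswith("HKEY_LOCAL_MACHINE"):
            idx = line.lower().find(KEY)
            component = line[idx + len(KEY):].strip() if idx != -1 else None
            continue
        match = VALUE_LINE.match(line)
        if not (match and component):
            continue
        stub, reasons = match.group(1).strip().strip('"'), []
        shape = GUID_SHAPE.match(component)
        if shape and not all(HEX_ONLY.match(g) for g in shape.groups()):
            reasons.append("GUID-shaped key name contains non-hex characters")
        if STUB_NAME in stub.lower():
            reasons.append("StubPath points at system32\\nusrmgr.exe")
        if reasons:
            findings.append((component, stub, reasons))
    return findings

if __name__ == "__main__":
    for component, stub, reasons in triage_active_setup(SAMPLE):
        print(component, stub, "; ".join(reasons), sep=" | ")
```

The non-hex check is independent of the file name, so it still fires if a later download changes what StubPath launches.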
Method of Infection
Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial. Trojans may also be received as a result of poor security practices, or unpatched machines and vulnerable systems. Distribution channels include IRC, peer-to-peer networks, email, newsgroup postings, etc.
Removal
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Variants
N/A
Aliases
- Trojan-Downloader.Win32.VB.bjr (Kaspersky)