Content

FakeAlert-AB

Type
Trojan
SubType
Win32
Discovery Date
01/09/2008
Length
Varies
Minimum DAT
5203 (01/09/2008)
Updated DAT
5488 (01/07/2009)
Minimum Engine
5.2.00
Description Added
01/09/2008
Description Modified
07/28/2008 4:58 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

Upon execution, the trojan drops the following file.

  • %System%\scui.cpl (detected as FakeAlert-AB)

Note:
%System% is a variable location and refers to the windows system directory.

The following registry keys are created:

  • HKEY_CURRENT_USER\Software\(random hex strings)\Options"
    • AdvancedScanType" = 1
    • "AfterRegisterUrl" =  http://liveresponsesite.com/confirm.php?product=%product%&aff=%aff%&email=%email%&update=%update%&cookie_type=%cookie_type%&cookie=%cookie%
    • "BillingRegURL" =  http://liveresponsesite.com/order_xp.php?ver=%aff%
    • "BillingURL" = http://liveresponsesite.com/license.php?Email=%email%&AffiliateID=%aff%
    • "BillingURL2"  
    • "BillingUrlApproved"
    • "BillingUrlApproved2"
    • "FirstRunUrl" = http://liveresponsesite.com/firstrun.php?product=%product%&aff=%aff%&update=%update%
    • "HelpURL" = http://liveresponsesite.com/help.php
    • "LabelUrl"
    • "LastRun"
    • "LastScan"
    • "Scans"  = 1
    • "SecurityVector"
    • "TermsUrl" = http://liveresponsesite.com/terms.php
    • "TransactionKey" = (random)


The trojan shows the following fake warnings in bubble warning.

Also shows one of the following warnings:

Windows Security Center
Windows Security Center reports that 'XP antivirus' is inable. Antivirus software helps to protect
your computer against viruses and other security threats. Click Recommendations
for the suggested actions. Your system might be at a risk now.

Privacy Violation alert!
XP antivirus detected Privacy Violation. Some program is secretly sending your private data to untrusted internet host. Click here to block this activity by removing threats (Recommended).

System files modification alert!
Some critical system files of your computer were modified by malicious program. It may cause system instability and data loss. Click here to block unathorised modification by removing threats (Recommended).

Internal conflict alert!
XP antivirus detected internal software conflict. Some application tries to get access to system kernel (such behavior is typical to Spyware/Malware). It may cause crash of your computer. Click here to prevent system crash by removing threats (Recommended).

Spyware activity alert!
Spyware.IEMonster activity detected. It is spyware that attempts to steal passwords from Internet Explorer, Mozilla Firefox, Outlook and other programs, including logins and passwords from online banking sessions, eBay, PayPal. It may also create special tracking files to log your activity and compromise your Internet privacy. It's strongly recommended to remove this threat as soon as possible. Click here to remove Spyware.IEMonster.


Then it launches the XP Antiviurs to show fake malware scan reports.


It pops up the following registration pane to let users to type in e-mail address for purchase.


Symptoms

  • Presence of the mentioned files and registry keys.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

All Information

Overview -

This is a detection for a trojan that displays misleading fake alerts to entice the user into buying a product to "repair" malware problems.

Aliases

  • Adware/Xpantivirus2008 (Panda)
  • Program:Win32/XPAntiVirus (Microsoft)
  • Troj/FakeAv-V (Sophos)
  • TROJ_FAKEALRT.BK (Trend Micro)
  • Trojan-Downloader.Win32.FraudLoad.gen (Kaspersky)
  • Trojan.Fakeavalert (Symantec)

Characteristics

Characteristics -

Upon execution, the trojan drops the following file.

  • %System%\scui.cpl (detected as FakeAlert-AB)

Note:
%System% is a variable location and refers to the windows system directory.

The following registry keys are created:

  • HKEY_CURRENT_USER\Software\(random hex strings)\Options"
    • AdvancedScanType" = 1
    • "AfterRegisterUrl" =  http://liveresponsesite.com/confirm.php?product=%product%&aff=%aff%&email=%email%&update=%update%&cookie_type=%cookie_type%&cookie=%cookie%
    • "BillingRegURL" =  http://liveresponsesite.com/order_xp.php?ver=%aff%
    • "BillingURL" = http://liveresponsesite.com/license.php?Email=%email%&AffiliateID=%aff%
    • "BillingURL2"  
    • "BillingUrlApproved"
    • "BillingUrlApproved2"
    • "FirstRunUrl" = http://liveresponsesite.com/firstrun.php?product=%product%&aff=%aff%&update=%update%
    • "HelpURL" = http://liveresponsesite.com/help.php
    • "LabelUrl"
    • "LastRun"
    • "LastScan"
    • "Scans"  = 1
    • "SecurityVector"
    • "TermsUrl" = http://liveresponsesite.com/terms.php
    • "TransactionKey" = (random)


The trojan shows the following fake warnings in bubble warning.

Also shows one of the following warnings:

Windows Security Center
Windows Security Center reports that 'XP antivirus' is inable. Antivirus software helps to protect
your computer against viruses and other security threats. Click Recommendations
for the suggested actions. Your system might be at a risk now.

Privacy Violation alert!
XP antivirus detected Privacy Violation. Some program is secretly sending your private data to untrusted internet host. Click here to block this activity by removing threats (Recommended).

System files modification alert!
Some critical system files of your computer were modified by malicious program. It may cause system instability and data loss. Click here to block unathorised modification by removing threats (Recommended).

Internal conflict alert!
XP antivirus detected internal software conflict. Some application tries to get access to system kernel (such behavior is typical to Spyware/Malware). It may cause crash of your computer. Click here to prevent system crash by removing threats (Recommended).

Spyware activity alert!
Spyware.IEMonster activity detected. It is spyware that attempts to steal passwords from Internet Explorer, Mozilla Firefox, Outlook and other programs, including logins and passwords from online banking sessions, eBay, PayPal. It may also create special tracking files to log your activity and compromise your Internet privacy. It's strongly recommended to remove this threat as soon as possible. Click here to remove Spyware.IEMonster.


Then it launches the XP Antiviurs to show fake malware scan reports.


It pops up the following registration pane to let users to type in e-mail address for purchase.


Symptoms

Symptoms -

  • Presence of the mentioned files and registry keys.

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

    N/A