Content

FakeAlert-AntiVirusPro

Type
Trojan
SubType
Win32
Discovery Date
03/25/2008
Length
Varies
Minimum DAT
5259 (03/25/2008)
Updated DAT
6545 (11/29/2011)
Minimum Engine
5.3.00
Description Added
03/25/2008
Description Modified
06/15/2011 4:29 PM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Tab Navigation

Characteristics

---- Updated June 16, 2010 ---

File Information –

    • MD5 - 7d7e604d52badfd5db140b71612292b4
    • SHA1 - d2eaaa3b735216c0c98ffdcaac10cae00031e86d

Aliases –

    • Avp - Trojan.Win32.FraudPack.cmpg
    • f-secure - MemScan:Trojan.Generic.5709906
    • msmp - ~VirTool:Win32/Obfuscator.XX
    • nav - VirusDoctor!gen1

Upon execution, the Trojan drops files into the following location

    • %Temp%\[random name].exe
    • %Temp%\del.bat

The Trojan connects to the following malicious sites:

    • tdncgo[removed].com
    • trdata[removed].com
    • fra[removed].net
    • websec[removed].com

After a while, the Trojan starts to show fake messages saying the system is infected with numerous viruses. The main window can have many names, including:

    • secure-guard.com
    • smart-security.net
    • security-guard.com
    • guard-smart.net
    • guard-shield.net
    • smart-protection.com
    • security-server.com
    • protection-smart.net

The Trojan searches for the following antivirus processes and other security related processes, if it found the Trojan tries to kill these applications.

    • msseces.exe
    • MSASCui.exe
    • ekrn.exe
    • egui.exe
    • avgnt.exe
    • avcenter.exe
    • avscan.exe
    • avgfrw.exe
    • avgui.exe
    • avgtray.exe
    • avgscanx.exe
    • avgcfgex.exe
    • avgemc.exe
    • avgchsvx.exe
    • avgcmgr.exe
    • avgwdsvc.exe winss.exe
    • WinSSUI.exe
    • OcHealthMon.exe
    • winssnotify.exe
    • MsMpEng.exe
    • msfwsvc.exe

The Trojan creates a mutex with the name "oleacc-msaa-loaded , to ensure only one instance of the Trojan is running at a time.

Note : [%Temp% - C:\Documents and Settings\[User Name]\Local Settings\Temp]]

----------

-- Update May 17, 2010 --

A new variant of this thread has been discovered recently, which shows the following characteristics:

 

On execution the malware creates the following files

  •  c:\Documents and Settings\Administrator\Local Settings\Temp\02c9c3c35bdx5.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\17dkf.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\1iowieoo.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\2010yo.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\472a10e2ebxd9.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\56493.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\8gmsed-bd.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\a75wef8e0e7.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\ae0965a7157cd.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\al3erfa3.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\aler3fa.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\alerfa.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\alerfa2.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\alerfa322.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\aqfitrlxi2.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\backd-efq.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\brdss.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\bzqa43d.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\cffd4.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\cocksucker.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\cosock.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\cunifuc.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\dc_3.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\dd10x10.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\ddhelp.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\ddoll3342.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\destroyer.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\dffuck.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\dkfjd93.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\ds7hw.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\dwl_bqz.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\eelnvd13.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\eephilpe.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\exppdf_w.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\fadz43.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\fe.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\format.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\g_dx234.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\gedx_ae09.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\gpupz2a.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\gpws_y-bbg.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\hardwh.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\hhbboll_2.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\hiphop.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\hjkgfddd.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\hodeme.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\htfad4.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\hvipws9.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\jdhellwo3.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\jkfuckjs.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\jofcdks.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\kgn.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\kilslmd.exex
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\kjdh_gf_jjdhgd.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\kjh102k3.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\kn.a.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\kock.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\ljts-23.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\lkhgg_ea.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\lols.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\lorsk.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\ploper.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\poertd.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\ppddfcfux.exxe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\pswwg3c.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\puzpup.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\qwedvor.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\qwklrvjhqlkj.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\r0life.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\rator.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\rsrtd12.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\rtfme.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\safe.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\snowif.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\sycre.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\test.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\timem.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\w32-reno-c.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\warsddd_w.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\wefgetn_00.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\wergfq.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\wined.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\winlogoff.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\wqefqw7e.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\wrcud12.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\wrfwe_di.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\wwautrsd.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\wwwsssgen.exe

The following registry entries were created by the malware

  • HKEY_CURRENT_USER\Software\Desktop Security 2010

It connects to the following URL when the victim tries to register the fake security product.

  • desktop<REMOVED>center.com

-- Update May 04, 2010 --

A new variant of this thread has been discovered recently, which shows the following characteristics:

Once executed, the malware drops a copy of itself with the following name:

  • %USERPROFILE%\Local Settings\Application data\av.exe
     (where %USERPROFILE% indicate the user profile directory, usually C:\Documents and Settings\username)

It also drop a file named "LNek" on this same directory with encrypted data stolen from the user.

The malware also disables the Windows firewall, automatic updates and any security notifications from Windows

Creates a system mutex to avoid being executed more than once:

  • cu43yxio32zdl11

Create the following registry keys:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum\0 = "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Identity = 0x4E7F89D2
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command\ = ""%USERPROFILE%\Local Settings\Application data\av.exe" /START "%1" %*"
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command\IsolatedCommand = ""%1" %*"
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command\ = ""%1" %*"
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command\IsolatedCommand = ""%1" %*"
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command\ = ""%1" %*"
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command\IsolatedCommand = ""%1" %*"
  • HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon\ = "%1"
  • HKEY_CURRENT_USER\Software\Classes\.exe\ = "secfile"
  • HKEY_CURRENT_USER\Software\Classes\.exe\Content Type = "application/x-msdownload"
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command\ = ""USERPROFILE%\Local Settings\Application data\av.exe" /START "%1" %*"
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command\IsolatedCommand = ""%1" %*"
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas\command\ = ""%1" %*"
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas\command\IsolatedCommand = ""%1" %*"
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\start\command\ = ""%1" %*"
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\start\command\IsolatedCommand = ""%1" %*"
  • HKEY_CURRENT_USER\Software\Classes\secfile\DefaultIcon\ = "%1"
  • HKEY_CURRENT_USER\Software\Classes\secfile\ = "Application"
  • HKEY_CURRENT_USER\Software\Classes\secfile\Content Type = "application/x-msdownload"


It also modify the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\ = ""%USERPROFILE%\Local Settings\Application data\av.exe" /START "C:\Arquivos de programas\Internet Explorer\iexplore.exe""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify = 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify = 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify = 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride = 0x00000001


After a while, it starts to show fake messages saying the system is infected with numerous viruses. The main window can have many names, including:

  • XP Antivirus Pro
  • XP Internet Security 2010
  • XP Guardian
  • Antivirus XP 2010

 

It can also show fake pop up messages informing the user's computer is at risk:

 

 

As other fake antivirus softwares, this one ask the user to register before allowing the viruses to be removed. This registration only has the intention of stealing the user's credit card information, as no virus exists on the user's system but the fake antivirus.

 

The malware also tries do contact any of the following domains, which may allow it to download additional malicious program to the infected machine:

  • pc-winlive.com
  • pccare-live.com
  • pc-windowslive.com
  • pcwindows-live.com
  • pcguard20-10.com
  • pc-winlive2010.com
  • pc-windows-live.com
  • pc-guard-20-10.com
  • pcwinlive.com
  • pc-carelive.com
  • pc-win-live-2010.com
  • pc-winlive-2010.com
  • pcwinlive-2010.com
  • lionerduvoska.com
  • gertunilosab.com
  • vionertugafe.com
  • nasedruvalkol.com
  • skajirnovaya.com
  • ellasotkamatu.com
  • kovanertuga.com
  • munkertulibo.com
  • iposkadertuv.com
  • neobkasederdu.com

 

-- Update December 17, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:  http://www.theregister.co.uk/2009/12/16/google_doodle_scareware/

--

When executed, this trojan creates the following folders:

  • C:\Documents and Settings\Administrator\Application Data\Internet Antivirus Pro
  • C:\Documents and Settings\Administrator\Application Data\Internet Antivirus Pro\db
  • C:\Documents and Settings\All Users\Start Menu\Programs\Internet Antivirus Pro
  • C:\Program Files\Internet Antivirus Pro
  • C:\Program Files\Internet Antivirus Pro\db
  • C:\Program Files\Internet Antivirus Pro\Languages

It then drops the following files:

  • %Appdata%\Internet Antivirus Pro\db\config.cfg
  • %Appdata%\Internet Antivirus Pro\db\Timeout.inf
  • %Appdata%\Internet Antivirus Pro\db\Urls.inf
  • %Appdata%\Microsoft\Internet Explorer\Quick Launch\Internet Antivirus Pro.lnk
  • %Appdata%\Microsoft\Windows\winlogon.exe
  • %AllUserProfile%\Desktop\Internet Antivirus Pro.lnk
  • %AllUserProfile%\Start Menu\Programs\Internet Antivirus Pro\Internet Antivirus Pro Home Page.lnk
  • %AllUserProfile%\Start Menu\Programs\Internet Antivirus Pro\Internet Antivirus ro.lnk
  • %AllUserProfile%\Start Menu\Programs\Internet Antivirus Pro\Purchase License.lnk
  • %AllUserProfile%\Start Menu\Programs\Internet Antivirus Pro\Uninstall  Internet Antivirus Pro.lnk
  • C:\Program Files\Common Files\118172char.exe
  • C:\Program Files\Common Files\222507paint.exe
  • C:\Program Files\Common Files\715805calc.exe
  • C:\Program Files\Internet Antivirus Pro\activate.ico
  • C:\Program Files\Internet Antivirus Pro\Explorer.ico
  • C:\Program Files\Internet Antivirus Pro\IAPro.exe
  • C:\Program Files\Internet Antivirus Pro\unins000.dat
  • C:\Program Files\Internet Antivirus Pro\unins000.exe
  • C:\Program Files\Internet Antivirus Pro\uninstall.ico
  • C:\Program Files\Internet Antivirus Pro\working.log
  • C:\Program Files\Internet Antivirus Pro\db\DBInfo.ver
  • C:\Program Files\Internet Antivirus Pro\db\ia080614.db
  • C:\Program Files\Internet Antivirus Pro\db\ia080618x.db
  • C:\Program Files\Internet Antivirus Pro\db\ia091024r.db
  • C:\Program Files\Internet Antivirus Pro\db\ia190908g.db
  • C:\Program Files\Internet Antivirus Pro\db\lists.ini
  • C:\Program Files\Internet Antivirus Pro\db\WMILib.dll
  • C:\Program Files\Internet Antivirus Pro\Languages\IAEs.lng
  • C:\Program Files\Internet Antivirus Pro\Languages\IAFr.lng
  • C:\Program Files\Internet Antivirus Pro\Languages\IAGer.lng
  • C:\Program Files\Internet Antivirus Pro\Languages\IAIt.lng

It then modifies the following registry entries:

  • Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\Run "Microsoft Windows logon process"
    Type: REG_SZ
    Data: C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\winlogon.exe
  • Hkey_Local_Machine\Software\Microsoft\Security Center "AVPath"
    Type: REG_SZ
    Data: \\.\root\SecurityCenter:AntiVirusProduct.instanceGuid="{99C4A26C-27A1-46FD-AD5A-C3CA07B70D26}"
  • Hkey_Local_Machine\Software\Microsoft\Security Center "AntiVirusDisableNotify"
    Data: 00
  • Hkey_Local_Machine\Software\Microsoft\Security Center "FirewallDisableNotify"
    Data: 00
  • Hkey_Local_Machine\Software\Microsoft\Security Center "FirstRunDisabled"
    Data: 00
  • Hkey_Local_Machine\Software\Microsoft\Security Center "UpdatesDisableNotify"
    Data: 00

The trojan will then run an exaggerated scan on the machine and generate false detection alerts. This is done to persuade the user into purchasing a full version of the software to clean the malware that the trojan falsely detected.

Symptoms

Presence of files and registry entries mentioned earlier

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1.Disable System Restore .

2.Update to current engine and DAT files for detection and removal.

3.Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.


On Windows Vista and 7:

Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer"
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue 'bootrec /fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.

Variants

Variants

    N/A

All Information

Overview -

This description is for a malware that shows false error messages, misleading spyware scan results, and uses aggressive advertising to persuade the user to purchase it.

Aliases

  • Mal/FakeAV-BP [Sophos]
  • Trojan.Fakealert.8559 [Dr.Web]
  • Trojan:Win32/InternetAntivirus [Microsoft]

Characteristics

Characteristics -

---- Updated June 16, 2010 ---

File Information –

    • MD5 - 7d7e604d52badfd5db140b71612292b4
    • SHA1 - d2eaaa3b735216c0c98ffdcaac10cae00031e86d

Aliases –

    • Avp - Trojan.Win32.FraudPack.cmpg
    • f-secure - MemScan:Trojan.Generic.5709906
    • msmp - ~VirTool:Win32/Obfuscator.XX
    • nav - VirusDoctor!gen1

Upon execution, the Trojan drops files into the following location

    • %Temp%\[random name].exe
    • %Temp%\del.bat

The Trojan connects to the following malicious sites:

    • tdncgo[removed].com
    • trdata[removed].com
    • fra[removed].net
    • websec[removed].com

After a while, the Trojan starts to show fake messages saying the system is infected with numerous viruses. The main window can have many names, including:

    • secure-guard.com
    • smart-security.net
    • security-guard.com
    • guard-smart.net
    • guard-shield.net
    • smart-protection.com
    • security-server.com
    • protection-smart.net

The Trojan searches for the following antivirus processes and other security related processes, if it found the Trojan tries to kill these applications.

    • msseces.exe
    • MSASCui.exe
    • ekrn.exe
    • egui.exe
    • avgnt.exe
    • avcenter.exe
    • avscan.exe
    • avgfrw.exe
    • avgui.exe
    • avgtray.exe
    • avgscanx.exe
    • avgcfgex.exe
    • avgemc.exe
    • avgchsvx.exe
    • avgcmgr.exe
    • avgwdsvc.exe winss.exe
    • WinSSUI.exe
    • OcHealthMon.exe
    • winssnotify.exe
    • MsMpEng.exe
    • msfwsvc.exe

The Trojan creates a mutex with the name "oleacc-msaa-loaded , to ensure only one instance of the Trojan is running at a time.

Note : [%Temp% - C:\Documents and Settings\[User Name]\Local Settings\Temp]]

----------

-- Update May 17, 2010 --

A new variant of this thread has been discovered recently, which shows the following characteristics:

 

On execution the malware creates the following files

  •  c:\Documents and Settings\Administrator\Local Settings\Temp\02c9c3c35bdx5.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\17dkf.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\1iowieoo.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\2010yo.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\472a10e2ebxd9.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\56493.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\8gmsed-bd.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\a75wef8e0e7.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\ae0965a7157cd.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\al3erfa3.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\aler3fa.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\alerfa.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\alerfa2.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\alerfa322.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\aqfitrlxi2.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\backd-efq.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\brdss.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\bzqa43d.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\cffd4.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\cocksucker.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\cosock.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\cunifuc.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\dc_3.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\dd10x10.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\ddhelp.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\ddoll3342.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\destroyer.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\dffuck.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\dkfjd93.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\ds7hw.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\dwl_bqz.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\eelnvd13.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\eephilpe.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\exppdf_w.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\fadz43.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\fe.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\format.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\g_dx234.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\gedx_ae09.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\gpupz2a.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\gpws_y-bbg.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\hardwh.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\hhbboll_2.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\hiphop.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\hjkgfddd.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\hodeme.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\htfad4.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\hvipws9.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\jdhellwo3.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\jkfuckjs.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\jofcdks.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\kgn.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\kilslmd.exex
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\kjdh_gf_jjdhgd.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\kjh102k3.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\kn.a.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\kock.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\ljts-23.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\lkhgg_ea.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\lols.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\lorsk.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\ploper.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\poertd.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\ppddfcfux.exxe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\pswwg3c.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\puzpup.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\qwedvor.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\qwklrvjhqlkj.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\r0life.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\rator.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\rsrtd12.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\rtfme.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\safe.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\snowif.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\sycre.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\test.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\timem.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\w32-reno-c.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\warsddd_w.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\wefgetn_00.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\wergfq.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\wined.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\winlogoff.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\wqefqw7e.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\wrcud12.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\wrfwe_di.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\wwautrsd.exe
  •  c:\Documents and Settings\Administrator\Local Settings\Temp\wwwsssgen.exe

The following registry entries were created by the malware

  • HKEY_CURRENT_USER\Software\Desktop Security 2010

It connects to the following URL when the victim tries to register the fake security product.

  • desktop<REMOVED>center.com

-- Update May 04, 2010 --

A new variant of this thread has been discovered recently, which shows the following characteristics:

Once executed, the malware drops a copy of itself with the following name:

  • %USERPROFILE%\Local Settings\Application data\av.exe
     (where %USERPROFILE% indicate the user profile directory, usually C:\Documents and Settings\username)

It also drop a file named "LNek" on this same directory with encrypted data stolen from the user.

The malware also disables the Windows firewall, automatic updates and any security notifications from Windows

Creates a system mutex to avoid being executed more than once:

  • cu43yxio32zdl11

Create the following registry keys:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum\0 = "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Identity = 0x4E7F89D2
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command\ = ""%USERPROFILE%\Local Settings\Application data\av.exe" /START "%1" %*"
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command\IsolatedCommand = ""%1" %*"
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command\ = ""%1" %*"
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command\IsolatedCommand = ""%1" %*"
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command\ = ""%1" %*"
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command\IsolatedCommand = ""%1" %*"
  • HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon\ = "%1"
  • HKEY_CURRENT_USER\Software\Classes\.exe\ = "secfile"
  • HKEY_CURRENT_USER\Software\Classes\.exe\Content Type = "application/x-msdownload"
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command\ = ""USERPROFILE%\Local Settings\Application data\av.exe" /START "%1" %*"
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command\IsolatedCommand = ""%1" %*"
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas\command\ = ""%1" %*"
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas\command\IsolatedCommand = ""%1" %*"
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\start\command\ = ""%1" %*"
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\start\command\IsolatedCommand = ""%1" %*"
  • HKEY_CURRENT_USER\Software\Classes\secfile\DefaultIcon\ = "%1"
  • HKEY_CURRENT_USER\Software\Classes\secfile\ = "Application"
  • HKEY_CURRENT_USER\Software\Classes\secfile\Content Type = "application/x-msdownload"


It also modify the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\ = ""%USERPROFILE%\Local Settings\Application data\av.exe" /START "C:\Arquivos de programas\Internet Explorer\iexplore.exe""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify = 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify = 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify = 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride = 0x00000001


After a while, it starts to show fake messages saying the system is infected with numerous viruses. The main window can have many names, including:

  • XP Antivirus Pro
  • XP Internet Security 2010
  • XP Guardian
  • Antivirus XP 2010

 

It can also show fake pop up messages informing the user's computer is at risk:

 

 

As other fake antivirus softwares, this one ask the user to register before allowing the viruses to be removed. This registration only has the intention of stealing the user's credit card information, as no virus exists on the user's system but the fake antivirus.

 

The malware also tries do contact any of the following domains, which may allow it to download additional malicious program to the infected machine:

  • pc-winlive.com
  • pccare-live.com
  • pc-windowslive.com
  • pcwindows-live.com
  • pcguard20-10.com
  • pc-winlive2010.com
  • pc-windows-live.com
  • pc-guard-20-10.com
  • pcwinlive.com
  • pc-carelive.com
  • pc-win-live-2010.com
  • pc-winlive-2010.com
  • pcwinlive-2010.com
  • lionerduvoska.com
  • gertunilosab.com
  • vionertugafe.com
  • nasedruvalkol.com
  • skajirnovaya.com
  • ellasotkamatu.com
  • kovanertuga.com
  • munkertulibo.com
  • iposkadertuv.com
  • neobkasederdu.com

 

-- Update December 17, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:  http://www.theregister.co.uk/2009/12/16/google_doodle_scareware/

--

When executed, this trojan creates the following folders:

  • C:\Documents and Settings\Administrator\Application Data\Internet Antivirus Pro
  • C:\Documents and Settings\Administrator\Application Data\Internet Antivirus Pro\db
  • C:\Documents and Settings\All Users\Start Menu\Programs\Internet Antivirus Pro
  • C:\Program Files\Internet Antivirus Pro
  • C:\Program Files\Internet Antivirus Pro\db
  • C:\Program Files\Internet Antivirus Pro\Languages

It then drops the following files:

  • %Appdata%\Internet Antivirus Pro\db\config.cfg
  • %Appdata%\Internet Antivirus Pro\db\Timeout.inf
  • %Appdata%\Internet Antivirus Pro\db\Urls.inf
  • %Appdata%\Microsoft\Internet Explorer\Quick Launch\Internet Antivirus Pro.lnk
  • %Appdata%\Microsoft\Windows\winlogon.exe
  • %AllUserProfile%\Desktop\Internet Antivirus Pro.lnk
  • %AllUserProfile%\Start Menu\Programs\Internet Antivirus Pro\Internet Antivirus Pro Home Page.lnk
  • %AllUserProfile%\Start Menu\Programs\Internet Antivirus Pro\Internet Antivirus ro.lnk
  • %AllUserProfile%\Start Menu\Programs\Internet Antivirus Pro\Purchase License.lnk
  • %AllUserProfile%\Start Menu\Programs\Internet Antivirus Pro\Uninstall  Internet Antivirus Pro.lnk
  • C:\Program Files\Common Files\118172char.exe
  • C:\Program Files\Common Files\222507paint.exe
  • C:\Program Files\Common Files\715805calc.exe
  • C:\Program Files\Internet Antivirus Pro\activate.ico
  • C:\Program Files\Internet Antivirus Pro\Explorer.ico
  • C:\Program Files\Internet Antivirus Pro\IAPro.exe
  • C:\Program Files\Internet Antivirus Pro\unins000.dat
  • C:\Program Files\Internet Antivirus Pro\unins000.exe
  • C:\Program Files\Internet Antivirus Pro\uninstall.ico
  • C:\Program Files\Internet Antivirus Pro\working.log
  • C:\Program Files\Internet Antivirus Pro\db\DBInfo.ver
  • C:\Program Files\Internet Antivirus Pro\db\ia080614.db
  • C:\Program Files\Internet Antivirus Pro\db\ia080618x.db
  • C:\Program Files\Internet Antivirus Pro\db\ia091024r.db
  • C:\Program Files\Internet Antivirus Pro\db\ia190908g.db
  • C:\Program Files\Internet Antivirus Pro\db\lists.ini
  • C:\Program Files\Internet Antivirus Pro\db\WMILib.dll
  • C:\Program Files\Internet Antivirus Pro\Languages\IAEs.lng
  • C:\Program Files\Internet Antivirus Pro\Languages\IAFr.lng
  • C:\Program Files\Internet Antivirus Pro\Languages\IAGer.lng
  • C:\Program Files\Internet Antivirus Pro\Languages\IAIt.lng

It then modifies the following registry entries:

  • Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\Run "Microsoft Windows logon process"
    Type: REG_SZ
    Data: C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\winlogon.exe
  • Hkey_Local_Machine\Software\Microsoft\Security Center "AVPath"
    Type: REG_SZ
    Data: \\.\root\SecurityCenter:AntiVirusProduct.instanceGuid="{99C4A26C-27A1-46FD-AD5A-C3CA07B70D26}"
  • Hkey_Local_Machine\Software\Microsoft\Security Center "AntiVirusDisableNotify"
    Data: 00
  • Hkey_Local_Machine\Software\Microsoft\Security Center "FirewallDisableNotify"
    Data: 00
  • Hkey_Local_Machine\Software\Microsoft\Security Center "FirstRunDisabled"
    Data: 00
  • Hkey_Local_Machine\Software\Microsoft\Security Center "UpdatesDisableNotify"
    Data: 00

The trojan will then run an exaggerated scan on the machine and generate false detection alerts. This is done to persuade the user into purchasing a full version of the software to clean the malware that the trojan falsely detected.

Symptoms

Symptoms -

Presence of files and registry entries mentioned earlier

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal -

Removal -

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1.Disable System Restore .

2.Update to current engine and DAT files for detection and removal.

3.Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.


On Windows Vista and 7:

Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer"
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue 'bootrec /fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.

Variants

Variants -

    N/A