Content

FakeAlert-AntiVirusPro

Type
Trojan
SubType
Win32
Discovery Date
03/25/2008
Length
Varies
Minimum DAT
5259 (03/25/2008)
Updated DAT
5895 (02/17/2010)
Minimum Engine
5.3.00
Description Added
03/25/2008
Description Modified
12/17/2009 5:00 AM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Tab Navigation

Characteristics

-- Update December 17, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:  http://www.theregister.co.uk/2009/12/16/google_doodle_scareware/

--

When executed, this trojan creates the following folders:

  • C:\Documents and Settings\Administrator\Application Data\Internet Antivirus Pro
  • C:\Documents and Settings\Administrator\Application Data\Internet Antivirus Pro\db
  • C:\Documents and Settings\All Users\Start Menu\Programs\Internet Antivirus Pro
  • C:\Program Files\Internet Antivirus Pro
  • C:\Program Files\Internet Antivirus Pro\db
  • C:\Program Files\Internet Antivirus Pro\Languages

It then drops the following files:

  • %Appdata%\Internet Antivirus Pro\db\config.cfg
  • %Appdata%\Internet Antivirus Pro\db\Timeout.inf
  • %Appdata%\Internet Antivirus Pro\db\Urls.inf
  • %Appdata%\Microsoft\Internet Explorer\Quick Launch\Internet Antivirus Pro.lnk
  • %Appdata%\Microsoft\Windows\winlogon.exe
  • %AllUserProfile%\Desktop\Internet Antivirus Pro.lnk
  • %AllUserProfile%\Start Menu\Programs\Internet Antivirus Pro\Internet Antivirus Pro Home Page.lnk
  • %AllUserProfile%\Start Menu\Programs\Internet Antivirus Pro\Internet Antivirus ro.lnk
  • %AllUserProfile%\Start Menu\Programs\Internet Antivirus Pro\Purchase License.lnk
  • %AllUserProfile%\Start Menu\Programs\Internet Antivirus Pro\Uninstall  Internet Antivirus Pro.lnk
  • C:\Program Files\Common Files\118172char.exe
  • C:\Program Files\Common Files\222507paint.exe
  • C:\Program Files\Common Files\715805calc.exe
  • C:\Program Files\Internet Antivirus Pro\activate.ico
  • C:\Program Files\Internet Antivirus Pro\Explorer.ico
  • C:\Program Files\Internet Antivirus Pro\IAPro.exe
  • C:\Program Files\Internet Antivirus Pro\unins000.dat
  • C:\Program Files\Internet Antivirus Pro\unins000.exe
  • C:\Program Files\Internet Antivirus Pro\uninstall.ico
  • C:\Program Files\Internet Antivirus Pro\working.log
  • C:\Program Files\Internet Antivirus Pro\db\DBInfo.ver
  • C:\Program Files\Internet Antivirus Pro\db\ia080614.db
  • C:\Program Files\Internet Antivirus Pro\db\ia080618x.db
  • C:\Program Files\Internet Antivirus Pro\db\ia091024r.db
  • C:\Program Files\Internet Antivirus Pro\db\ia190908g.db
  • C:\Program Files\Internet Antivirus Pro\db\lists.ini
  • C:\Program Files\Internet Antivirus Pro\db\WMILib.dll
  • C:\Program Files\Internet Antivirus Pro\Languages\IAEs.lng
  • C:\Program Files\Internet Antivirus Pro\Languages\IAFr.lng
  • C:\Program Files\Internet Antivirus Pro\Languages\IAGer.lng
  • C:\Program Files\Internet Antivirus Pro\Languages\IAIt.lng

It then modifies the following registry entries:

  • Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\Run "Microsoft Windows logon process"
    Type: REG_SZ
    Data: C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\winlogon.exe
  • Hkey_Local_Machine\Software\Microsoft\Security Center "AVPath"
    Type: REG_SZ
    Data: \\.\root\SecurityCenter:AntiVirusProduct.instanceGuid="{99C4A26C-27A1-46FD-AD5A-C3CA07B70D26}"
  • Hkey_Local_Machine\Software\Microsoft\Security Center "AntiVirusDisableNotify"
    Data: 00
  • Hkey_Local_Machine\Software\Microsoft\Security Center "FirewallDisableNotify"
    Data: 00
  • Hkey_Local_Machine\Software\Microsoft\Security Center "FirstRunDisabled"
    Data: 00
  • Hkey_Local_Machine\Software\Microsoft\Security Center "UpdatesDisableNotify"
    Data: 00

The trojan will then run an exaggerated scan on the machine and generate false detection alerts. This is done to persuade the user into purchasing a full version of the software to clean the malware that the trojan falsely detected.

Symptoms

Presence of files and registry entries mentioned earlier

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

All Information

Overview -

This description is for a malware that shows false error messages, misleading spyware scan results, and uses aggressive advertising to persuade the user to purchase it.

Aliases

  • Mal/FakeAV-BP [Sophos]
  • Trojan.Fakealert.8559 [Dr.Web]
  • Trojan:Win32/InternetAntivirus [Microsoft]

Characteristics

Characteristics -

-- Update December 17, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:  http://www.theregister.co.uk/2009/12/16/google_doodle_scareware/

--

When executed, this trojan creates the following folders:

  • C:\Documents and Settings\Administrator\Application Data\Internet Antivirus Pro
  • C:\Documents and Settings\Administrator\Application Data\Internet Antivirus Pro\db
  • C:\Documents and Settings\All Users\Start Menu\Programs\Internet Antivirus Pro
  • C:\Program Files\Internet Antivirus Pro
  • C:\Program Files\Internet Antivirus Pro\db
  • C:\Program Files\Internet Antivirus Pro\Languages

It then drops the following files:

  • %Appdata%\Internet Antivirus Pro\db\config.cfg
  • %Appdata%\Internet Antivirus Pro\db\Timeout.inf
  • %Appdata%\Internet Antivirus Pro\db\Urls.inf
  • %Appdata%\Microsoft\Internet Explorer\Quick Launch\Internet Antivirus Pro.lnk
  • %Appdata%\Microsoft\Windows\winlogon.exe
  • %AllUserProfile%\Desktop\Internet Antivirus Pro.lnk
  • %AllUserProfile%\Start Menu\Programs\Internet Antivirus Pro\Internet Antivirus Pro Home Page.lnk
  • %AllUserProfile%\Start Menu\Programs\Internet Antivirus Pro\Internet Antivirus ro.lnk
  • %AllUserProfile%\Start Menu\Programs\Internet Antivirus Pro\Purchase License.lnk
  • %AllUserProfile%\Start Menu\Programs\Internet Antivirus Pro\Uninstall  Internet Antivirus Pro.lnk
  • C:\Program Files\Common Files\118172char.exe
  • C:\Program Files\Common Files\222507paint.exe
  • C:\Program Files\Common Files\715805calc.exe
  • C:\Program Files\Internet Antivirus Pro\activate.ico
  • C:\Program Files\Internet Antivirus Pro\Explorer.ico
  • C:\Program Files\Internet Antivirus Pro\IAPro.exe
  • C:\Program Files\Internet Antivirus Pro\unins000.dat
  • C:\Program Files\Internet Antivirus Pro\unins000.exe
  • C:\Program Files\Internet Antivirus Pro\uninstall.ico
  • C:\Program Files\Internet Antivirus Pro\working.log
  • C:\Program Files\Internet Antivirus Pro\db\DBInfo.ver
  • C:\Program Files\Internet Antivirus Pro\db\ia080614.db
  • C:\Program Files\Internet Antivirus Pro\db\ia080618x.db
  • C:\Program Files\Internet Antivirus Pro\db\ia091024r.db
  • C:\Program Files\Internet Antivirus Pro\db\ia190908g.db
  • C:\Program Files\Internet Antivirus Pro\db\lists.ini
  • C:\Program Files\Internet Antivirus Pro\db\WMILib.dll
  • C:\Program Files\Internet Antivirus Pro\Languages\IAEs.lng
  • C:\Program Files\Internet Antivirus Pro\Languages\IAFr.lng
  • C:\Program Files\Internet Antivirus Pro\Languages\IAGer.lng
  • C:\Program Files\Internet Antivirus Pro\Languages\IAIt.lng

It then modifies the following registry entries:

  • Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\Run "Microsoft Windows logon process"
    Type: REG_SZ
    Data: C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\winlogon.exe
  • Hkey_Local_Machine\Software\Microsoft\Security Center "AVPath"
    Type: REG_SZ
    Data: \\.\root\SecurityCenter:AntiVirusProduct.instanceGuid="{99C4A26C-27A1-46FD-AD5A-C3CA07B70D26}"
  • Hkey_Local_Machine\Software\Microsoft\Security Center "AntiVirusDisableNotify"
    Data: 00
  • Hkey_Local_Machine\Software\Microsoft\Security Center "FirewallDisableNotify"
    Data: 00
  • Hkey_Local_Machine\Software\Microsoft\Security Center "FirstRunDisabled"
    Data: 00
  • Hkey_Local_Machine\Software\Microsoft\Security Center "UpdatesDisableNotify"
    Data: 00

The trojan will then run an exaggerated scan on the machine and generate false detection alerts. This is done to persuade the user into purchasing a full version of the software to clean the malware that the trojan falsely detected.

Symptoms

Symptoms -

Presence of files and registry entries mentioned earlier

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal -

Removal -

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants -

    N/A