FakeAlert-XPSecCenter

Type: Trojan
SubType: Win32
Discovery Date: 07/01/2008
Length: Varies
Minimum DAT: 5330 (07/02/2008)
Updated DAT: 5794 (11/06/2009)
Minimum Engine: 5.1.00
Description Added: 07/01/2008
Description Modified: 09/16/2009 6:26 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low


Overview

FakeAlert-XPSecurityCenter, once installed on a system, generates fake infection messages. It encourages the user to purchase a registered copy of the product in order to clean the infections it reports. Unsuspecting users may be enticed by such scare tactics.

Aliases

  • FakeAlert-XPSecCenter
  • FakeAlert-XPSecurityCenter

Characteristics

These are general defaults for typical path variables. (Although they may differ, these examples are common.):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

FakeAlert-XPSecurityCenter was previously detected as Generic FakeAlert.a.

FakeAlert-XPSecurityCenter is a fake anti-spyware product which, upon installation, displays no EULA and simply states the following message.

The initial installer downloads three zipped files from hxxp://www.xpsecuritycenter.com. These archives contain files the application depends on, including some legitimate DLL files. The downloaded zipped files are:

  • Binaries1.zip
  • Binaries2.zip
  • Binaries3.zip

The unzipped files are placed into %ProgramFiles%\XPSecurityCenter.

The following files are added:

  • %ProgramFiles%\XPSecurityCenter\data\daily.cvd
  • %ProgramFiles%\XPSecurityCenter\htmlayout.dll
  • %ProgramFiles%\XPSecurityCenter\install.exe
  • %ProgramFiles%\XPSecurityCenter\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
  • %ProgramFiles%\XPSecurityCenter\Microsoft.VC80.CRT\msvcm80.dll
  • %ProgramFiles%\XPSecurityCenter\Microsoft.VC80.CRT\msvcp80.dll
  • %ProgramFiles%\XPSecurityCenter\Microsoft.VC80.CRT\msvcr80.dll
  • %ProgramFiles%\XPSecurityCenter\pthreadVC2.dll
  • %ProgramFiles%\XPSecurityCenter\un.ico
  • %ProgramFiles%\XPSecurityCenter\unzip32.dll
  • %ProgramFiles%\XPSecurityCenter\XPSecurityCenter.dll
  • %ProgramFiles%\XPSecurityCenter\XPSecurityCenter.exe

%ProgramFiles%\XPSecurityCenter\XPSecurityCenter.exe is then executed, and while loading, the application creates the following registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\XP_SecurityCenter
  • HKEY_LOCAL_MACHINE\SOFTWARE\XP_SecurityCenter\info: [Installation Date]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XP SecurityCenter: ""C:\Program Files\XPSecurityCenter\XPSecurityCenter.exe" /hide"
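As an added example (not McAfee's or AVERT's code), the following Python script shows how a responder might check a host's registry export and file listing for the indicators above. It parses the subset of .reg export syntax needed to read the Run key and the XP_SecurityCenter marker key, splits the Run value into executable and arguments the way Windows does for a quoted path, and matches file paths against the stable install paths. The drive letter C: and the %ProgramFiles% and %WinDir% expansions are assumptions, and the registry text and file listing are constructed. The random-named drop files are deliberately not used as indicators, since the description notes they vary per installation.

```python
"""Triage helper for the FakeAlert-XPSecurityCenter indicators listed above.

Added example (not McAfee/AVERT code). It parses a registry export in
.reg format plus a plain file listing and reports which of the page's
stable indicators are present. Drive letter C: and the path defaults are
assumptions based on the description's "typical path variables" note.
"""
import re

# Indicators from the description above (stable across installs).
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\XP_SecurityCenter"
INSTALL_EXE = r"%ProgramFiles%\XPSecurityCenter\XPSecurityCenter.exe"
INSTALL_FILES = [
    INSTALL_EXE,
    r"%ProgramFiles%\XPSecurityCenter\XPSecurityCenter.dll",
    r"%ProgramFiles%\XPSecurityCenter\install.exe",
    r"%ProgramFiles%\XPSecurityCenter\unzip32.dll",
    r"%ProgramFiles%\XPSecurityCenter\data\daily.cvd",
]

# Assumed expansions for the path variables used on the page.
DEFAULT_ENV = {"%ProgramFiles%": r"C:\Program Files", "%WinDir%": r"C:\WINDOWS"}


def unescape_reg_string(s):
    """Undo .reg string escaping (a doubled backslash and a backslash-quote)."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: [key] headers and
    "name"="string" values. Returns {key: {value_name: value}}."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
        if m and current is not None:
            name, value = (unescape_reg_string(g) for g in m.groups())
            reg[current][name] = value
    return reg


def split_run_command(cmd):
    """Split a Run-key command line into (executable, arguments).
    A quoted path ("C:\\Program Files\\x.exe" /hide) is handled; an
    unquoted one is split at the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def norm(path, env=DEFAULT_ENV):
    """Expand %Var% placeholders and fold case (Windows paths are case-insensitive)."""
    for var, val in env.items():
        path = path.replace(var, val)
    return path.lower()


def triage(reg_text, file_listing, env=DEFAULT_ENV):
    """Return a list of human-readable findings for the indicators above."""
    findings = []
    reg = {k.lower(): v for k, v in parse_reg_export(reg_text).items()}
    if MARKER_KEY.lower() in reg:
        findings.append(f"registry key present: {MARKER_KEY}")
    for name, cmd in reg.get(RUN_KEY.lower(), {}).items():
        exe, args = split_run_command(cmd)
        if norm(exe, env) == norm(INSTALL_EXE, env):
            findings.append(f"Run value {name!r} starts {exe} with args {args!r}")
    wanted = {norm(p, env): p for p in INSTALL_FILES}
    for path in file_listing:
        hit = wanted.get(norm(path, env))
        if hit:
            findings.append(f"file present: {path} (matches {hit})")
    return findings


# Constructed sample input, modelled on the registry entries listed above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\XP_SecurityCenter]
"info"="07/01/2008"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XP SecurityCenter"="\"C:\\Program Files\\XPSecurityCenter\\XPSecurityCenter.exe\" /hide"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

# Constructed directory listing; the random-named drop (ozuh.dll) is not
# matched on purpose, since the page notes those names differ per install.
SAMPLE_FILES = [
    r"C:\Program Files\XPSecurityCenter\XPSecurityCenter.exe",
    r"C:\Program Files\XPSecurityCenter\unzip32.dll",
    r"C:\WINDOWS\ozuh.dll",
    r"C:\WINDOWS\system32\ctfmon.exe",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_FILES):
        print(finding)
```

Run as a script it prints the four findings for the constructed input (marker key, Run value, and two install files). On a real image, feed triage() the text of a reg export of HKLM\SOFTWARE and a recursive listing of the Program Files directory; the Run value is matched on the executable path rather than on the value name, so a renamed Run entry pointing at the same binary is still reported.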

At this point the application starts executing. As the application starts its system scan, it drops randomly named files, which are then displayed as malware in the scan results.

Some of the randomly named files dropped by FakeAlert-XPSecurityCenter during its system scan are:

  • %DocSetting%\[User Name]\Application Data\vipytajugo._dl
  • %DocSetting%\[User Name]\Cookies\jatis.sys
  • %DocSetting%\[User Name]\Local Settings\Application Data\olypyzude.bin
  • %DocSetting%\[User Name]\Local Settings\Application Data\ycoh.inf
  • %DocSetting%\[User Name]\Local Settings\Temp\Perflib_Perfdata_280.dat
  • %DocSetting%\[User Name]\Local Settings\Temporary Internet Files\aqit._dl
  • %DocSetting%\All Users\Documents\dabog._sy
  • %DocSetting%\All Users\Documents\obiwigojol.vbs
  • %DocSetting%\All Users\Documents\uvarysu._sy
  • %WinDir%\jibonu.ban
  • %WinDir%\juvyxigu.dat
  • %WinDir%\ozuh.dll
  • %WinDir%\sozeb.dat
  • %WinDir%\sucehamibu.ban
  • %WinDir%\wavifofow._sy
  • %WinDir%\ydylac._sy

NOTE: These file names were observed during our analysis. The random names vary for every installation.

The fake scanner also stores information about the random files that it drops and detects. After the scan, a message is displayed telling the user that the system is infected, and prompts the user to register and purchase the product in order to clean the machine.

If a user closes the above window, the program continues to run in memory. At regular intervals it displays fake alert balloon messages. The following alert messages have been observed:

  • System warning!
    • Self-restoring Trojan virus that can lead to total system crash has been detected on your PC. Click here to remove this harmful virus immediately with the latest version of XP Security Center.
  • System message!
    • Malicious spyware that can harm your system has been detected on your PC. Click here to remove this riskware immedately with latest version of XP Security Center.
  • System message!
    • Intercepting programs that may compromise your privacy and harm your system has been detected on your PC. Click here to remove them immedately with the latest version of XP Security Center.

The following are some of the hard-coded detection names displayed as detections for the randomly dropped files:

  • AceBot
  • A-Trojan 2.0
  • Adware.IpWins
  • BackWebLite
  • Adlogix
  • Advware.Adstart.b
  • Msiebho
  • MPower
  • NavExcel
  • PerMedia
  • PopMonster Description
  • Backdoor.IRCBot
  • Backdoor.Lithium
  • Backdoor.Nucledor
  • Backdoor.Mechbot
  • Backdoor.Agobot.agl
  • Akbot
  • NetTrojan
  • ibis toolbar
  • Findwhatever
  • Hmtoolbar
  • eStart
  • GonnaSearch
  • MWSearch
  • OrbitExplorer
  • PowerStrip
  • SpotOn
  • Proxybar
  • Cram Toolbar
  • DOS 10.b.15
  • DL Flooder
  • Bomb 2
  • Dark Hate 3.6
  • Boo Bomber 2
  • Flooder.Chat.Ghcif
  • DTrumpet PING
  • Backdoor.IRC.Flood
  • AngryPing
  • Flooder.AOL.Ikobur
  • ACXInstall
  • Dropper-Delf
  • Exploit.winamp.pls
  • Mal/Iframe
  • First4DRM
  • Virtool.DoS.Synte.A
  • Envolo
  • Aenima
  • Fake-Mailer
  • AdStartup
  • Adware.BHO.je
  • Backdoor.Hupigon.mqe
  • Adrotator.IconAds
  • BookedSpace
  • Adware.ZToolbar
  • E2Give
  • MeridianPopUpper
  • SearchFast
  • Iggsey Toolbar

It has been observed that FakeAlert-XPSecurityCenter uses an API from the open-source anti-virus toolkit ClamAV.

Symptoms

The presence of the fake messages described above.

Method of Infection

We have observed installation by manual methods.

Removal

AVERT recommends always using the latest DATs and engine. With that combination in place, this threat will be cleaned.

Additional Windows ME/XP removal considerations

Variants

N/A