McAfee > Theat Center > Virus Detail Page

Overview

Characteristics

Upon execution, the trojan drops the following file.

• %System%\pphcg5fj0e58c.exe (detected as FakeAlert-AQ trojan)

Note:
%System% is a variable location and refers to the windows system directory.

It modifies the following registry keys:

• HKEY_LOCAL_MACHINE\SOFTWARE\rhcl5fj0e58c
  "InstallationID" = {3B9E4738-F2B0-483E-B2A5-ABD569906A8C}
  "MGuid" = {43EB2598-7E2D-46EB-B1B2-7F8DDA1AE2EB}
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
  "rhcl5fj0e58c" =  (binary value)

The trojan creates the following folders:

• %UserProfile%\Application Data\rhcl5fj0e58c
• %UserProfile%\Application Data\rhcl5fj0e58c\Quarantine
• %UserProfile%\Application Data\rhcl5fj0e58c\Quarantine\Autorun
• %UserProfile%\Application Data\rhcl5fj0e58c\Quarantine\Autorun\HKCU
• %UserProfile%\Application Data\rhcl5fj0e58c\Quarantine\Autorun\HKCU\RunOnce
• %UserProfile%\Application Data\rhcl5fj0e58c\Quarantine\Autorun\HKLM
• %UserProfile%\Application Data\rhcl5fj0e58c\Quarantine\Autorun\HKLM\RunOnce
• %UserProfile%\Application Data\rhcl5fj0e58c\Quarantine\Autorun\StartMenuAllUsers
• %UserProfile%\ApplicationData\rhcl5fj0e58c\Quarantine\Autorun\StartMenuCurrentUser
• %UserProfile%\Application Data\rhcl5fj0e58c\Quarantine\BrowserObjects
• %UserProfile%\Application Data\rhcl5fj0e58c\Quarantine\Packages

Note:
%UserProfile% is a variable location and refers to the user's profile folder.

The trojan monitors Internet Explorer and shows the following alert page when one of the following sites are accessed.

This redirects to the url "http://www.malwareprotector2008.com"

site list

• 56.com
• about.com
• adobe.com
• adultfriendfinder.com
• amazon.com
• aol.com
• apple.com
• blogger.com
• craigslist.com
• deviantart.com
• download.com
• ebay.com
• facebook.com
• flickr.com
• friendster.com
• gamespot.com
• geocities.com
• go.com
• google
• google.com
• hi5.com
• imagevenue.com
• imdb.com
• live.com
• livejournal.com
• mac.com
• mediafire.com
• megaupload.com
• microsoft.com
• mininova.com
• msn.com
• myspace.com
• nytimes.com
• orkut.com
• partypoker.com
• photobucket.com
• rapidshare.com
• redtube.com
• skyrock.com
• tinyurl.com
• wikipedia.org
• wordpress.com
• yahoo.com
• youporn.com
• yourfilehost.com
  

Symptoms

• Presence of the mentioned files and registry keys.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a detection for a trojan that displays misleading fake alerts to entice the user into buying a product to "repair" malware problems.

Characteristics

Characteristics -

Upon execution, the trojan drops the following file.

• %System%\pphcg5fj0e58c.exe (detected as FakeAlert-AQ trojan)

Note:
%System% is a variable location and refers to the windows system directory.

It modifies the following registry keys:

• HKEY_LOCAL_MACHINE\SOFTWARE\rhcl5fj0e58c
  "InstallationID" = {3B9E4738-F2B0-483E-B2A5-ABD569906A8C}
  "MGuid" = {43EB2598-7E2D-46EB-B1B2-7F8DDA1AE2EB}
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
  "rhcl5fj0e58c" =  (binary value)

The trojan creates the following folders:

• %UserProfile%\Application Data\rhcl5fj0e58c
• %UserProfile%\Application Data\rhcl5fj0e58c\Quarantine
• %UserProfile%\Application Data\rhcl5fj0e58c\Quarantine\Autorun
• %UserProfile%\Application Data\rhcl5fj0e58c\Quarantine\Autorun\HKCU
• %UserProfile%\Application Data\rhcl5fj0e58c\Quarantine\Autorun\HKCU\RunOnce
• %UserProfile%\Application Data\rhcl5fj0e58c\Quarantine\Autorun\HKLM
• %UserProfile%\Application Data\rhcl5fj0e58c\Quarantine\Autorun\HKLM\RunOnce
• %UserProfile%\Application Data\rhcl5fj0e58c\Quarantine\Autorun\StartMenuAllUsers
• %UserProfile%\ApplicationData\rhcl5fj0e58c\Quarantine\Autorun\StartMenuCurrentUser
• %UserProfile%\Application Data\rhcl5fj0e58c\Quarantine\BrowserObjects
• %UserProfile%\Application Data\rhcl5fj0e58c\Quarantine\Packages

Note:
%UserProfile% is a variable location and refers to the user's profile folder.

The trojan monitors Internet Explorer and shows the following alert page when one of the following sites are accessed.

This redirects to the url "http://www.malwareprotector2008.com"

site list

• 56.com
• about.com
• adobe.com
• adultfriendfinder.com
• amazon.com
• aol.com
• apple.com
• blogger.com
• craigslist.com
• deviantart.com
• download.com
• ebay.com
• facebook.com
• flickr.com
• friendster.com
• gamespot.com
• geocities.com
• go.com
• google
• google.com
• hi5.com
• imagevenue.com
• imdb.com
• live.com
• livejournal.com
• mac.com
• mediafire.com
• megaupload.com
• microsoft.com
• mininova.com
• msn.com
• myspace.com
• nytimes.com
• orkut.com
• partypoker.com
• photobucket.com
• rapidshare.com
• redtube.com
• skyrock.com
• tinyurl.com
• wikipedia.org
• wordpress.com
• yahoo.com
• youporn.com
• yourfilehost.com
  

Symptoms

Symptoms -

• Presence of the mentioned files and registry keys.

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A