McAfee > Theat Center > Virus Detail Page

Overview

This is a detection for a trojan that displays misleading alerts to entice the user into buying a product to "repair" malware problems. This trojan may masquerade its malicious behavior, and victims are likely to have installed it thinking it is an antivirus program.

Aliases

• AntiVirus2008 (Symantec)

• FraudTool.Win32.PowerAntivirus2009.bi (Kaspersky)

• Trojan.FakeAV.DB (SOFTWIN)

• Trojan:Win32/FakePowav (Microsoft)

• Win32:FraudTool-GL [Tool] (ALWIL)

Characteristics

On execution, malware.exe creates a folder “Rapid Antivirus” and drops two executables at the following location(s):

%PROGRAMFILES%\Rapid Antivirus\malware.exe
%PROGRAMFILES%\Rapid Antivirus\loader[malware].exe

loader[malware].exe creates a hidden batch script .bat in the same folder which forcefully delete itself and loader[malware].exe.

It also creates two DLL files and its copy at the following location(s):

%SYSTEM32%\dbldrv.dll
%SYSTEM32%\dbxdrv.dll
%SYSTEM32%\loader[malware].exe

It creates following mutex:
“Rapid Antivirus_AppManager_server_mutex”

To start at system startup it adds following entries into the registry:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loader[malware].exe = “%SYSTEM32%\loader[malware].exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loader[malware].exe = “%SYSTEM32%\loader[malware].exe”

The trojan pretends to be running an exaggerated scan on the machine and generate false detection alerts as shown below. This is done to persuade the user into purchasing a full version of Antivirus software “Rapid Antivirus 2.7” to clean the malware that the trojan falsely detected.

It shows legit files being detected as Trojan, Spyware, and Worm as shown below:

If you click on leave button, following window with some warning message is displayed:

On clicking Get Full Version of Rapid Antivirus Now!, it connects to www.rapidantivirus.com and displays following subscription page:

Symptoms

Presence of folders and registry entries mentioned earlier.

Method of Infection

Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial.

Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.Distribution channels include IRC, peer-to-peer networks, email, newsgroup postings, etc.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a detection for a trojan that displays misleading alerts to entice the user into buying a product to "repair" malware problems. This trojan may masquerade its malicious behavior, and victims are likely to have installed it thinking it is an antivirus program.

Aliases

• AntiVirus2008 (Symantec)

• FraudTool.Win32.PowerAntivirus2009.bi (Kaspersky)

• Trojan.FakeAV.DB (SOFTWIN)

• Trojan:Win32/FakePowav (Microsoft)

• Win32:FraudTool-GL [Tool] (ALWIL)

Characteristics

Characteristics -

On execution, malware.exe creates a folder “Rapid Antivirus” and drops two executables at the following location(s):

%PROGRAMFILES%\Rapid Antivirus\malware.exe
%PROGRAMFILES%\Rapid Antivirus\loader[malware].exe

loader[malware].exe creates a hidden batch script .bat in the same folder which forcefully delete itself and loader[malware].exe.

It also creates two DLL files and its copy at the following location(s):

%SYSTEM32%\dbldrv.dll
%SYSTEM32%\dbxdrv.dll
%SYSTEM32%\loader[malware].exe

It creates following mutex:
“Rapid Antivirus_AppManager_server_mutex”

To start at system startup it adds following entries into the registry:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loader[malware].exe = “%SYSTEM32%\loader[malware].exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loader[malware].exe = “%SYSTEM32%\loader[malware].exe”

The trojan pretends to be running an exaggerated scan on the machine and generate false detection alerts as shown below. This is done to persuade the user into purchasing a full version of Antivirus software “Rapid Antivirus 2.7” to clean the malware that the trojan falsely detected.

It shows legit files being detected as Trojan, Spyware, and Worm as shown below:

If you click on leave button, following window with some warning message is displayed:

On clicking Get Full Version of Rapid Antivirus Now!, it connects to www.rapidantivirus.com and displays following subscription page:

Symptoms

Symptoms -

Presence of folders and registry entries mentioned earlier.

Method of Infection

Method of Infection -

Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial.

Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.Distribution channels include IRC, peer-to-peer networks, email, newsgroup postings, etc.

Removal -

Removal -

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A