FakeAlert-WinwebSecurity

Type: Trojan
SubType: Win32
Discovery Date: 12/11/2008
Length: Varies
Minimum DAT: 5461 (12/11/2008)
Updated DAT: 6422 (07/29/2011)
Minimum Engine: 5.2.00
Description Added: 12/11/2008
Description Modified: 03/09/2010 5:51 AM (PT)
Risk Assessment: Corporate User: Low; Home User: Low

Characteristics

Upon execution, FakeAlert-WinWebSecurity creates the following registry keys:

  • HKEY_USERS\S-1-5-21-602162358-1897051121-839522115-1003_Classes\.exe
  • HKEY_USERS\S-1-5-21-602162358-1897051121-839522115-1003_Classes\secfile
  • HKEY_CURRENT_USER\Software\Classes\.exe
  • HKEY_CURRENT_USER\Software\Classes\secfile
  • HKEY_CLASSES_ROOT\.exe
  • HKEY_CLASSES_ROOT\secfile

The following registry values have been added to the system.

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows "Identity"]
    Data: 8A, 53, 5C, F6
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile "DisableNotifications"]
    Data: 01, 00, 00, 00
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile "DoNotAllowExceptions"]
    Data: 00, 00, 00, 00
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile "EnableFirewall"]
    Data: 00, 00, 00, 00
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile "DisableNotifications"]
    Data: 01, 00, 00, 00
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile "DoNotAllowExceptions"]
    Data: 00, 00, 00, 00
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile "DisableNotifications"]
    Data: 01, 00, 00, 00
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile "DoNotAllowExceptions"]
    Data: 00, 00, 00, 00
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile "EnableFirewall"]
    Data: 00, 00, 00, 00
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile "DisableNotifications"]
    Data: 01, 00, 00, 00
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile "DoNotAllowExceptions"]
    Data: 00, 00, 00, 00

The following registry values are modified on the system:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)"]
    New data: "C:\Documents and Settings\%User%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Intern
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride"]
    New data: 01, 00, 00, 00
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride"]
    New data: 01, 00, 00, 00
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess "Start"]
    New data: 04, 00, 00, 00
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Epoch "Epoch"]
    New data: 2D, 00, 00, 00
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess "Start"]
    New data: 04, 00, 00, 00
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch "Epoch"]
    New data: 2D, 00, 00, 00
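A responder triaging a host for the changes listed above can check an exported hive offline. The following is an added example, not part of this description or of any vendor tooling: it parses `reg export`-style text and flags the Security Center overrides, the firewall-policy values, the SharedAccess service state and the Internet Explorer command hijack named above. The key paths come from this description; the sample input is constructed.

```python
import re

# Constructed `reg export`-style text seeded with the data this description lists
# (sample input, not a real hive; the IE command target is constructed).
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=dword:00000000
"DisableNotifications"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\av.exe\" /START \"C:\\Program Files\\Internet Explorer\\iexplore.exe\""
'''
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg(text):
    """Map (key path, value name) -> int for dword values, str for strings."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group(1).lower()
        elif key and (m := VAL_RE.match(line)):
            name = "(default)" if m.group(1) == "@" else m.group(1)[1:-1].lower()
            raw = m.group(2)
            if raw.startswith("dword:"):
                values[(key, name)] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                values[(key, name)] = re.sub(r"\\(.)", r"\1", raw[1:-1])  # unescape \\ and \"
    return values

SC = r"hkey_local_machine\software\microsoft\security center"
SA = r"hkey_local_machine\system\currentcontrolset\services\sharedaccess"
IE = r"hkey_local_machine\software\clients\startmenuinternet\iexplore.exe\shell\open\command"
# (key, value name, predicate on the parsed data, finding)
INDICATORS = [
    (SC, "antivirusoverride", lambda v: v == 1, "Security Center AV warning overridden"),
    (SC, "firewalloverride", lambda v: v == 1, "Security Center firewall warning overridden"),
    (SA, "start", lambda v: v == 4, "SharedAccess (Windows Firewall) service disabled"),
    (IE, "(default)", lambda v: "av.exe" in str(v).lower(), "IE start command hijacked to av.exe"),
] + [(SA + "\\parameters\\firewallpolicy\\" + p, n, lambda v, x=x: v == x, f"{p}: {n}={x}")
     for p in ("domainprofile", "standardprofile")
     for n, x in (("enablefirewall", 0), ("disablenotifications", 1))]

def check(values):
    """Return the findings whose indicator is present with the listed data."""
    return [why for key, name, hit, why in INDICATORS
            if (key, name) in values and hit(values[(key, name)])]
```

Running `check(parse_reg(SAMPLE_REG))` on the constructed sample returns six findings; feed it the output of `reg export` on the Security Center and SharedAccess keys of a suspect host instead.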

The following file(s) are dropped/created by the FakeAlert:

  • c:\Documents and Settings\%User%\Local Settings\Application Data\av.exe (Size: 176,128 bytes)
  • c:\Documents and Settings\%User%\Local Settings\Application Data\B66D8 (Size: 7,296 bytes)

The FakeAlert loads a Security Center as shown below, which informs the user that they do not have a Firewall or Anti-Virus. This is a fake Security Center which attempts to trick the user into purchasing the fake scanning software.

Once this Security Center has been loaded, the FakeAlert begins a fake scan of the user's hard disk drive and informs the user that their machine is infected with several malware files.

Once the fake scan is complete, the following screen is displayed; it falsely informs the user that their machine is infected and attempts to trick them into purchasing the software. The FakeAlert switches the position of the “NO” button in an attempt to trick the user into clicking “YES” to purchase the FakeAlert software.

Once the user closes the Fake Alert, it continually shows a taskbar pop-up message which falsely informs the user that their machine is under attack and needs to be protected.

The following domain(s) may be accessed by the Malware:

  • antivirus-[removed].com
  • livewindowsant[removed].com
  • proantivir[removed].com
  • pro-antivir[removed].com
  • antivirus[removed].com
  • microa-ntvir[removed].com
  • antivirus-[removed].com
  • windows-[removed].com
  • spyware-destroy[removed].com

System changes:

These are general defaults for typical path variables. (Although they may differ, these examples are common.)

%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)

%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)

Symptoms

  • Gives fake alerts as if the system is severely infected.
  • Registry modification

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include spam emails, IRC, P2P networks, newsgroup postings, etc.

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore (Windows ME/XP only).

2. Update to current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

General repair may be unsuccessful in some instances. If this occurs, please submit a sample for further evaluation.

Variants

N/A

Overview

This binary is a FakeAlert Trojan. As the name suggests, it presents fake alerts on the compromised system, creating the illusion that the system is severely infected when it is not. It then shows fake balloon tips which, when clicked, ask the user to buy the fake antivirus software.

FakeAlert-WinWebSecurity will silently install and run a virus scan on the system. It will falsely claim that it found viruses and will require the user to register the product to clean the system.

Aliases

  • Downloader.MisleadApp (Symantec)
  • TR/Dldr.FraudLoad.vfgb (AntiVir)
  • Trojan-Downloader.Win32.FraudLoad.vfhq (Kaspersky)
