FakeAlert-av360

Type: Trojan
SubType: Win32
Discovery Date: 12/18/2008
Length:
Minimum DAT: 5468 (12/18/2008)
Updated DAT: 6287 (03/16/2011)
Minimum Engine: 5.2.00
Description Added: 12/18/2008
Description Modified: 01/26/2009 5:55 PM (PT)
Risk Assessment (Corporate User): Low
Risk Assessment (Home User): Low

Characteristics

Upon installation, the infected host presents a window that imitates an antivirus scan. It may appear similar to the one below:

Several other windows may also appear during and after the scan, such as:


The following registry keys are created:

  • HKEY_CLASSES_ROOT\CLSID\{0B014B81-4E12-46F9-806F-55867AF8FD3C}
  • HKEY_CLASSES_ROOT\CLSID\{0B014B81-4E12-46F9-806F-55867AF8FD3C}\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\c
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0B014B81-4E12-46F9-806F-55867AF8FD3C}
  • HKEY_CURRENT_USER\Software\E909BA2F623EAF88F07888DEDEFFF781


The following directory is created:

  • %DOCSETTINGS%\Start Menu\A360

The following files are created:

  • %SYSTEM%\ieupdates.exe
  • %SYSTEM%\winsystems.dll
  • %DOCSETTINGS%\Application Data\Microsoft\Internet Explorer\Quick Launch\A360.lnk
  • %DOCSETTINGS%\Desktop\A360.lnk
  • %DOCSETTINGS%\Recent\PrivacyViolationAlert.lnk
  • %DOCSETTINGS%\Recent\ScanScreen.lnk
  • %DOCSETTINGS%\Recent\ThreatsFound.lnk
  • %DOCSETTINGS%\Recent\VulnerableFilesFound.lnk
  • %DOCSETTINGS%\Start Menu\A360\A360.lnk
  • %DOCSETTINGS%\Start Menu\A360\Help.lnk
  • %DOCSETTINGS%\Start Menu\A360\Registration.lnk



Note: %SYSTEM% is a variable location and refers to the windows system directory
          %DOCSETTINGS% is a variable location that refers to the user documents and settings directory.


Communication was observed with the following domains when opening a browser:


  • 78.47.[edited]
  • 64.105[edited]
  • 65.55[edited]
  • 209.84[edited]
  • 91.211[edited]


Upon first running a browser after installation, an error similar to the one below is displayed:

Symptoms

  • Presence of the aforementioned files and registry entries
  • Unknown communication to the aforementioned addresses
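A read-only host check for the artifacts listed in this description, added here as an example and not taken from the original page or vendor tooling. It uses the registry keys and file paths given above; mapping %DOCSETTINGS% to the current user's profile directory, and the weighting of the two parent keys that also exist on clean systems, are assumptions.

```powershell
# Added example (not part of the original description): a read-only check that reports which of
# the FakeAlert-av360 artifacts listed on this page are present. Assumption: %DOCSETTINGS% is the
# current user's profile ($env:USERPROFILE), i.e. C:\Documents and Settings\<user> on XP / 2003.
$clsid    = '{0B014B81-4E12-46F9-806F-55867AF8FD3C}'
$explorer = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'

# Keys as listed on the page. The two parent keys marked Weak exist on clean systems as well
# (the BHO container and the Recycle Bin settings); only the CLSID-specific keys and the
# hashed-name HKCU key are discriminating indicators on their own.
$registryKeys = @(
    @{ Path = "HKEY_CLASSES_ROOT\CLSID\$clsid";                Weight = 'Strong' }
    @{ Path = "HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"; Weight = 'Strong' }
    @{ Path = "$explorer\BitBucket\c";                         Weight = 'Weak'   }
    @{ Path = "$explorer\Browser Helper Objects";              Weight = 'Weak'   }
    @{ Path = "$explorer\Browser Helper Objects\$clsid";       Weight = 'Strong' }
    @{ Path = 'HKEY_CURRENT_USER\Software\E909BA2F623EAF88F07888DEDEFFF781'; Weight = 'Strong' }
)

$system      = [Environment]::GetFolderPath('System')   # %SYSTEM%
$docSettings = $env:USERPROFILE                         # %DOCSETTINGS% (assumption, see above)
$files = @(
    "$system\ieupdates.exe"
    "$system\winsystems.dll"
    "$docSettings\Application Data\Microsoft\Internet Explorer\Quick Launch\A360.lnk"
    "$docSettings\Desktop\A360.lnk"
    "$docSettings\Recent\PrivacyViolationAlert.lnk"
    "$docSettings\Recent\ScanScreen.lnk"
    "$docSettings\Recent\ThreatsFound.lnk"
    "$docSettings\Recent\VulnerableFilesFound.lnk"
    "$docSettings\Start Menu\A360\A360.lnk"
    "$docSettings\Start Menu\A360\Help.lnk"
    "$docSettings\Start Menu\A360\Registration.lnk"
)

function Get-FakeAlertAv360Artifacts {
    foreach ($key in $registryKeys) {
        # Registry:: accepts full hive names, including HKEY_CLASSES_ROOT, which has no PSDrive by default.
        [pscustomobject]@{ Kind = 'Registry'; Weight = $key.Weight; Path = $key.Path;
                           Present = Test-Path -LiteralPath "Registry::$($key.Path)" }
    }
    foreach ($file in $files) {
        [pscustomobject]@{ Kind = 'File'; Weight = 'Strong'; Path = $file; Present = Test-Path -LiteralPath $file }
    }
}

$found = Get-FakeAlertAv360Artifacts | Where-Object Present
$found | Format-Table Kind, Weight, Path -AutoSize
if ($found | Where-Object Weight -eq 'Strong') {
    Write-Warning 'FakeAlert-av360 indicators present; scan with the current engine and DAT files.'
}
```

Only the Strong rows trigger the warning; a hit on a Weak key alone is expected on many clean machines and should not be read as an infection.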

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Variants

N/A

Overview

This is a detection for a trojan that displays misleading fake alerts to entice the user into buying a product to "repair" malware problems.
