Content

FakeAlert-SpywareProtect

Type
Trojan
SubType
FakeAlert
Discovery Date
03/20/2009
Length
Varies
Minimum DAT
5559 (03/20/2009)
Updated DAT
6408 (07/15/2011)
Minimum Engine
5.4.00
Description Added
03/20/2009
Description Modified
05/27/2010 2:55 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

When executed, this malware drops the following files:

%Windir%\sysguard.exe [Detected as FakeAlert-SpywareProtect]

It then modifies the host file located in "%System%\drivers\etc\hosts" with the following URL to IP mappings:

  • 91.212.65.122 browser-security.microsoft.com
  • 91.212.65.122 spyware-protector-2009.com
  • 91.212.65.122 www.spyware-protector-2009.com
  • 91.212.65.122 secure.spyware-protector-2009.com
  • 91.212.65.122 knocker

This is done to ensure that any attempts to connect to the above sites, will be redirected to the IP addresses entered instead.

Note:

  • %Windir% is a variable location and refers to the Windows folder. By default, this is C:\Windows [Windows XP]
  • %System% is a variable location and refers to the System folder. By default, this is C:\Windows\System32 [Windows XP]


It also creates the following registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    system tool = "%Windir%\sysguard.exe"

This ensures that the malware runs every time Windows starts.

The malware also attempts to connect to the following URLs on port 80:

  • http://91.212.65.122[Removed]
  • http://knocker[Removed]

This is done to download newer versions of the malware from this site.

The malware then runs an exaggerated scan on the machine and generates false detection alerts. This is done to persuade the user into purchasing a full version of the software to clean the malware that the malware falsely detected.

In the screenshots provided below, we can see that the malware generates false detection alerts for fake malware named Win32/Nuqel.E & BankerFox.A:


 


Symptoms

  • Presence of files and registry entries mentioned earlier
  • Presence of fake error messages mentioned earlier

 

 

Method of Infection

Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial. Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.

Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

 

Variants

Variants

    N/A

All Information

Overview -

This description is for malware that shows false error messages, misleading spyware scan results, and uses aggressive advertising to persuade the user to purchase it.

The characteristics of this malware with regards to the file names, fake messages dispayed, etc will differ, depending on the way in which the attacker had configured it. Hence, this is a general description.

Aliases

  • Adware/TotalSecurity2009 [Panda]
  • AntiVirus2008 [Symantec]
  • Rogue:W32/SpywareGuard2008.G [F-Secure]
  • Troj/FakeAV-OM [Sophos]
  • TROJ_FAKEAV.FXF [TrendMicro]
  • Trojan:Win32/FakeSpypro [Microsoft]
  • Win32/Adware.SpywareProtect2009 [Nod32]
  • Win32/SystemGuard2009.AS [eTrust]

Characteristics

Characteristics -

When executed, this malware drops the following files:

%Windir%\sysguard.exe [Detected as FakeAlert-SpywareProtect]

It then modifies the host file located in "%System%\drivers\etc\hosts" with the following URL to IP mappings:

  • 91.212.65.122 browser-security.microsoft.com
  • 91.212.65.122 spyware-protector-2009.com
  • 91.212.65.122 www.spyware-protector-2009.com
  • 91.212.65.122 secure.spyware-protector-2009.com
  • 91.212.65.122 knocker

This is done to ensure that any attempts to connect to the above sites, will be redirected to the IP addresses entered instead.

Note:

  • %Windir% is a variable location and refers to the Windows folder. By default, this is C:\Windows [Windows XP]
  • %System% is a variable location and refers to the System folder. By default, this is C:\Windows\System32 [Windows XP]


It also creates the following registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    system tool = "%Windir%\sysguard.exe"

This ensures that the malware runs every time Windows starts.

The malware also attempts to connect to the following URLs on port 80:

  • http://91.212.65.122[Removed]
  • http://knocker[Removed]

This is done to download newer versions of the malware from this site.

The malware then runs an exaggerated scan on the machine and generates false detection alerts. This is done to persuade the user into purchasing a full version of the software to clean the malware that the malware falsely detected.

In the screenshots provided below, we can see that the malware generates false detection alerts for fake malware named Win32/Nuqel.E & BankerFox.A:


 


Symptoms

Symptoms -

  • Presence of files and registry entries mentioned earlier
  • Presence of fake error messages mentioned earlier

 

 

Method of Infection

Method of Infection -

Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial. Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.

Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Removal -

Removal -

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

 

Variants

Variants -

    N/A