FakeAlert-PersonalAV

Type: Trojan
SubType: Win32
Discovery Date: 05/04/2009
Length:
Minimum DAT: 5606 (05/05/2009)
Updated DAT: 6388 (06/25/2011)
Minimum Engine: 5.1.00
Description Added: 05/04/2009
Description Modified: 05/04/2009 5:30 PM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

Upon execution, the trojan creates the following folders:
C:\Documents and Settings\All Users\Start Menu\PAV
C:\Program Files\Common Files\Uninstall
C:\Program Files\PAV

It drops the following file:
%SYSTEM32%\winexplorer.dll

And copies itself to:
C:\Program Files\PAV\pav.exe

It creates the shortcut:
%DESKTOP%\Personal Antivirus.lnk

Adds the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2E59498D-7E44-4452-9044-0973B080B9E8}\InprocServer32\: "%SYSTEM32%\winexplorer.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PAV: "C:\Program Files\PAV\pav.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\19ADC30210AE29A7A6FB25B9B0367195\cczcqfvj: "[remove]"
  • HKEY_LOCAL_MACHINE\SOFTWARE\19ADC30210AE29A7A6FB25B9B0367195\knvqiet: "[remove]"
  • HKEY_LOCAL_MACHINE\SOFTWARE\19ADC30210AE29A7A6FB25B9B0367195\knvvpggkxpso: "[remove]"
  • HKEY_LOCAL_MACHINE\SOFTWARE\19ADC30210AE29A7A6FB25B9B0367195\knvymj: "By:kHYjZ@cBKD"
  • HKEY_LOCAL_MACHINE\SOFTWARE\19ADC30210AE29A7A6FB25B9B0367195\fgxdapk: "=gFlEnjor!!"
  • HKEY_LOCAL_MACHINE\SOFTWARE\19ADC30210AE29A7A6FB25B9B0367195\cnefijtol:
  • HKEY_LOCAL_MACHINE\SOFTWARE\19ADC30210AE29A7A6FB25B9B0367195\vyycwhvrjt: ";r>LEaVkEdfmDP>]A:V\=c^fb!!"
  • HKEY_LOCAL_MACHINE\SOFTWARE\19ADC30210AE29A7A6FB25B9B0367195\vyycvshbnpzo: "?yBM=db:CnR;@a^;Ia>l:]:PU!!"
  • HKEY_LOCAL_MACHINE\SOFTWARE\19ADC30210AE29A7A6FB25B9B0367195\slycidaeybk: "DE^L;;JKC]Bl>gF;?CnjG^rS:!!"
  • HKEY_LOCAL_MACHINE\SOFTWARE\19ADC30210AE29A7A6FB25B9B0367195\knvsilw: "Ne;@M"
  • HKEY_LOCAL_MACHINE\SOFTWARE\19ADC30210AE29A7A6FB25B9B0367195\pgxbbdje: "FNjJ^!!"
  • HKEY_LOCAL_MACHINE\SOFTWARE\19ADC30210AE29A7A6FB25B9B0367195\vyycuupe: "H?b_o!!"
  • HKEY_LOCAL_MACHINE\SOFTWARE\19ADC30210AE29A7A6FB25B9B0367195\jqmxlmav: "H=;>JOW?OSs@WoW?>Z?@Y"
  • HKEY_LOCAL_MACHINE\SOFTWARE\19ADC30210AE29A7A6FB25B9B0367195\slliqdtj: "[remove]"

The following window is presented.

The trojan pretends to scan the compromised machine and reports fake alerts to entice the user into buying its product.

The trojan attempts to connect to the following remote servers:

  • securedliveuploads.com
  • protectionupdatecenter.com

Symptoms

  • Presence of the files and registry keys described above
  • Unexpected network traffic
  • Presence of the described windows
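A read-only host triage script for the symptoms above, added here as an example; it is not part of the McAfee advisory. It checks the dropped files, folders and shortcut, the CLSID and 19ADC30210AE29A7A6FB25B9B0367195 registry keys, the Run value used for persistence, a running pav.exe, and whether either remote server name sits in the local DNS resolver cache. Assumptions not stated in the advisory: %SYSTEM32% and %DESKTOP% expand to this host's System32 and the current user's desktop, and the Wow6432Node hive is also checked because a Win32 sample on 64-bit Windows has its HKLM\SOFTWARE writes redirected there.

```powershell
# Added example, not the advisory's own procedure: read-only triage of the
# FakeAlert-PersonalAV indicators on a suspect Windows host. Run from an
# elevated PowerShell prompt. Nothing is deleted; output is a table of findings.

# %SYSTEM32% and %DESKTOP% from the advisory, expanded for this host.
# Assumption: the infected user profile is the one running this script.
$system32 = Join-Path $env:SystemRoot 'System32'
$desktop  = [Environment]::GetFolderPath('Desktop')

$fileIndicators = @(
    'C:\Documents and Settings\All Users\Start Menu\PAV',
    'C:\Program Files\Common Files\Uninstall',
    'C:\Program Files\PAV',
    'C:\Program Files\PAV\pav.exe',
    (Join-Path $system32 'winexplorer.dll'),
    (Join-Path $desktop 'Personal Antivirus.lnk')
)

# Registry keys from the advisory. The Wow6432Node hive is an assumption:
# a Win32 sample on 64-bit Windows has HKLM\SOFTWARE writes redirected there.
$hives = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node')
$keySuffixes = @(
    'Classes\CLSID\{2E59498D-7E44-4452-9044-0973B080B9E8}\InprocServer32',
    '19ADC30210AE29A7A6FB25B9B0367195'
)

$c2Hosts = @('securedliveuploads.com', 'protectionupdatecenter.com')

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Type, [string]$Indicator, [string]$Detail = '') {
    $findings.Add([pscustomobject]@{ Type = $Type; Indicator = $Indicator; Detail = $Detail })
}

# File-system artifacts: folders, the dropped DLL, the copied executable, the shortcut.
foreach ($p in $fileIndicators) {
    if (Test-Path -LiteralPath $p) { Add-Finding 'File' $p }
}

foreach ($hive in $hives) {
    foreach ($suffix in $keySuffixes) {
        $key = "$hive\$suffix"
        if (Test-Path -LiteralPath $key) {
            # For the CLSID key the (default) value should name winexplorer.dll;
            # record it so the analyst can confirm the in-process server path.
            $default = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
            Add-Finding 'RegistryKey' $key ([string]$default)
        }
    }
    # Persistence: the Run value that relaunches pav.exe at logon.
    $runKey = "$hive\Microsoft\Windows\CurrentVersion\Run"
    $run = Get-ItemProperty -LiteralPath $runKey -Name 'PAV' -ErrorAction SilentlyContinue
    if ($run) { Add-Finding 'RunValue' "$runKey\PAV" $run.PAV }
}

# A live pav.exe process, with the image path it was started from.
foreach ($pr in (Get-Process -Name 'pav' -ErrorAction SilentlyContinue)) {
    Add-Finding 'Process' "pav.exe (PID $($pr.Id))" ([string]$pr.Path)
}

# Network symptom: look for the remote server names in the local DNS resolver
# cache instead of resolving them, so the check itself generates no lookup.
# Get-DnsClientCache needs the DnsClient module (Windows 8 / Server 2012 and later).
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    $cache = Get-DnsClientCache -ErrorAction SilentlyContinue
    foreach ($h in $c2Hosts) {
        $hits = @($cache | Where-Object { $_.Entry -like "*$h*" })
        if ($hits.Count -gt 0) {
            Add-Finding 'DnsCache' $h (($hits | ForEach-Object { $_.Data }) -join ', ')
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No FakeAlert-PersonalAV indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

The script only reads, so it is safe to run on a host before any cleanup decision; a hit on the RunValue or CLSID entry is the strongest signal, since those are the persistence and COM-loading points the advisory lists, while an empty C:\Program Files\Common Files\Uninstall folder alone is weak evidence.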

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

-

Variants

    N/A

Overview

FakeAlert-PersonalAV is a trojan that displays fake alerts to entice the user into buying an antivirus product.