Content

FakeAlert-CO

Type
Trojan
SubType
Win32
Discovery Date
05/09/2009
Length
varies
Minimum DAT
5610 (05/09/2009)
Updated DAT
5761 (10/04/2009)
Minimum Engine
5.2.00
Description Added
05/09/2009
Description Modified
05/12/2009 9:09 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This Trojan can be downloaded from the following URLs:

  • hxxp://allowedwebsurfing.com/download.php?affid=00000
  • hxxp://trustedwebsecurity.com/download.php?affid=00000

Upon execution, the Trojan drops the following files:

  • %ALL_USERS_PROFILE%\[Random Numbers]\[Random Numbers].exe - detected as FakeAlert-CO
  • %ALL_USERS_PROFILE%\[Random Numbers]\[Random Numbers].glu
  • %ALL_USERS_PROFILE%\[Random Numbers]\pc[Random Numbers]cnf
  • %ALL_USERS_PROFILE%\[Random Numbers]\pc[Random Numbers]ins

(where %ALL_USERS_PROFILE% is the default all users profile folder, for example C:\Documents and Settings\All Users)

The following registry entry is added as its autostart:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

[Random Numbers] = %ALL_USERS_PROFILE%\[Random Numbers]\[Random Numbers].exe

It then either terminates all running processes except system processes and services, or prompts the user to reboot the machine.

Either way, it then performs a fake system scan and reports false and exaggerated threats.

The user will not be able to open or run any application unless they activate (purchase) the rogue antivirus program.

It also shows a balloon message claiming that files are infected or corrupted.

Symptoms

Presence of the aforementioned files and registry entries.
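The following script is an added example (not part of the original description, and not McAfee tooling) that checks a host for the two indicators listed above: a Run value whose name is all digits pointing at %ALL_USERS_PROFILE%\[digits]\[digits].exe, and an all-digit folder under the all-users profile holding the dropped file set. It assumes that the page's %ALL_USERS_PROFILE% placeholder corresponds to the $env:ALLUSERSPROFILE variable (C:\Documents and Settings\All Users on XP, C:\ProgramData on Vista and later) and that "[Random Numbers]" means a run of decimal digits; both are assumptions, not facts stated on the page.

```powershell
# Added example: hunt for FakeAlert-CO style artifacts. Read-only; run elevated
# so HKLM and the all-users profile are readable.
# Assumptions (not from the original page): %ALL_USERS_PROFILE% == $env:ALLUSERSPROFILE,
# and "[Random Numbers]" == one or more decimal digits.

$runKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$profileRoot = $env:ALLUSERSPROFILE
$escapedRoot = [regex]::Escape($profileRoot)
# Value data: <ALLUSERSPROFILE>\<digits>\<digits>.exe, optionally quoted.
$dataPattern = "^`"?$escapedRoot\\(\d+)\\\d+\.exe`"?\s*$"

function Find-FakeAlertRunEntries {
    # Autostart indicator: all-digit value name whose data matches $dataPattern.
    if (-not (Test-Path $runKey)) { return @() }
    $props = Get-ItemProperty -Path $runKey
    $hits  = @()
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notmatch '^\d+$') { continue }        # skips PSPath etc. too
        if ($p.Value -is [string] -and $p.Value -match $dataPattern) {
            $hits += [pscustomobject]@{
                ValueName = $p.Name
                ImagePath = $p.Value
                DropDir   = Join-Path $profileRoot $Matches[1]
            }
        }
    }
    return $hits
}

function Find-FakeAlertDropDirs {
    # File-system indicator, independent of the registry: an all-digit folder
    # under the profile root containing <digits>.exe plus at least one of
    # <digits>.glu, pc<digits>cnf, pc<digits>ins. PSIsContainer is used instead
    # of -Directory/-File so this also runs on PowerShell 2.0 (Windows XP).
    Get-ChildItem -Path $profileRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^\d+$' } |
        ForEach-Object {
            $dir   = $_.FullName
            $files = Get-ChildItem -Path $dir -ErrorAction SilentlyContinue |
                     Where-Object { -not $_.PSIsContainer } |
                     Select-Object -ExpandProperty Name
            $hasExe = $files | Where-Object { $_ -match '^\d+\.exe$' }
            $hasGlu = $files | Where-Object { $_ -match '^\d+\.glu$' }
            $hasCnf = $files | Where-Object { $_ -match '^pc\d+cnf$' }
            $hasIns = $files | Where-Object { $_ -match '^pc\d+ins$' }
            if ($hasExe -and ($hasGlu -or $hasCnf -or $hasIns)) {
                [pscustomobject]@{ DropDir = $dir; Files = ($files -join ', ') }
            }
        }
}

$runHits = Find-FakeAlertRunEntries
$dirHits = Find-FakeAlertDropDirs
if (-not $runHits -and -not $dirHits) {
    Write-Output 'No FakeAlert-CO style autostart entries or drop directories found.'
} else {
    Write-Output 'Suspicious Run entries:';      $runHits | Format-Table -AutoSize
    Write-Output 'Suspicious drop directories:'; $dirHits | Format-Table -AutoSize
}
```

The two checks are deliberately independent: the Run value survives even if the dropped files were deleted, and the drop directory survives if the Run value was cleaned by hand, so a hit on either is worth a closer look. Treat a match as a lead for the engine/DAT scan described under Removal, not as a confirmed detection, since any legitimate program could in principle use an all-digit folder name.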

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview

This is a detection for a trojan that displays misleading fake alerts to entice the user into buying a product.