FakeAlert-DA
- Type: Trojan
- SubType: Win32
- Discovery Date: 05/22/2009
- Length:
- Minimum DAT: 5623 (05/22/2009)
- Updated DAT: 5718 (08/23/2009)
- Minimum Engine: 5.2.00
- Description Added: 05/22/2009
- Description Modified: 07/22/2009 11:00 PM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
Overview
-- Update July 23, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/07/21/andrews_video_malware_ruse/
--
This Trojan is being served by the following URL:
- hxxp://video.report-{blocked}/Erin_Andrews_Peephole_Video
Once the user connects to the above site, it asks the user to download a video player to play the video properly, then connects to hxxp://newfileexe.com/streamvie{blocked}.exe to download this Trojan.
Once executed, it connects to the following sites to download files:
- hxxp://isyouimageshere.com/item/2b647e4{blocked}/titem.gif
- hxxp://imgesinstudioonline.com/perce/2b140e{blocked}/qwerce.gif
- hxxp://yourimagesstudio.com/werber/{blocked}/217.gif
The downloaded files are actually image files; however, embedded in these GIF files are encrypted malware executables detected as FakeAlert-EL.
Once this Trojan downloads these images, it extracts the malicious files into the Temp folder and executes them.
It saves the extracted files as:
- %Temp%\a.exe
- %Temp%\b.exe
- %Temp%\c.exe
Note: %Temp% is the Windows Temp folder.
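A defender-side check suggested by the GIF-carrier technique above, added here as example code that is neither from the original advisory nor McAfee's own detection logic: it walks the GIF block structure and reports any bytes appended after the GIF trailer, a common place for a hidden payload to sit. The sample GIFs are constructed, and the placement of the payload after the trailer is an assumption of mine, since the advisory does not say where in the image the encrypted executable is embedded.

```python
import struct

GIF_TRAILER = 0x3B  # ';' block that ends a well-formed GIF stream

def _skip_subblocks(data, pos):
    """Advance past a chain of data sub-blocks (length byte + payload) up to the 0 byte."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n

def _colour_table_size(packed):
    """Bytes used by a colour table when bit 7 of the packed field says one is present."""
    return 3 * (2 ** ((packed & 0x07) + 1)) if packed & 0x80 else 0

def gif_trailing_data(data):
    """Walk the GIF block structure; return (trailer_offset, bytes_after_trailer)."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = 13 + _colour_table_size(data[10])  # header + logical screen descriptor + GCT
    while pos < len(data):
        block = data[pos]
        if block == GIF_TRAILER:
            return pos, bytes(data[pos + 1:])
        if block == 0x2C:  # image descriptor (10 bytes), local colour table, LZW code size
            pos = _skip_subblocks(data, pos + 10 + _colour_table_size(data[pos + 9]) + 1)
        elif block == 0x21:  # extension: introducer, label, then sub-blocks
            pos = _skip_subblocks(data, pos + 2)
        else:
            raise ValueError(f"unknown block 0x{block:02x} at offset {pos}")
    raise ValueError("no GIF trailer found")

def has_appended_payload(data):
    """True when bytes follow the trailer. A bare 'MZ' search would not do here: the
    advisory says the embedded executables are encrypted, so the PE header is hidden."""
    return len(gif_trailing_data(data)[1]) > 0

# Constructed 1x1 GIF (not one of the files named in the advisory) plus a copy with data appended.
CLEAN_GIF = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)  # 2-entry global colour table
             + b"\x00\x00\x00\xff\xff\xff"
             + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
             + b"\x02" + b"\x02\x44\x01\x00" + bytes([GIF_TRAILER]))
SUSPECT_GIF = CLEAN_GIF + b"\x00" * 16 + b"encrypted-payload-stand-in"
```

The check flags structure, not content, so it also catches padding or other appended junk; anything it flags still needs the trailing bytes inspected before calling them a payload.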
Symptoms
Presence of the mentioned files
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
All Information
Overview
This is a detection for a Trojan Downloader for other FakeAlert variants.