FakeAlert-WPS
- Type: Trojan
- SubType: Win32
- Discovery Date: 08/19/2009
- Length:
- Minimum DAT: 5714 (08/19/2009)
- Updated DAT: 5881 (02/03/2010)
- Minimum Engine: 5.2.00
- Description Added: 08/19/2009
- Description Modified: 01/02/2010 6:00 PM (PT)
Characteristics
Upon execution, the trojan creates a folder and drops the following file:
%UserProfile%\Application Data\bdc63e5\PCbdc6.exe
Note: %UserProfile% is a variable location and refers to the user's profile folder.
It modifies the hosts file.
It modifies the following registry entries:
- HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes
- HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  "PC Live Guard" = "%UserProfile%\Application Data\bdc63e5\PCbdc6.exe" /s /d
  This entry makes the trojan start again on every reboot.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntispywarXP2009.exe
  "Debugger" = svchost.exe
  This modification is intended to prevent specific tools from running: when a Debugger value is set under an Image File Execution Options key, Windows launches the named program (here svchost.exe) instead of the listed executable.
It may contact the following sites:
update2.pclive[removed].com
mysecurity[removed].com
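The Run entry and the Image File Execution Options Debugger value listed above are the two registry artifacts a responder would check for on other hosts. The following added example, which is not McAfee's code or part of this description, parses a regedit (.reg) export and flags both patterns; the registry fragment it scans is constructed for the demonstration (the profile path, and the notepad.exe/windbg.exe entry included as a benign comparison, are assumed values, not indicators from this description).

```python
import re
# Constructed .reg export fragment (not a real capture) modelled on the entries in the description above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Live Guard"="\"C:\\Documents and Settings\\user\\Application Data\\bdc63e5\\PCbdc6.exe\" /s /d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntispywarXP2009.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools for Windows\\windbg.exe\""
'''
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(?:"((?:[^"\\]|\\.)*)"|(.*))$')
IFEO_RE = re.compile(r'\\Image File Execution Options\\([^\\]+)$', re.IGNORECASE)
RUN_RE = re.compile(r'\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$', re.IGNORECASE)
unescape = lambda s: re.sub(r'\\(.)', r'\1', s)  # regedit writes \\ for \ and \" for "

def parse_reg(text):
    """Map each [key] to {value_name: data}; string data is unescaped, other types kept raw."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            data = unescape(m.group(2)) if m.group(2) is not None else m.group(3)
            keys[current][unescape(m.group(1))] = data
    return keys

def first_token(cmd):
    cmd = cmd.strip()  # executable part of a command line: quoted path, else text before the first space
    end = cmd.find('"', 1) if cmd.startswith('"') else -1
    return cmd[1:end] if end > 0 else cmd.split(' ', 1)[0]

def find_suspicious(keys):
    """Return (rule, key-or-image, value_name, data) tuples; these are triage heuristics, not proof."""
    findings = []
    for key, values in keys.items():
        ifeo = IFEO_RE.search(key)
        if ifeo and 'Debugger' in values:
            # A genuine debugger registration carries a full path; a bare name like svchost.exe just swallows the launch.
            rule = 'ifeo_debugger_hijack' if '\\' not in first_token(values['Debugger']) else 'ifeo_debugger_review'
            findings.append((rule, ifeo.group(1), 'Debugger', values['Debugger']))
        elif RUN_RE.search(key):
            for name, data in values.items():  # autoruns launched from inside the user profile
                if re.search(r'\\(Application Data|AppData)\\', first_token(data), re.IGNORECASE):
                    findings.append(('autorun_from_profile', key, name, data))
    return findings
```

Run it over `reg export HKLM\SOFTWARE file.reg` output from a suspect host; the `ifeo_debugger_review` rule is there so that legitimately registered debuggers are listed for a human rather than silently trusted.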
Symptoms
Presence of the mentioned files & registry key(s).
Method of Infection
Trojans do not self-replicate. They often arrive as a desirable or intriguing file and conceal their true nature. Common ways to receive a trojan are through newsgroup postings, IRC, peer-to-peer networks, spam, etc.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
This is a detection for a trojan that displays misleading fake alerts to entice the user into buying a product to "repair" malware problems. This trojan may disguise its malicious behavior, and victims are likely to have installed it thinking it is an innocent screensaver program.