Generic FakeAlert!cr

Type: Trojan
SubType:
Discovery Date: 10/12/2009
Length:
Minimum DAT: 5769 (10/12/2009)
Updated DAT: 5799 (11/11/2009)
Minimum Engine: 5.3.00
Description Added: 10/12/2009
Description Modified: 10/16/2009 3:52 AM (PT)
Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

When executed, the malware binary displays a fake alert in the system tray: a balloon tip appears which claims that spyware programs are present on the system and prompts the user to download Antivirus Pro 2010.

When the user clicks the balloon tip, the binary attempts to download a fraudulent payload, in this case Antivirus Pro 2010, in the background and without the user's intervention. Once that is done, it opens a GUI which tells the compromised user that the system has been severely affected by spyware and malware.

The fake antivirus software is downloaded to the machine from the following URL:

     

Once the download is complete, it installs Antivirus Pro 2010, which displays fake messages about spyware programs found on the system (these either do not exist or are dropped by the software itself) and then prompts the user to buy the product.

The following registry keys are created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntivirusPro_2010
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
  • HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusPro_2010

The following registry entry ensures that Antivirus Pro 2010 is launched on every reboot:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antivirus Pro 2010: "C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe" /hide

When the fake software is installed, it makes sure that any other antivirus software or firewall is turned off, using the following registry entries (a *DisableNotify value of 0x00000001 suppresses the Windows Security Center warning that antivirus, firewall or automatic updates are turned off):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify: 0x00000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify: 0x00000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify: 0x00000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify: 0x00000001

The following files are added to the system:

  • %APPDATA%\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
  • %APPDATA%\herahupone.scr
  • %APPDATA%\inoxijejyd.lib
  • %APPDATA%\lizkavd.exe
  • %APPDATA%\seres.exe
  • %APPDATA%\svcst.exe
  • %USERPROFILE%\Desktop\AntivirusPro_2010.lnk
  • %APPDATA%\pijyzu.exe
  • %APPDATA%\qenoroge.pif
  • %DOCSETTINGS%\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
  • %DOCSETTINGS%\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
  • %PROGRAMFILES%\AntivirusPro_2010\AntivirusPro_2010.cfg
  • %PROGRAMFILES%\AntivirusPro_2010\AntivirusPro_2010.exe

(where %PROGRAMFILES% is the Windows program folder, e.g. C:\Program Files, and %DOCSETTINGS% is the Documents and Settings folder, e.g. C:\Documents and Settings\username)

The following folders are added:

  • %DOCSETTINGS%\Start Menu\Programs\AntivirusPro_2010
  • %PROGRAMFILES%\AntivirusPro_2010
  • %PROGRAMFILES%\AntivirusPro_2010\data

Symptoms

  • Fake alert messages about the presence of spyware programs.
  • Presence of the file(s) mentioned.
  • Presence of the registry key(s) mentioned.
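The registry indicators listed under Characteristics and the Symptoms above amount to a triage checklist. The following is an added example, not McAfee's own tooling: it scans a Windows .reg export for the Antivirus Pro 2010 Run entry, the Security Center *DisableNotify tampering and the install keys. The export text is a constructed sample built from the values on this page.

```python
"""Triage check for the Generic FakeAlert!cr registry indicators (added example, not
McAfee's tooling). Scans a Windows .reg export text; SAMPLE_REG below is constructed."""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SECURITY_CENTER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
DISABLE_NOTIFY = ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify")
INSTALL_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusPro_2010",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntivirusPro_2010",
)

def parse_reg_export(text):
    """Map each [key] section of a .reg export to {value_name: raw_data} (empty keys map to {})."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith(('"', "@")):
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data
    return keys

def find_indicators(reg_text):
    """Return one finding string per advisory indicator present in the export."""
    keys = parse_reg_export(reg_text)
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if "antiviruspro_2010" in data.lower():
            findings.append(f"run-key persistence: {name}")
    for name in DISABLE_NOTIFY:
        # dword 1 stops Security Center warning that AV, firewall or updates are off
        if keys.get(SECURITY_CENTER, {}).get(name, "").lower() == "dword:00000001":
            findings.append(f"security center warning suppressed: {name}")
    findings += [f"install key present: {k}" for k in INSTALL_KEYS if k in keys]
    return findings

# Constructed sample export mirroring the registry changes listed in the advisory.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Antivirus Pro 2010"="\"C:\\Program Files\\AntivirusPro_2010\\AntivirusPro_2010.exe\" /hide"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusPro_2010]
'''
```

On a live machine the same check can be run against `reg export HKLM\SOFTWARE file.reg` output, with any hit confirmed against the file list above.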

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This detection is for a trojan which displays a fake alert message about the presence of spyware on the system and downloads fake anti-spyware software.
