Generic FakeAlert!cr

Type: Trojan
SubType: FakeAlert
Discovery Date: 10/12/2009
Length: Varies
Minimum DAT: 5769 (10/12/2009)
Updated DAT: 6422 (07/29/2011)
Minimum Engine: 5.3.00
Description Added: 10/12/2009
Description Modified: 08/12/2010 4:57 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

------ Updated August 13, 2010 ------

Overview

FakeAlert-SpyPro.gen.p shows a fake warning message alarming the user that their machine is infected or at risk. The intention behind all the fake messages is to drive users to buy the advertised antispyware product.

File Information:

  • MD5 - 11C87FF051AD39BC22BE0C919A9BB062
  • SHA1 - 78B248944F04922F42D78C2C8E958AF37A023926

Aliases:

  • Symantec : Trojan.FakeAV!gen27
  • Avast : Win32:FakeAlert-NT [Trj]
  • Sunbelt : FraudTool.Win32.SecurityTool (v)

Characteristics

This is a detection for a Trojan that displays misleading fake alerts to entice the user into buying a product to "repair" malware problems.

The malware binary displays a fake alert message in the system tray. A balloon tip appears that tells the user that malicious infections are present on the system, and then a GUI opens informing the compromised user that the system has been severely infected by computer viruses.

The Trojan prevents important executables from running (e.g. mspaint.exe, calc.exe, notepad.exe) and tells the compromised user that they are infected.

The malware binary displays the above-mentioned warning when the compromised user opens notepad.exe.

When the compromised user clicks "YES", the Trojan redirects the user to the following websites, which prompt the user to buy the fake software to clean the infection.

  • 178-32-[removed]sufi.com using remote port 80
  • Bill[removed]y.com using remote port 80

When executed, the Trojan copies itself into the following location:

  • %AppData%\8479847.exe

The following file has been added to the system:

  • %StartMenu%\Programs\Security Tool.lnk

The following registry key has been added to the system:

  • HKEY_USERS\S-1-5-(Varies)\Software\Microsoft\Windows\CurrentVersion\RunOnce

The following registry value has been added to the system:

  • [HKEY_USERS\S-1-5-(Varies)\Software\Microsoft\Windows\CurrentVersion\RunOnce\]
    8479847:="%AppData%\8479847.exe" 0 21 "

The above-mentioned registry value ensures that the Trojan executes every time Windows starts.

[Where %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data; %StartMenu% is C:\Documents and Settings\[UserName]\Start Menu.]

Symptoms

  • Gives a fake alert as if the system is severely infected.
  • Registry modification.
  • Tricks the user and prompts them to buy the fake antivirus software.

---------------------------

When executed, the malware binary displays a fake alert message in the system tray: a balloon tip appears that warns of spyware programs present on the system and prompts the user to download Anti Virus Pro 2010.

When the user clicks the balloon tip, the binary attempts to download a fraudulent payload, in this case Anti Virus Pro 2010, which happens in the background without the user's intervention. Once that is done, the system opens a GUI that tells the compromised user that the system has been severely affected by spyware and malware.

The fake antivirus software is downloaded to the machine from the following URL:

Once the download is complete, it installs Anti Virus Pro 2010, which displays fake messages about spyware programs found on the system (which in reality do not exist or are dropped by the software itself) and then prompts the user to buy the product.

The following registry keys will be created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntivirusPro_2010
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
  • HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusPro_2010

The following registry entry ensures that Anti Virus Pro 2010 is launched on every reboot:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antivirus Pro 2010: "C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe" /hide

When the fake software is installed, it turns off the Security Center notifications for any other antivirus software and firewall (and for updates) by setting the following registry entries.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify: 0x00000001
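The persistence entries described above (the RunOnce value under HKEY_USERS pointing at %AppData%\8479847.exe, the Run value for Antivirus Pro 2010, and the three Security Center DisableNotify values) can be checked mechanically against a registry export. The scanner below is an added example, not McAfee's tooling and not part of this description; the .reg text it scans is constructed for illustration, with a placeholder SID and a benign ctfmon entry to show that ordinary autoruns are not flagged. On a live host, export the relevant hives with `reg export` (the output is UTF-16, so read it with encoding="utf-16") and pass the text to scan_export().

```python
"""Added example: scan a Windows registry export (.reg text) for the
autorun and Security Center indicators listed in this description.
Not McAfee's tooling; SAMPLE_EXPORT below is constructed."""
import re
from typing import Dict, List, Tuple

# Key suffixes and value names taken from the description. Everything is
# compared lowercase because registry paths and value names are case-insensitive.
AUTORUN_KEY_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)
SECURITY_CENTER_SUFFIX = r"\software\microsoft\security center"
NOTIFY_VALUES = {"antivirusdisablenotify", "firewalldisablenotify", "updatesdisablenotify"}
KNOWN_KEYS = {
    r"hkey_local_machine\software\antiviruspro_2010",
    r"hkey_local_machine\software\microsoft\windows\currentversion\uninstall\antiviruspro_2010",
}
# Autorun data pointing into the per-user data folder (as %AppData%\8479847.exe does)
# or at the fake product's install folder.
SUSPICIOUS_AUTORUN = re.compile(r"%appdata%|\\application data\\|antiviruspro_2010", re.IGNORECASE)

_KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_LINE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')

Finding = Tuple[str, str, str, str]  # (kind, key, value name, decoded data)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of the .reg format needed here: [key] headers and
    "name"=... lines. Hex continuation lines (no leading quote) are skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        key_match = _KEY_LINE.match(line)
        if key_match:
            current = key_match.group("key").rstrip("\\")
            keys.setdefault(current, {})
            continue
        value_match = _VALUE_LINE.match(line)
        if value_match and current is not None:
            name = "@" if value_match.group("default") else value_match.group("name")
            keys[current][name] = value_match.group("data")
    return keys


def decode_data(data: str):
    """Decode dword:XXXXXXXX to int and a quoted string to str (undoing the .reg
    escaping of backslash and double quote). Other types are returned unchanged."""
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return data


def scan(keys: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Report known keys, suspicious Run/RunOnce values and suppressed Security Center notifications."""
    findings: List[Finding] = []
    for key, values in keys.items():
        low = key.lower()
        if low in KNOWN_KEYS:
            findings.append(("known_key", key, "", ""))
        if low.endswith(AUTORUN_KEY_SUFFIXES):
            for name, data in values.items():
                decoded = str(decode_data(data))
                if SUSPICIOUS_AUTORUN.search(decoded):
                    findings.append(("autorun", key, name, decoded))
        if low.endswith(SECURITY_CENTER_SUFFIX):
            for name, data in values.items():
                if name.lower() in NOTIFY_VALUES and decode_data(data) == 1:
                    findings.append(("notify_suppressed", key, name, "1"))
    return findings


def scan_export(text: str) -> List[Finding]:
    return scan(parse_reg_export(text))


# Constructed sample export: placeholder SID, paths taken from the description,
# plus one benign autorun (ctfmon) that must not be flagged.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-0000000000-0000000000-0000000000-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"8479847"="\"%AppData%\\8479847.exe\" 0 21"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Antivirus Pro 2010"="\"C:\\Program Files\\AntivirusPro_2010\\AntivirusPro_2010.exe\" /hide"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusPro_2010]
@=""

"""

if __name__ == "__main__":
    for kind, key, name, data in scan_export(SAMPLE_EXPORT):
        print(f"{kind:18} {key}  {name!r} {data}")
```

The UpdatesDisableNotify value in the sample is left at 0 on purpose: only values actually set to 1 are reported, so a clean Security Center key produces no finding.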

The following files have been added to the system:

  • %APPDATA%\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
  • %APPDATA%\herahupone.scr
  • %APPDATA%\inoxijejyd.lib
  • %APPDATA%\lizkavd.exe
  • %APPDATA%\seres.exe
  • %APPDATA%\svcst.exe
  • %USERPROFILE%\Desktop\AntivirusPro_2010.lnk
  • %APPDATA%\pijyzu.exe
  • %APPDATA%\qenoroge.pif
  • %DOCSETTINGS%\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
  • %DOCSETTINGS%\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
  • %PROGRAMFILES%\AntivirusPro_2010\AntivirusPro_2010.cfg
  • %PROGRAMFILES%\AntivirusPro_2010\AntivirusPro_2010.exe

(where %PROGRAMFILES% is the Windows program folder, e.g. C:\Program Files, and %DOCSETTINGS% is the Documents and Settings folder, e.g. C:\Documents and Settings\username)

The following folders were added:

  • %DOCSETTINGS%\Start Menu\Programs\AntivirusPro_2010
  • %PROGRAMFILES%\AntivirusPro_2010
  • %PROGRAMFILES%\AntivirusPro_2010\data
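The file lists in this description (the %AppData%\8479847.exe copy and Security Tool.lnk from the first variant, and the Antivirus Pro 2010 files above) use placeholder folders that have to be expanded before they can be checked, and the MD5/SHA1 under File Information identify one specific sample. The sweep below is an added example, not McAfee's tooling and not part of this description: it expands the page's placeholders, reports which listed files exist, hashes them and flags a match against the listed digests. The directory tree built by build_constructed_tree() is a constructed sample (two placeholder files, not real malware), and default_env() is an assumed mapping that follows the page's XP-era definitions of %StartMenu% and %DOCSETTINGS%.

```python
"""Added example: expand the placeholder paths used in this description,
check which of the listed files exist, and compare their hashes with the
MD5/SHA1 under File Information. Not McAfee's tooling; the tree built by
build_constructed_tree() is a constructed sample."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Hashes from the File Information section (lowercase for comparison).
KNOWN_MD5 = "11c87ff051ad39bc22be0c919a9bb062"
KNOWN_SHA1 = "78b248944f04922f42d78c2c8e958af37a023926"

# File indicators exactly as listed in the description, in page order.
FILE_INDICATORS = [
    r"%AppData%\8479847.exe",
    r"%StartMenu%\Programs\Security Tool.lnk",
    r"%APPDATA%\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk",
    r"%APPDATA%\herahupone.scr",
    r"%APPDATA%\inoxijejyd.lib",
    r"%APPDATA%\lizkavd.exe",
    r"%APPDATA%\seres.exe",
    r"%APPDATA%\svcst.exe",
    r"%USERPROFILE%\Desktop\AntivirusPro_2010.lnk",
    r"%APPDATA%\pijyzu.exe",
    r"%APPDATA%\qenoroge.pif",
    r"%DOCSETTINGS%\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk",
    r"%DOCSETTINGS%\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk",
    r"%PROGRAMFILES%\AntivirusPro_2010\AntivirusPro_2010.cfg",
    r"%PROGRAMFILES%\AntivirusPro_2010\AntivirusPro_2010.exe",
]


def default_env() -> Dict[str, str]:
    """Assumed placeholder mapping for a live Windows host, taken from the process
    environment; %StartMenu% and %DOCSETTINGS% follow the page's definitions."""
    profile = os.environ.get("USERPROFILE", "")
    return {
        "appdata": os.environ.get("APPDATA", ""),
        "userprofile": profile,
        "startmenu": str(Path(profile) / "Start Menu"),
        "docsettings": profile,
        "programfiles": os.environ.get("ProgramFiles", ""),
    }


def expand_indicator(indicator: str, env: Dict[str, str]) -> Path:
    """Replace the leading %PLACEHOLDER% (case-insensitive) with its base path."""
    head, *rest = indicator.split("\\")
    if head.startswith("%") and head.endswith("%"):
        return Path(env[head[1:-1].lower()]).joinpath(*rest)
    return Path(head).joinpath(*rest)


def hash_file(path: Path) -> Dict[str, str]:
    """MD5 and SHA1 of a file, read in chunks so large files are not loaded whole."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def sweep(env: Dict[str, str]) -> List[Dict[str, object]]:
    """Return one record per listed file that exists; known_hash is True only for
    the exact sample whose digests the page lists."""
    hits: List[Dict[str, object]] = []
    for indicator in FILE_INDICATORS:
        path = expand_indicator(indicator, env)
        if not path.is_file():
            continue
        digests = hash_file(path)
        hits.append({
            "indicator": indicator,
            "path": str(path),
            **digests,
            "known_hash": digests["md5"] == KNOWN_MD5 or digests["sha1"] == KNOWN_SHA1,
        })
    return hits


def build_constructed_tree(root: Path) -> Dict[str, str]:
    """Constructed sample layout: two of the listed files exist, with placeholder
    contents (an empty AntivirusPro_2010.exe and a text stand-in for 8479847.exe)."""
    env = {
        "appdata": root / "Application Data",
        "startmenu": root / "Start Menu",
        "userprofile": root,
        "docsettings": root,
        "programfiles": root / "Program Files",
    }
    for folder in env.values():
        folder.mkdir(parents=True, exist_ok=True)
    (env["appdata"] / "8479847.exe").write_bytes(b"constructed placeholder, not the real sample")
    install = env["programfiles"] / "AntivirusPro_2010"
    install.mkdir(parents=True, exist_ok=True)
    (install / "AntivirusPro_2010.exe").write_bytes(b"")
    return {name: str(path) for name, path in env.items()}


def demo() -> List[Dict[str, object]]:
    """Build the constructed tree in a temporary directory and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        return sweep(build_constructed_tree(Path(tmp)))


if __name__ == "__main__":
    for hit in demo():
        print(hit["indicator"], hit["md5"], "known sample" if hit["known_hash"] else "hash differs")
```

File names such as herahupone.scr are specific to the variant analysed here, so a hit on the file name alone is the weaker signal and a hash match the stronger one; on a real host call sweep(default_env()) rather than demo().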

Symptoms

  • Fake alert messages appearing about presence of spyware programs.
  • Presence of the file(s) mentioned.
  • Presence of the registry key(s) mentioned.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Variants

N/A

All Information

Overview

This detection is for a Trojan which displays a fake alert message about the presence of spyware on the system and downloads fake anti-spyware software.
