FakeAlert-MaCatte

Type: Trojan
SubType: Win32
Discovery Date: 11/04/2009
Length: Varies
Minimum DAT: 5793 (11/05/2009)
Updated DAT: 5793 (11/05/2009)
Minimum Engine: 5.3.00
Description Added: 11/04/2009
Description Modified: 11/08/2009 10:51 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Overview

FakeAlert-MaCatte is a detection for a trojan that mimics the original McAfee Security Centre product. It displays fake alerts to trick the user into buying the rogue AV product for non-existent malware infections on the compromised system. This rogue security product pops up messages claiming that arbitrary files are infected and prompts the victim to remove all the "malicious" files (actually clean files).

Aliases

  • AntiVirus2009 [Symantec]
  • RogueAntiSpyware.AntiVirus2009 [PC Tools]
  • Trojan.Crypt [Ikarus]
  • Trojan:Win32/FakeXPA [Microsoft]

Characteristics

The trojan creates the following folders and files:

C:\Program Files\msca\
C:\Program Files\msca\msc.exe
C:\Program Files\msca\msca.ico
C:\Program Files\msca\mstdl.exe
C:\Program Files\msca\Viruses.dat

C:\Documents and Settings\All Users\Application Data\msca
C:\Documents and Settings\All Users\Application Data\msca\msca.ico
C:\Documents and Settings\All Users\Application Data\msca\mcull.exe
C:\Documents and Settings\All Users\Application Data\msca\msc.exe
C:\Documents and Settings\All Users\Application Data\msca\Viruses.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Media\WPtect.dll
C:\Documents and Settings\All Users\Desktop\msca.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\msca
C:\Documents and Settings\All Users\Start Menu\Programs\msca\msca.lnk
C:\Documents and Settings\All Users\Desktop\Macatt Sec1.jpg
C:\Documents and Settings\All Users\Desktop\Macatt Sec2.jpg
C:\Documents and Settings\All Users\Desktop\Macatt Sec3.jpg
%UserProfile%\Local Settings\Temp\~DFA3DA.tmp\mac.exe

Note:
%UserProfile% is a variable location and refers to the user's profile folder.

It modifies the following registry keys and values:

• HKEY_CURRENT_USER\Software\msca
• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{459b6bf8-5320-4c41-8833-85baedf31086}
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A73890FC-177F-4198-AE3D-C64F7D9E69D8}
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{459b6bf8-5320-4c41-8833-85baedf31086}
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{459b6bf8-5320-4c41-8833-85baedf31086}
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{459b6bf8-5320-4c41-8833-85baedf31086}
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\{459b6bf8-5320-4c41-8833-85baedf31086}
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "msca"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "wsc"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "msc"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\msca
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPost = "0"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect = "0"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonBadCertRecving = "0"

The trojan uses a browser such as Internet Explorer to connect to the malicious website xxx.macatte.xxxx (now a broken link).
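The file, autostart and Internet Explorer settings changes listed above are what a responder checks for on a suspect host. The PowerShell below is an added example, not McAfee's or the product's own code; it only reads the host and reports matches, and it assumes $env:ProgramFiles, $env:ProgramData and $env:TEMP resolve to the folders the description names.

```powershell
# Added example (not McAfee's code): read-only check of a Windows host for the
# FakeAlert-MaCatte artifacts listed above. Assumes $env:ProgramData stands in for
# the XP-era "All Users\Application Data" folder and $env:TEMP for "%UserProfile%\Local Settings\Temp".
$findings = New-Object System.Collections.Generic.List[string]
# File artifacts named in the description
$paths = @(
    (Join-Path $env:ProgramFiles 'msca\msc.exe'),
    (Join-Path $env:ProgramFiles 'msca\mstdl.exe'),
    (Join-Path $env:ProgramFiles 'msca\Viruses.dat'),
    (Join-Path $env:ProgramData  'msca\mcull.exe'),
    (Join-Path $env:ProgramData  'Microsoft\Media\WPtect.dll'),
    (Join-Path $env:TEMP         '~DFA3DA.tmp\mac.exe')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings.Add("file present: $p") }
}
# Autostart values the trojan writes (value names from the description)
$runKeys = @{
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' = @('msca')
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'     = @('wsc', 'msc')
}
foreach ($key in $runKeys.Keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($name in $runKeys[$key]) {
        $val = $props.PSObject.Properties[$name]
        if ($val) { $findings.Add("autostart ${key}\${name} = $($val.Value)") }
    }
}
# Component registrations and the trojan's own keys (GUIDs from the description)
$clsid = '{459b6bf8-5320-4c41-8833-85baedf31086}'
$bho   = '{A73890FC-177F-4198-AE3D-C64F7D9E69D8}'
$keys = @(
    'HKCU:\Software\msca',
    "HKLM:\SOFTWARE\Classes\CLSID\$clsid",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bho",
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\msca'
)
foreach ($k in $keys) { if (Test-Path -LiteralPath $k) { $findings.Add("registry key present: $k") } }
# IE warning suppression: the trojan sets these to 0 so that posting form data and
# receiving a bad certificate no longer prompt the user (some are stored as REG_BINARY)
$ie = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
foreach ($name in 'WarnOnPost', 'WarnOnPostRedirect', 'WarnonBadCertRecving') {
    $v = (Get-ItemProperty -LiteralPath $ie -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -is [byte[]] -and $v.Length) { $v = [int]$v[0] }
    if ($null -ne $v -and $v -eq 0) { $findings.Add("IE warning disabled: $name = 0") }
}

if ($findings.Count) { $findings } else { 'no FakeAlert-MaCatte artifacts found' }
```

The script removes nothing; any hit is a cue to run the current engine and DAT files for removal as described below, and the zeroed IE warning values should be restored even if the files are already gone.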

Symptoms

* It displays fake warning messages and "Safety Center Alert" popup alerts.

* It flashes icons in the system tray.

* It hijacks the browser homepage to an unknown webpage that again mimics the McAfee site. MaCatte Antivirus 2009 will block currently installed or downloaded anti-virus software. It will hijack your web browser and redirect you to various misleading websites, including the rogue program's homepage www.macatte.com (now a broken link).

* MaCatte Antivirus will be configured to start automatically when you boot up Windows. Once started, it will scan your computer and then display numerous infections, but will not remove them until you first purchase the program.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

Use current engine and DAT files for detection and removal. Removal requires removing the entry in the SYSTEM.INI file and restarting in MS-DOS mode to delete the file manually from the Windows and Windows\System folders.

Variants

N/A