FakeAlert-SpyPro
- Type: Trojan
- SubType: Win32
- Discovery Date: 11/29/2009
- Length:
- Minimum DAT: 5817 (11/29/2009)
- Updated DAT: 5908 (03/02/2010)
- Minimum Engine: 5.2.00
- Description Added: 11/29/2009
- Description Modified: 02/17/2010 7:13 AM (PT)
Characteristics
When executed, the malware binary displays a fake balloon tip on the compromised system. The balloon tip tells the user that the system is severely infected, which it is not.
It creates a copy of itself at: C:\Documents and Settings\%user\Local Settings\Application Data\jlpbbn\wisgsysguard.exe
It also displays a fake alert in the system tray: a balloon tip appears claiming that spyware programs are present on the system and prompts the user to buy Antivirus System Pro.
The following registry keys have been added to the system.
- HKEY_USERS\S-1-5-21-1454471165-926492609-839522115-500\Software\AvScan
- HKEY_USERS\S-1-5-21-1454471165-926492609-839522115-500\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
- HKEY_USERS\S-1-5-21-1454471165-926492609-839522115-500\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
- HKEY_USERS\S-1-5-21-1454471165-926492609-839522115-500\Software\Microsoft\Windows Script
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures"
The following registry values have been added to the system.
- [HKEY_USERS\S-1-5-21-1454471165-926492609-839522115-500\Software\AvScan]
  - "aazalirt" = "0x00000001"
  - "skaaanret" = "0x00000001"
  - "jungertab" = "0x00000001"
  - "zibaglertz" = "0x00000001"
The following registry values have been modified on the system:
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\]
  - "ProxyEnable" = "0x00000001"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\]
  - "ProxyEnable" = "0x00000001"
- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
  - "CheckExeSignatures" = "no"
The following registry values were deleted on the system:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows "AppInit_DLLs"
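As an added triage example (not part of the original description), the following Python script parses a .reg export and a file listing and reports the registry and file artifacts listed above. The AvScan key and its value names, the CheckExeSignatures and ProxyEnable changes and the dropped file name are taken from this description; the SID, user name and file paths in the sample input are constructed, and the script matches keys on their suffix so that it covers any user's HKEY_USERS hive rather than only the SID shown above.

```python
import re

# Indicator names below come from the FakeAlert-SpyPro description above.
AVSCAN_MARKERS = {"aazalirt", "skaaanret", "jungertab", "zibaglertz"}
DROPPED_FILE_SUFFIX = r"\jlpbbn\wisgsysguard.exe"
SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')

def parse_reg_export(text):
    """Parse a .reg export into {key path: {value name: data}}; quotes are stripped from strings."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SECTION_RE.match(line):
            current = m.group(1).rstrip("\\")
            keys.setdefault(current, {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            keys[current][m.group(1)] = m.group(2).strip('"')
    return keys

def find_indicators(reg_text, file_paths):
    """Return findings for the registry and file artifacts described above."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        k = key.lower()
        # The HKEY_USERS SID prefix differs per machine, so keys are matched on their suffix.
        if k.endswith(r"\software\avscan"):
            findings.append(f"AvScan key present: {key}")
            findings += [f"AvScan marker value: {n}" for n in values if n.lower() in AVSCAN_MARKERS]
        if k.endswith(r"\internet explorer\download") and values.get("CheckExeSignatures", "").lower() == "no":
            findings.append("IE CheckExeSignatures disabled")
        if k.endswith(r"\internet settings") and values.get("ProxyEnable") == "dword:00000001":
            findings.append(f"ProxyEnable set under {key}")
    findings += [f"dropped copy found: {p}" for p in file_paths if p.lower().endswith(DROPPED_FILE_SUFFIX)]
    return findings

# Constructed sample input (not a real capture): a partial .reg export and a file listing.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_USERS\S-1-5-21-1111111111-222222222-333333333-1001\Software\AvScan]
"aazalirt"=dword:00000001
"zibaglertz"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
"RunInvalidSignatures"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"""
SAMPLE_FILES = [
    r"C:\Documents and Settings\alice\Local Settings\Application Data\jlpbbn\wisgsysguard.exe",
    r"C:\Documents and Settings\alice\Local Settings\Application Data\Microsoft\notes.txt",
]
```

Running `find_indicators(SAMPLE_REG, SAMPLE_FILES)` on the sample returns six findings: the AvScan key, its two marker values, the disabled signature check, the proxy change and the dropped copy.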
When executed, the malware binary tries to connect to the following sites:
After displaying the initial fake balloon tip, it loads the main program, which begins a fake scan of the user's machine. The main FakeAlert window is set to 'always on top', which prevents the user from minimising it or closing it.
Once the scan has completed, it displays the following message, which warns the user that the machine is infected with malware.
The FakeAlert attempts to trick the user into purchasing the product by swapping the meaning of the Yes and No buttons, as shown in the screenshot below.
When the compromised user tries to open any application, it shows a warning message or balloon tip claiming that the file is infected and cannot be executed, and urges the user to buy Antivirus System Pro, as shown below:
After the FakeAlert has been left running for a period of time, it loads Internet Explorer, opens www.adu[Removed].com and displays a fake warning message in the bottom right-hand corner of the screen.
It may also load Internet Explorer with the following websites:
- www.Viag[Removed].com
- www.Por[Removed].com
- www.Por[Removed].org
System changes:
These are general defaults for typical path variables. (Although they may differ, these examples are common.)
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
Symptoms
- Gives fake alerts claiming that the system is severely infected.
- Registry modifications
- Tricks the user and prompts them to buy the fake antivirus software.
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
This binary is a FakeAlert Trojan. As the name suggests, it gives fake alerts on the compromised system and creates the illusion that the system is severely infected, which it is not. It then shows fake balloon tips which, when clicked, ask the user to buy fake antivirus software.
FakeAlert-SpyPro silently installs Antivirus System Pro and runs a fake virus scan on the system. It falsely claims to have found viruses and requires the user to register the product to clean the system.
File Information:
- MD5 - C3432C84385EDCD48C3007F8E8D7A1C4
- SHA - EA82BE5282C47EF82B4B90F3F62DB2E0C031848A
- File Size - 424,192 bytes
Aliases:
- Microsoft - Trojan:Win32/FakeSpypro
- NOD32 - a variant of Win32/Kryptik.AVN
- Ikarus - Trojan.Win32.FakeSpypro
- Kaspersky - Trojan.Win32.FraudPack.abrl