
FakeAlert-SpyPro

Type
Trojan
SubType
Win32
Discovery Date
11/29/2009
Length
Minimum DAT
5817 (11/29/2009)
Updated DAT
6541 (11/25/2011)
Minimum Engine
5.2.00
Description Added
11/29/2009
Description Modified
08/18/2011 6:57 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Variants

    N/A

All Information

Overview -

---------------Update August 18, 2011-----------------

Aliases

  • Microsoft  -  Rogue:Win32/FakeRean
  • Kaspersky  -  Trojan.Win32.FakeAV.bahg
  • NOD32      -  a variant of Win32/Kryptik.LJH
  • Symantec   -  Trojan.Gen

Characteristics -

Upon execution the Trojan tries to connect to the following site using remote port 80:
       prot[removed]11.com

The following value is added under the current user's Run key:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

            "Spyware Protection" = "%appdata%\defender.exe"

This entry causes the malware to be launched automatically each time the user logs on (the HKCU Run key is processed at logon, so the persistence also survives reboots).

Here %appdata% is the user's Application Data folder, e.g. "C:\Documents and Settings\Administrator\Application Data".
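The Run-key value above is the persistence indicator a responder would check for on a suspect host. The following Python script is an added example, not McAfee's tooling or code from the malware: it parses Run-key command strings, expands %VAR% references, and flags any entry whose executable lives under the user's Application Data folder or that uses the "Spyware Protection" value name from this description. The sample entries and environment are constructed; only the "Spyware Protection" value is taken from the page. On a Windows host it reads the live HKCU Run key via winreg; elsewhere it runs against the constructed sample.

```python
"""Flag HKCU Run-key entries that launch a binary from the user's Application Data
folder, the persistence pattern used by FakeAlert-SpyPro.

Added example, not McAfee's tooling. Sample entries are constructed; only the
"Spyware Protection" = "%appdata%\\defender.exe" value comes from the description.
"""
import os
import platform
import re
from typing import Dict, List, Optional

RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Value name documented for this family. Any further names would be assumptions.
SUSPECT_VALUE_NAMES = {"spyware protection"}

# Constructed test data. APPDATA mirrors the example path in the description.
SAMPLE_ENV = {
    "APPDATA": r"C:\Documents and Settings\Administrator\Application Data",
    "ProgramFiles": r"C:\Program Files",
}
SAMPLE_RUN_ENTRIES = {
    "Spyware Protection": r"%appdata%\defender.exe",              # from the description
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",                # constructed, benign
    "Adobe Reader Speed Launcher":                                  # constructed, benign
        r'"%ProgramFiles%\Adobe\Reader 9.0\Reader\Reader_sl.exe"',
    "Updater":                                                      # constructed, suspicious location
        r'"C:\Documents and Settings\Administrator\Application Data\svc\upd.exe" /silent',
}


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison regardless of the host OS."""
    return path.replace("/", "\\").lower()


def expand_env(path: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references case-insensitively; unknown variables are left as-is."""
    lowered = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lowered.get(m.group(1).lower(), m.group(0)), path)


def command_target(command: str) -> str:
    """Return the executable part of a Run-key command string.

    A leading double-quoted token is taken whole; otherwise the first
    space-delimited token is used (an unquoted path containing spaces is
    ambiguous to Windows as well and is truncated here).
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def find_suspicious_run_entries(entries: Dict[str, str], env: Dict[str, str]) -> List[dict]:
    """Return entries whose target is under %APPDATA% or whose value name is known-bad."""
    appdata_root: Optional[str] = {k.lower(): v for k, v in env.items()}.get("appdata")
    appdata = _norm(appdata_root).rstrip("\\") + "\\" if appdata_root else None
    findings = []
    for name, command in entries.items():
        target = _norm(expand_env(command_target(command), env))
        reasons = []
        if appdata and target.startswith(appdata):
            reasons.append("executable located under %APPDATA%")
        if name.lower() in SUSPECT_VALUE_NAMES:
            reasons.append("value name used by FakeAlert-SpyPro")
        if reasons:
            findings.append({"name": name, "command": command, "target": target, "reasons": reasons})
    return findings


def read_run_key_live() -> Dict[str, str]:
    """Read the current user's Run key on Windows; return {} on other platforms."""
    if platform.system() != "Windows":
        return {}
    import winreg  # Windows-only module
    entries: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY_PATH) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            entries[name] = str(value)
            index += 1
    return entries


if __name__ == "__main__":
    live = read_run_key_live()
    entries, env = (live, dict(os.environ)) if live else (SAMPLE_RUN_ENTRIES, SAMPLE_ENV)
    for hit in find_suspicious_run_entries(entries, env):
        print(f"{hit['name']!r} -> {hit['command']}\n    {'; '.join(hit['reasons'])}")
```

A location-based check like this is deliberately broader than matching the one documented value name: rogue AV families change names and file names between builds, but a user-writable profile directory as the launch point for an autostart entry is a stable signal worth reviewing on any host.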

It then displays a fake antivirus program window (screenshot not reproduced here) that falsely reports the system as infected and at risk.

To "disinfect" the system, it demands that the user purchase the program.

It also terminates other programs the user has opened and blocks the launch of new ones, so the user is prevented from working on the infected machine.

The sample stays dormant when it detects a virtual-machine environment (anti-VM behaviour), which makes analysis in a sandbox more difficult.

                                --------------------------------

This binary is a FakeAlert Trojan. As the name suggests, it presents fake alerts on the compromised system, creating the impression that the machine is severely infected when it is not. It then shows fake balloon tips which, when clicked, prompt the user to buy a fake antivirus product.

FakeAlert-SpyPro will silently install Antivirus System Pro and run a virus scan on the system. It will falsely claim that it found viruses and will require the user to register the product to clean the system.

Aliases :

  • Microsoft  -  Trojan:Win32/FakeSpypro
  • NOD32      -  a variant of Win32/Kryptik.AVN
  • Ikarus     -  Trojan.Win32.FakeSpypro
  • Kaspersky  -  Trojan.Win32.FraudPack.abrl
