FakeAlert-AVPsec

Type: Trojan
SubType: -
Discovery Date: 03/01/2010
Length:
Minimum DAT: 5903 (02/25/2010)
Updated DAT: 5993 (05/25/2010)
Minimum Engine: 5.2.00
Description Added: 03/01/2010
Description Modified: 03/02/2010 3:34 AM (PT)

Risk Assessment
  Corporate User: N/A
  Home User: N/A

Overview

This binary is a FakeAlert Trojan. As the name suggests, it shows fake alerts on the compromised system, creating the illusion that the system is severely infected when it is not. It then displays fake balloon tips which, when clicked, prompt the user to buy fake antivirus software.

FakeAlert-AVPsec will silently install and run a virus scan on the system. It will falsely claim that it found viruses and will require the user to register the product to clean the system.

Aliases

  • FakeAlert-AVPsec!env

Characteristics

When the FakeAlert-AVPsec is executed, it displays the following messages and installs itself:




The following registry key(s) are added:

  • HKEY_CURRENT_USER\Software\3
  • HKEY_CLASSES_ROOT\SAb45b.DocHostUIHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[Several Applications]

The following registry value(s) are added:

  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes [URLs]
    Data: http://findg[Removed].com/?&uid=7&q={searchTerms}
  • HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes [URL]
    Data: http://findg[Removed].com/?&uid=7&q={searchTerms}
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer [IIL]
    Data: 00, 00, 00, 00
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer [ltHI]
    Data: 00, 00, 00, 00
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer [ltTST]
    Data: A5, 81, 00, 00
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer [PRS]
    Data: http://127.0.0.1:27777/?inj=%ORIGINAL%
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download [RunInvalidSignatures]
    Data: 01, 00, 00, 00
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run [Security Antivirus]
    Data: "SAb45b.exe" /s /d
  • HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF} [(Default)]
    Data: Implements DocHostUIHandler
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List [SAb45b.exe]
    Data: SAb45b.exe:*:Enabled:Security Antivirus
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List [SAb45b.exe]
    Data: SAb45b.exe:*:Enabled:Security Antivirus

The following registry key(s) are deleted:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

The following registry key(s) are modified:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download [CheckExeSignatures]
    New data: no
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Epoch [Epoch]
    New data: 2D, 00, 00, 00
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch [Epoch]
    New data: 2D, 00, 00, 00

The following folder(s) are created:


  • c:\Documents and Settings\All Users\Application Data\b45b499
  • c:\Documents and Settings\All Users\Application Data\SABSNJCUYAV
  • c:\Documents and Settings\%user%\Application Data\Security Antivirus

The following file(s) are dropped/downloaded:


  • c:\Documents and Settings\All Users\Application Data\b45b499\16.mof (Size: 334 bytes)
  • c:\Documents and Settings\All Users\Application Data\b45b499\SAb45b.exe (Size: 2,467,840 bytes)
  • c:\Documents and Settings\All Users\Application Data\b45b499\SAV.ico (Size: 4,286 bytes)
  • c:\Documents and Settings\All Users\Application Data\b45b499\BackUp\Adobe Reader Speed Launch.lnk (Size: 1,757 bytes)
  • c:\Documents and Settings\All Users\Application Data\b45b499\SAVSys\vd952342.bd (Size: 12,733 bytes)
  • c:\Documents and Settings\All Users\Application Data\b45b499\SAVSys\VDAI.ntf (Size: 4,253 bytes)
  • c:\Documents and Settings\All Users\Application Data\SABSNJCUYAV\SALYNUAV.cfg (Size: 21,677 bytes)
  • c:\Documents and Settings\%user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Security Antivirus.lnk (Size: 1,795 bytes)
  • c:\Documents and Settings\%user%\Application Data\Security Antivirus\Instructions.ini (Size: 1,177 bytes)
  • c:\Documents and Settings\%user%\Desktop\Security Antivirus.lnk (Size: 1,777 bytes)
  • c:\Documents and Settings\%user%\Local Settings\Temp\1.exe (Size: 188,928 bytes)
  • c:\Documents and Settings\%user%\Start Menu\Security Antivirus.lnk (Size: 1,777 bytes)
  • c:\Documents and Settings\%user%\Start Menu\Programs\Security Antivirus.lnk (Size: 1,783 bytes)

FakeAlert-AVPsec then runs a fake scan of the user's hard disk and falsely reports that the machine is infected with several pieces of malware.





The fake alert window can be minimised and closed, but the Trojan continues to display system tray pop-up messages.



The hosts file is modified so that requests for a number of websites are redirected to the servers 74.125.[removed] and 67.215.240.[removed].

If the user attempts to access the internet, FakeAlert-AVPsec displays a message that falsely warns them that they are under attack.
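Added here as a defender-side example (not McAfee's own code or tooling): a Python checker that flags the registry values and hosts-file redirection described in this section, working from a `reg export` text dump and the hosts file so it can be run offline against artifacts collected from a suspect host. The SAMPLE_* inputs are constructed for illustration and the address in SAMPLE_HOSTS is not real.

```python
"""FakeAlert-AVPsec indicator checks (added example, not McAfee code). Parses `reg export`
text and a hosts file so it runs offline; SAMPLE_* inputs are constructed, addresses not real."""
# (key suffix, value name, data fragment) taken from the registry values listed above.
REG_INDICATORS = [
    (r"Software\Microsoft\Windows\CurrentVersion\Run", "Security Antivirus", "SAb45b.exe"),
    (r"FirewallPolicy\StandardProfile\AuthorizedApplications\List", "SAb45b.exe", ":Enabled:"),
    (r"Software\Microsoft\Internet Explorer\Download", "CheckExeSignatures", "no"),
    (r"Software\Microsoft\Internet Explorer\Download", "RunInvalidSignatures", "hex:01"),
    (r"Software\Microsoft\Internet Explorer", "PRS", "127.0.0.1:27777"),
]
BENIGN_ADDRS = {"127.0.0.1", "::1", "0.0.0.0"}  # loopback/sinkhole targets are normal in hosts

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from `reg export` style text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip().strip('"')
    return keys

def check_registry(text):
    """Return (key, value name, data) triples that match REG_INDICATORS."""
    hits = []
    for path, values in parse_reg_export(text).items():
        for suffix, name, fragment in REG_INDICATORS:
            if path.lower().endswith(suffix.lower()) and fragment.lower() in values.get(name, "").lower():
                hits.append((path, name, values[name]))
    return hits

def check_hosts(text):
    """Return (address, hostname) pairs that point a name at a non-loopback address."""
    hits = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, then whitespace-split
        if len(fields) > 1 and fields[0] not in BENIGN_ADDRS:
            hits.extend((fields[0], host) for host in fields[1:])
    return hits

SAMPLE_REG = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Security Antivirus"="\"SAb45b.exe\" /s /d"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
"RunInvalidSignatures"=hex:01,00,00,00
"""
SAMPLE_HOSTS = "127.0.0.1 localhost\n74.125.0.1 www.google.com  # constructed entry\n"
```

Run `check_registry(SAMPLE_REG)` and `check_hosts(SAMPLE_HOSTS)` to see the three registry hits and the one hosts-file redirection flagged; on a real host, feed it the output of `reg export` for the HKCU and HKLM hives and the contents of `%SystemRoot%\System32\drivers\etc\hosts`.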



The following domains may be accessed by the FakeAlert:


  • Secure-fi[Removed].in
  • Protecteds[Removed].in
  • Save-se[Removed].com
  • Your-securepa[Removed].com
  • Safeanti[Removed].net

Symptoms

  • Displays fake alerts claiming the system is severely infected.
  • Registry modifications.
  • Tricks the user and prompts them to buy the fake antivirus software.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A