FakeAlert-PJ.gen.c

Type: Trojan
SubType: Generic
Discovery Date: 01/05/2011
Length: Varies
Minimum DAT: 6217 (01/05/2011)
Updated DAT: 6308 (04/06/2011)
Minimum Engine: 5.2.00
Description Added: 01/05/2011
Description Modified: 04/04/2011 6:04 PM (PT)
Risk Assessment:
Corporate User: Low
Home User: Low

Characteristics

These are general defaults for typical path variables (although they may differ, these examples are common):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%AppData% = \Documents and Settings\[User]\Application Data
%ProgramFiles% = \Program Files

FakeAlert-PJ.gen.c is a fake antispyware product which, once installed, disrupts the normal operation of the system by displaying fake infection messages and preventing legitimate software and programs from executing.

The following files were created on the system:

  • %AppData%\Microsoft\[RandomMalwareFile].exe

The following registry keys were created:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    • "Shell" = %AppData%\Microsoft\[RandomMalwareFile].exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
    • DisableSR = 1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\afwserv.exe
    • Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastsvc.exe
    • Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastui.exe
    • Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe
    • Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe
    • Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe
    • Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe
    • Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe
    • Debugger = svchost.exe

Connections to the following website were attempted:

  • hxxp://softscoreinc.com/soft-usage/[Removed]

FakeAlert-PJ.gen.c is related to the LizaMoon SQL injection attacks, in which a large number of websites on the internet were compromised. The compromised sites redirected users to domains serving the FakeAV. On successful redirection, the following page, a fake system scan, is shown, after which an executable is downloaded.

After the malware is launched, it displays the following every time a user attempts to run an executable.

Clicking on "Clean computer" yields the following fake installation screen.

A user is not permitted to select "No, Reboot Later".

After reboot, the system was observed to have become extremely slow and unresponsive. The fake software claims that this is the result of multiple processes utilizing CPU time. Though the pop-up says "Microsoft Security Essentials Alert", it is in no way related to Microsoft.

The following splash screen borrows multiple elements from legitimate Microsoft UIs but is fake.

If a scan is initiated, it results in fake detections such as the following.

Symptoms

Presence of the registry keys and files listed above, and a GUI-based fake AV product similar to the snapshots shown.
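A host triage check for the indicators this advisory lists, written here as an added example rather than anything from the advisory itself. It assumes PowerShell 3.0 or later on the suspect host and reads only the registry paths and the %AppData% location named above; the IFEO "Debugger" value is what makes the listed security-product executables fail to start, since Windows launches the named debugger (here svchost.exe) in place of the original image.

```powershell
# Added triage check for the FakeAlert-PJ.gen.c indicators in this advisory.
# Assumption: run on the suspect host under the affected user's profile
# (HKCU Winlogon and %AppData% are per-user).

# Security-product images whose IFEO keys the advisory lists as hijacked.
$hijackedImages = 'afwserv.exe','avastsvc.exe','avastui.exe','egui.exe',
                  'ekrn.exe','msascui.exe','msmpeng.exe','msseces.exe'
$ifeoBase = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

$findings = @()

# 1. IFEO "Debugger" values. Any Debugger set on a security product's image
#    is suspicious; "svchost.exe" is the value this family writes.
foreach ($image in $hijackedImages) {
    $key = Join-Path $ifeoBase $image
    if (Test-Path $key) {
        $dbg = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            $findings += [pscustomobject]@{ Indicator = "IFEO Debugger for $image"; Value = $dbg }
        }
    }
}

# 2. Per-user Winlogon Shell. Normally absent (the shell is inherited from
#    HKLM); a value pointing into %AppData% matches the advisory.
$winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ine 'explorer.exe') {
    $findings += [pscustomobject]@{ Indicator = 'HKCU Winlogon Shell'; Value = $shell }
}

# 3. System Restore disabled at the path the advisory lists.
$sr = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
$disableSR = (Get-ItemProperty -Path $sr -ErrorAction SilentlyContinue).DisableSR
if ($disableSR -eq 1) {
    $findings += [pscustomobject]@{ Indicator = 'SystemRestore DisableSR'; Value = $disableSR }
}

# 4. Executables dropped directly under %AppData%\Microsoft (name is random).
$dropDir = Join-Path $env:APPDATA 'Microsoft'
Get-ChildItem -Path $dropDir -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $findings += [pscustomobject]@{ Indicator = 'EXE in %AppData%\Microsoft'; Value = $_.FullName }
    }

if ($findings.Count -eq 0) { 'No FakeAlert-PJ.gen.c indicators found.' }
else { $findings | Format-Table -AutoSize }
```

A hit on item 1 or 2 alone is enough to warrant running the recommended engine and DAT cleanup described under Removal; item 4 will also list any legitimate per-user installers and should be read alongside the other findings.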

Method of Infection

A website compromised by an SQL injection attack may redirect the user to a URL that is serving the FakeAlert.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Variants

N/A

Overview

FakeAlert-PJ.gen.c, once installed on a system, generates fake messages of infection. It urges the user to purchase a registered copy of the product in order to clean the infections; unsuspecting users may be taken in by such scare tactics. This rogue AV product also causes interruptions by preventing legitimate applications from launching. FakeAlert-PJ.gen.c is related to the recent LizaMoon SQL injection attacks.