FakeAlert-WinWebSec!e​nv.h

This page shows details and results of our analysis on the malware FakeAlert-WinWebSec!env.h

Overview

This is a Trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases   

  • ESET-NOD32        -   Win32/Adware.SystemSecurity.AL
  • Microsoft- Rogue  -   Win32/Winwebsec
  • Kaspersky              -    Trojan.Win32.FakeAV.qvde
  • Avast                       -    Win32:FakeAV-EMU [Trj]


Minimum Engine

5600.1067

File Length

Varies

Description Added

2012-07-03

Description Modified

2013-07-23

Malware Proliferation

Characteristics

-------------------------------Updated on 23 July 2013----------------------------
FakeAlert-WinWebSec!env.h “ is a malicious Trojan that may represent security risk for the compromised system and/or its network environment. The Trojan displays fake alert messages. And the Trojan informs the user that they need to pay money to register the software in order to remove threats.

Upon execution, Trojan connects to the following URL’s
  • http://123.108.[Removed].42/api/urls/?ts=62f060bdeb24ad011c3c59611c4e49d77ce8d721&affid=51800
  • http://123.108.[Removed].42/api/dom/no_respond/?ts=62f060bdeb24ad011c3c59611c4e49d77ce8d721&token=fya14oiYU&affid=51800&ver=3070033&group=sca 
After execution, it creates the following files in below location:
  • %Allusersprofile%\Application Data\004714CB2950924600000047148896C8\004714CB2950924600000047148896C8
  • %Allusersprofile%\Application Data\004714CB2950924600000047148896C8\004714CB2950924600000047148896C8.exe
  • %Allusersprofile%\Application Data\004714CB2950924600000047148896C8\004714CB2950924600000047148896C8.ico
  • %Userprofile%\Desktop\System Care Antivirus.lnk
  • %Userprofile%\Start Menu\Programs\System Care Antivirus\System Care Antivirus.lnk
And creates directories in the below location to the system:
  • %allusersprofile%\Application Data\004714CB2950924600000047148896C8
  • %userprofile%\Start Menu\Programs\System Care Antivirus
After execution the Trojan displays the following Fake Alert messages:
 












Upon execution, the Trojan adds the following registry keys to the system:
  • HKEY_USER\S-1-5-21-436374069-1757981266-839522115-1003\Software\Microsoft\Installer
  • HKEY_USER\S-1-5-21-436374069-1757981266-839522115-1003\Software\Microsoft\Installer\Products
  • HKEY_USER\S-1-5-21-436374069-1757981266-839522115-1003\Software\Microsoft\Installer\Products\004714CB2B50944600000047148898C8
Upon execution, the Trojan adds the following registry values to the system:
  • HKEY_USER\S-1-5-[VARIES]\Software\Microsoft\Windows\CurrentVersion\RunOnce\004714CB2950924600000047148896C8 = "%allusersprofile%\Application Data\004714CB2950924600000047148896C8\004714CB2950924600000047148896C8.exe"
The above mentioned registry ensures that, the Trojan registers run entry with the compromised system and execute itself upon every boot.

---------------------------------------------------------------------------------------------

-------------------------------Updated on 21 May 2013----------------------------

FakeAlert-WinWebSec!env.h “is a malicious Trojan that may represent security risk for the compromised system and/or its network environment. The Trojan displays fake alert messages. And the Trojan informs the user that they need to pay money to register the software in order to remove threats.

Upon execution, Trojan connects to the following URL’s

  • hxxp://175.41.[Removed].181/api/urls/?ts=90ecc8e03db3c9e2a41d619c88ad9b95fd097b8a&affid=78901
  • hxxp://175.41.[Removed].181//api/stats/install/?ts=90ecc8e03db3c9e2a41d619c88ad9b95fd097b8a&token=fya14oiYU&affid=78901&ver=3070033&group=sca

After execution, it creates the following files in below location:

  • %AllUsersProfile%\Application Data\004714CB2950924600000047148896C8\004714CB2950924600000047148896C8.exe
  • %AllUsersProfile%\Application Data\004714CB2950924600000047148896C8\004714CB2950924600000047148896C8.ico
  • %Userprofile%\Desktop\System Care Antivirus.lnk
  • %Userprofile%\Start Menu\Programs\System Care Antivirus\System Care Antivirus.lnk

And creates directories in the below location to the system:

%AllUsersProfile%\Application Data\004714CB2950924600000047148896C8

After execution the Trojan displays the following Fake Alert messages:

Upon execution, the Trojan adds the following registry keys to the system:

  • HKEY_USER\S-1-5-[VARIES]\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_USER\S-1-5-[VARIES]\Software\Microsoft\Installer
  • HKEY_USER\S-1-5-[VARIES]\Software\Microsoft\Installer\Products
  • HKEY_USER\S-1-5-[VARIES]\Software\Microsoft\Installer\Products\004714CB2B50944600000047148898C8

The following are the registry key values have been added to the system:

  • HKEY_USER\S-1-5-[VARIES]\Software\Microsoft\Windows\CurrentVersion\RunOnce\004714CB2950924600000047148896C8: "004714CB2950924600000047148896C8\004714CB2950924600000047148896C8.exe”

The above mentioned registry ensures that, the Trojan executes itself upon system boot.


----------------------------------------------------------------------------------------------
FakeAlert-WinWebSec!env.h “ is a malicious Trojan that may represent security risk for the compromised system and/or its network environment. The Trojan displays fake alert messages. And the Trojan informs the user that they need to pay money to register the software in order to remove threats.

Upon execution, Trojan connects to the following IP Address
  • 193.[Removed].241
  • 175.[Removed].181
After execution, it creates the following files in below location:
  • %allusersprofile%\Application Data\004714CB2950924600000047148896C8\004714CB2950924600000047148896C8
  • %allusersprofile%\Application Data\004714CB2950924600000047148896C8\004714CB2950924600000047148896C8.exe
  • %allusersprofile%\Application Data\004714CB2950924600000047148896C8\004714CB2950924600000047148896C8.ico
  • %userprofile%\Desktop\System Care Antivirus.lnk
  • %userprofile%\Start Menu\Programs\System Care Antivirus\System Care Antivirus.lnk

And creates directories in the below location to the system:
  • %allusersprofile%\Application Data\004714CB2950924600000047148896C8
  • %userprofile%\Start Menu\Programs\System Care Antivirus
After execution the Trojan displays the following Fake Alert messages:















Upon execution, the Trojan adds the following registry keys to the system:
  • HKEY_USER\S-1-5-[VARIES]\Software\Microsoft\Windows\CurrentVersion\RunOnce
Upon execution, the Trojan adds the following registry values to the system:
  • HKEY_USER\S-1-5-[VARIES]\Software\Microsoft\Windows\CurrentVersion\RunOnce\004714CB2950924600000047148896C8 = "%allusersprofile%\Application Data\004714CB2950924600000047148896C8\004714CB2950924600000047148896C8.exe"

Symptoms

  • Presence of above mentioned files and registry keys
  • Presence unexpected network connection to the above mentioned IP Address.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Variants