FakeAlert-F

Upon exection the FakeAlert-F creates the following registry keys:

• HKEY_CURRENT_USER\Software\AvScan

The following registry values have been added to the system.

• [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures?]
• Data: 01, 00, 00, 00
• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride"]
• Data: local
• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer"]
• Data: http=127.0.0.1:5555
• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes"]
• Data: .exe
• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation"]
• Data: 01, 00, 00, 00
• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "ymrkrjmo"]
• Data: C:\Documents and Settings\%User%\Local Settings\Application Data\rkfvfv\tpidsftav.exe
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "ymrkrjmo"]
• Data: C:\Documents and Settings\%User%\Local Settings\Application Data\rkfvfv\tpidsftav.exe

The following registry values modified into the system:

• [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures"]
• Old data: yes
• New data: no
• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable"]
• Old data: 00, 00, 00, 00
• New data: 01, 00, 00, 00

The following registry keys are deleted in system:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows "AppInit_DLLs"

The following file(s) are dropped/created by the FakeAlert:

• c:\Documents and Settings\%User%\Local Settings\Application Data\rkfvfv\tpidsftav.exe

After running for approximately 2 mins, FakeAlert-F begins to show a taskbar pop-up message as shown below.

After displaying this message, it then loads the main program which begins to scan the users infected machine. The main FakeAlert program is set to ?always on top? which prevents the user from minimising it or removing it completely.

Once the scan has been completed, it displays the following message which warns the user that his/her machine is infected with Malware.

The FakeAlert attempts to trick the user into purchasing the product by changing the meaning of the yes button and the no button as shown in the screen shot below.

The user is prevented from running any executables and the following message is displayed upon attempted execution:

After the FakeAlert has been left running for a period of time, it loads Internet Explorer and opens www.adu[Removed].com and displays a fake warning message in the button right hand side of the screen.

The following domain(s) may be accessed by FakeAlert-F:

• www.Via[Removed].com
• www.Por[Removed].com
• www.Por[Removed].org
• www.adu[Removed].com

These are general defaults for typical path variables. (Although they may differ, these examples are common.)

%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)

%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)

• Gives fake alert as if the system is severely infected.
• Registry modification

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).