FakeAlert-AG

This page shows the details and results of our analysis of the malware FakeAlert-AG.

Overview

This is a detection for a trojan that displays misleading fake alerts to entice the user into buying a product to "repair" malware problems. This trojan may masquerade its malicious behavior, and victims are likely to have installed it thinking it is an innocent screensaver program.


Minimum DAT

5239 (2008-02-27)

Updated DAT

6749 (2012-06-21)

Minimum Engine

5400.1158

File Length

Varies

Description Added

2008-02-27

Description Modified

2008-08-25

Malware Proliferation

Characteristics

-- Update August 25th, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.itnews.com.au/News/83126,spammers-celebrate-madonnas-50th-bday-with-special-message.aspx

-- Update August 25th, 2008 --

A new variant of the FakeAlert-AG Trojan has been observed in the wild which arrives as an email link to view an XXX video of Madonna. The spammed email appears to originate from Microsoft MSN Feature Offers. Users who click the link in the email will not see a Madonna video and will instead download a variant of the FakeAlert-AG Trojan.

A copy of the spammed email is shown below:

-- Update July 07th, 2008 --

Recent variants of this trojan drop Joke-Bluescreen.c.

It accesses the following site to download the "product" installer:

  • antivirusxp2008.com

This is a detection for a trojan that displays misleading fake alerts to entice the user into buying a product to "repair spyware or malware problems". This trojan may masquerade its malicious behavior, and victims are likely to have installed it thinking it is an innocent screensaver program.

When run, it creates the following registry key(s) to hook system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmona: "%Windir%\system32\ctfmona.exe"  (FakeAlert-AG)
  • HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE: "%Windir%\system32\blackster.scr" (Bugs! Screen Saver - a clean shareware file)

It then modifies the desktop wallpaper settings so that the background displays a fake alert:

  • HKEY_CURRENT_USER\Control Panel\Desktop\OriginalWallpaper: "%Windir%\system32\ctfmonb.bmp"
  • HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper: "%Windir%\system32\ctfmonb.bmp"

The background bitmap resembles the following:

It may also display the following fake alert messages:

Adware.WIN32.MalwareAlarm attack! Adware.WIN32.MalwareAlarm gathers your private data, such as BANKING INFORMATION, passwords and send it to attackers. Also this fraudware can upload malicious software to your PC without your notice and make a SPAM. Very high secrity risk! This process should be removed from your system immediately!

Type: Trojan Horse
System Affected: Windows 98, 2000, NT4, ME, XP, Vista
Security Risk (0-5):
Recommendations: Click 'Yes' to get all available antispyware software.

Attention! Adware.W32.SpyShredder spyware detected. Adware.W32.SpyShredder provides REMOTE ACCESS to your PC and can STEAL your CREDIT CARD, passwords and other private data. Also it prompts fraud advertising popup windows. This process is a security HIGH-risk and recommended to be killed

Type: Trojan Horse
System Affected: Windows 98, 2000, NT4, ME, XP, Vista
Security Risk (0-5):
Recommendations: Click 'Yes' to get all available antispyware software.

It may also use the victim machine to click on advertising and pornography website(s), likely for a "pay-per-click" scheme:

  • tibsystems.com
  • statsbank.com
  • boards.cexx.org
  • adultwebmasterinfo.com
  • dialerschutz.de
  • webmasterworld.com
  • gofuckyourself.com

It may contact the following site(s) to download update(s) or to entice the victim to buy its "anti-spyware products":

  • www.w{blocked}fixer.com
  • advanc{blocked}defender.com

Both websites are selling an identical "product" that claims to be "anti-spyware" or "anti-virus":


Symptoms

Presence of the following file(s):

  • %Windir%\system32\blackster.scr (Bugs! Shareware Screensaver - clean file)
  • %Windir%\system32\ctfmona.exe (FakeAlert-AG)
  • %Windir%\system32\ctfmonb.bmp (Bitmap image, please delete this file)

Presence of the mentioned registry key(s).

Unexpected network connections made to the mentioned website(s).
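The following read-only host check is an added example, not part of the McAfee advisory: it looks for the registry values and files listed above and reports what it finds without removing anything. It assumes an elevated PowerShell session on the host being examined; the HKCU entries are only checked for the user running the script.

```powershell
# Added example (not the advisory's own code): report FakeAlert-AG indicators on this host.
# Assumption: run elevated; HKCU checks cover only the current user's hive.
$indicators = @(
    @{ Kind = 'RegistryValue'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';
       Name = 'ctfmona';           Expect = 'ctfmona.exe' },
    @{ Kind = 'RegistryValue'; Path = 'HKCU:\Control Panel\Desktop';
       Name = 'SCRNSAVE.EXE';      Expect = 'blackster.scr' },
    @{ Kind = 'RegistryValue'; Path = 'HKCU:\Control Panel\Desktop';
       Name = 'Wallpaper';         Expect = 'ctfmonb.bmp' },
    @{ Kind = 'RegistryValue'; Path = 'HKCU:\Control Panel\Desktop';
       Name = 'OriginalWallpaper'; Expect = 'ctfmonb.bmp' },
    @{ Kind = 'File'; Path = (Join-Path $env:windir 'system32\ctfmona.exe') },
    @{ Kind = 'File'; Path = (Join-Path $env:windir 'system32\ctfmonb.bmp') },
    # blackster.scr is a clean shareware screensaver; on its own it is not evidence of infection.
    @{ Kind = 'File'; Path = (Join-Path $env:windir 'system32\blackster.scr') }
)

function Test-FakeAlertAG {
    param([array]$Indicators = $indicators)
    $findings = @()
    foreach ($i in $Indicators) {
        switch ($i.Kind) {
            'RegistryValue' {
                # Get-ItemProperty yields nothing (no terminating error) when the value is absent.
                $v = Get-ItemProperty -Path $i.Path -Name $i.Name -ErrorAction SilentlyContinue
                if ($v -and ($v.($i.Name) -like "*$($i.Expect)*")) {
                    $findings += [pscustomobject]@{
                        Indicator = "$($i.Path)\$($i.Name)"; Value = $v.($i.Name) }
                }
            }
            'File' {
                if (Test-Path -LiteralPath $i.Path -PathType Leaf) {
                    # Record a hash so the sample can be matched against current DAT detections.
                    $h = (Get-FileHash -LiteralPath $i.Path -Algorithm SHA256).Hash
                    $findings += [pscustomobject]@{ Indicator = $i.Path; Value = "SHA256 $h" }
                }
            }
        }
    }
    return $findings
}

$result = Test-FakeAlertAG
if ($result) { $result | Format-Table -AutoSize } else { 'No FakeAlert-AG indicators found.' }
```

A hit on the Run value or on ctfmona.exe is the meaningful finding; remediation should still be done with the recommended engine and DAT rather than by deleting files by hand.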


Method of Infection

This trojan may masquerade its malicious behavior, and victims are likely to have installed it thinking it is an innocent screensaver program.


Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants