Overview -
-- Update July 23, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/07/21/andrews_video_malware_ruse/
--
This is a detection for a Trojan Downloader for other FakeAlert variants.
Minimum DAT: 5623 (2009-05-22)
Updated DAT: 5718 (2009-08-23)
Minimum Engine: 5.2.00
File Length: N/A
Description Added: 2009-05-22
Description Modified: 2009-07-22
This Trojan is being served by the following URL:
Once the user connects to the above site, it asks the user to download a video player in order to play the video, and then connects to hxxp://newfileexe.com/streamvie{blocked}.exe to download this Trojan.
Once executed, it connects to the following sites to download files:
The downloaded files are actually GIF image files; however, embedded in these GIF files are encrypted malware executables, detected as FakeAlert-EL.
Once this Trojan downloads these images, it extracts the malicious files into the Temp folder and executes them.
It saves the extracted files as:
Note: %temp% is the Windows Temp folder.
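As an added defender-side example (not code from the advisory or from McAfee), the Python below walks a GIF's block structure to its 0x3B trailer and reports any bytes appended after it, the simplest place for a carrier image to hide a dropped executable. The sample GIF and the appended payload are constructed here; because the advisory says the embedded executables are encrypted, the check flags any overlay at all rather than relying on a visible MZ header.

```python
GIF_TRAILER = 0x3B

def _skip_subblocks(data, pos):
    """Advance past length-prefixed sub-blocks; a 0 length byte ends the chain."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n

def gif_payload_end(data):
    """Walk the GIF block structure; return the offset just past the 0x3B trailer."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed = data[10]                      # logical screen descriptor flags
    pos = 13
    if packed & 0x80:                      # global colour table present
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    while True:
        if pos >= len(data):
            raise ValueError("truncated GIF: no trailer")
        tag = data[pos]
        pos += 1
        if tag == GIF_TRAILER:
            return pos
        if tag == 0x2C:                    # image descriptor: 9 bytes + optional LCT
            lpacked = data[pos + 8]
            pos += 9
            if lpacked & 0x80:
                pos += 3 * (2 ** ((lpacked & 0x07) + 1))
            pos = _skip_subblocks(data, pos + 1)   # +1 skips LZW min code size
        elif tag == 0x21:                  # extension: label byte, then sub-blocks
            pos = _skip_subblocks(data, pos + 1)
        else:
            raise ValueError("unknown block tag 0x%02x" % tag)

def inspect_gif(data):
    """Bytes after the trailer are suspect; an encrypted payload will not show MZ."""
    overlay = data[gif_payload_end(data):]
    return {"overlay_bytes": len(overlay), "has_mz": overlay[:2] == b"MZ"}

# Constructed sample: a valid 1x1 GIF, then the same GIF with a fake payload appended.
CLEAN_GIF = (b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"
             + b"\x2c" + b"\x00\x00\x00\x00\x01\x00\x01\x00\x00" + b"\x02"
             + b"\x02\x44\x01\x00" + b"\x3b")
TROJANIZED_GIF = CLEAN_GIF + b"MZ" + b"\x90" * 30   # constructed stand-in, not real malware
```

Run inspect_gif() over images fetched by a suspect process; a non-zero overlay_bytes on a file that otherwise renders normally is the indicator to escalate.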
Presence of the mentioned files
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).