Overview
This Binary is Trojan Fake alert. As the name, this Trojan gives fake alerts to the compromised user system. And creates a mirage as if the user system is severely affected which is actually not. Then it will give fake balloon tips when clicked it will ask the compromised user to buy fake antivirus software.
FakeAlert-WinWebSecurity.b will silently install and run a virus scan on the system. It will falsely claim that it found viruses and will require the user to register the product to clean the system.
|
Minimum DAT
5635 (2009-06-03) Updated DAT6010 (2010-06-11) |
Minimum Engine
5.2.00 File LengthN/A |
Description Added
2009-06-03 Description Modified2010-03-09 |
Malware Proliferation
Characteristics
Upon exection the FakeAlert-WinWebSecurity.b creates the following registry keys:
- HKEY_USERS\S-1-5-21-602162358-1897051121-839522115-1003_Classes\.exe
- HKEY_USERS\S-1-5-21-602162358-1897051121-839522115-1003_Classes\secfile
- HKEY_CURRENT_USER\Software\Classes\.exe
- HKEY_CURRENT_USER\Software\Classes\secfile
- HKEY_CLASSES_ROOT\.exe
- HKEY_CLASSES_ROOT\secfile
The following registry values have been added to the system.
- [HKEY_CURRENT_USER\Software\Microsoft\Windows "Identity"]
- Data: 8A, 53, 5C, F6
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile "DisableNotifications"]
- Data: 01, 00, 00, 00
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile "DoNotAllowExceptions"]
- Data: 00, 00, 00, 00
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile "EnableFirewall"]
- Data: 00, 00, 00, 00
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile "DisableNotifications"]
- Data: 01, 00, 00, 00
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile "DoNotAllowExceptions"]
- Data: 00, 00, 00, 00
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile "DisableNotifications"]
- Data: 01, 00, 00, 00
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile "DoNotAllowExceptions"]
- Data: 00, 00, 00, 00
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile "EnableFirewall"]
- Data: 00, 00, 00, 00
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile "DisableNotifications"]
- Data: 01, 00, 00, 00
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile "DoNotAllowExceptions"]
- Data: 00, 00, 00, 00
The following registry values modified into the system:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)"]
- New data: "C:\Documents and Settings\%User%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Intern
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride"]
- New data: 01, 00, 00, 00
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride"]
- New data: 01, 00, 00, 00
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess "Start"]
- New data: 04, 00, 00, 00
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Epoch "Epoch"]
- New data: 2D, 00, 00, 00
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess "Start"]
- New data: 04, 00, 00, 00
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch "Epoch"]
- New data: 2D, 00, 00, 00
The following file(s) are dropped/created by the FakeAlert:
- c:\Documents and Settings\%User%\Local Settings\Application Data\av.exe (Size: 176,128 bytes)
- c:\Documents and Settings\%User%\Local Settings\Application Data\B66D8 (Size: 7,296 bytes)
The FakeAlert loads a Security Center as show below, which informs the user that they do not have a Firewall or Anti-Virus. This is a fake Security Center which attempts to trick the user into purchasing the Fake Scanning software.
Once this Security Center has been loaded, the FakeAlert then begins a fake scan of the users hard disk drive and informs the user that their machine is infected with several malware files.
Once the fake scan is complete the following screen is displayed and falsely informs the user that their machine is infected and attempts to trick them into purchasing the software. The FakeAlert switches the position of the ?NO? button in a attempt to trick the user into clicking on ?YES? to purchase the Fake Alert software.
Once the user closes the Fake Alert, it continually shows a taskbar pop-up message which falsely informs the user that their machine is under attack and needs to be protected.
The following domain(s) may be accessed by the Malware:
- antivirus-[removed].com
- livewindowsant[removed].com
- proantivir[removed].com
- pro-antivir[removed].com
- antivirus[removed].com
- microa-ntvir[removed].com
- antivirus-[removed].com
- windows-[removed].com
- spyware-destroy[removed].com
System changes:
These are general defaults for typical path variables. (Although they may differ, these examples are common.)
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
Symptoms
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants