McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
Business Home McAfee Labs Threat Intelligence

FakeAlert-FQ

This page shows details and results of our analysis on the malware FakeAlert-FQ

Threat Detail

Malware Type: Trojan

Malware Sub-type: Win32

Discovery Date: 2009-07-17

Next Steps:

Overview

Similar to other malwares of this family, FakeAlert-FQ shows a fake warning message, alarming the user that their machine is infected or at risk. The intention behind all the fake messages is drive users to buy the advertised antispyware product.

File Information

  • MD5 - 02168DD363E40B2283E19207E2CCDFAE
  • SHA - 12dab14d3205c3ebb8c2ac325a1bfad04fe02681
  • File Size - 712704 bytes

Aliases
  • Kaspersky - Trojan.Win32.FraudPack.ajsj
  • Ikarus - Trojan.Win32.FakeAV
  • Comodo - TrojWare.Win32.Trojan.Agent.Gen


Minimum DAT

5679 (2009-07-17)

Updated DAT

6127 (2010-10-05)

 Minimum Engine

5.2.00

File Length

Varies

 Description Added

2009-07-17

Description Modified

2010-01-11

Malware Proliferation

Characteristics

When executed, the Trojan prompts the user to download a Fake Anti Malware

Once the user clicks on download button, the Trojan downloads fake Anti Malware which warns user, that the system is infected and tricks the compromised user to purchase the fake anti-malware online.

Upon execution, the Trojan copies itself into the following location

    • %Temp%\settdebugx.exe

And downloads the following files
    • %Temp%\wscsvc32.exe [ Detected as FakeAlert-FQ]
    • %Temp%\dhdhtrdhdrtr5y
    • %ProgramFiles%\Malware Defense\mdext.dll [ Detected as FakeAlert-FQ]
    • %ProgramFiles%\Malware Defense\uninstall.exe [ Detected as FakeAlert-FQ]
    • %ProgramFiles%\Malware Defense\mdefense.exe [Detected as FakeAlert-FQ]

The following registry keys have been added to the system.
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense]
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Malware Defense]
    • [HKEY_USERS\S-1-5-21-1454471165-926492609-839522115-500\Software\Microsoft\Windows\CurrentVersion\Controls Folder]
    • [HKEY_USERS\S-1-5-21-1454471165-926492609-839522115-500\Software\Microsoft\GDIPlus]

The following registry values have been added.
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\]
      "InprocServer32\:" = "C:\PROGRA~1\MALWAR~1\mdext.dll"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\InprocServer32\]
      "ThreadingModel:" = "Apartment"

The Trojan registers the run entry to execute itself every time when the windows boots.
    • [HKEY_USERS\S-1-5-21-1004336348-1326574676-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\]
      "settdebugx.exe: " = "C:\DOCUME~1\Naveen\LOCALS~1\Temp\settdebugx.exe"
    • [HKEY_USERS\S-1-5-21-1004336348-1326574676-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\]
      "Malware Defense:" = "C:\Program Files\Malware Defense\mdefense.exe"

The following registry values have been modified.
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\]
      "Start:" = "0x00000004"
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\]
      "Start:" = "0x00000004"

The above mentioned registry entries confirm that, the Trojan disables Windows Security Center Service, instead a fake Windows Security Center will be displayed which will direct the user to purchase a fake anti-malware product.

When executed, the Trojan connects to the following Sites through a HTTP Port 80.
    • www.edite[removed].cn
    • www.copysc[removed].cn
    • www.summarysc[removed].cn
    • www.onlinesecu[removed].cn

Also, it creates the following Mutex objects
    • 01d459e5-e8c8-4483-acf0-92272daf7309
    • 6da54105-146e-4eea-9b09-b1ca3a54b726

[Where %Temp% is the Temporary Directory - for example C:\Documents and Settings\Administrator\Local Settings\Temp, and %ProgramFiles% is C:\Program Files]

Symptoms

    • Presence of above mentioned files and registry keys
    • Presence of unexpected network connection to the above mentioned Sites.
    • Presence of above mentioned Mutex.

 

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

 

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1.Disable System Restore .

2.Update to current engine and DAT files for detection and removal.

3.Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.


On Windows Vista and 7:

Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer"
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue 'bootrec /fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.

Variants

United States - English