FakeAlert-PC-Care

This page shows details and results of our analysis on the malware FakeAlert-PC-Care

Overview

This description is for malware that shows false error messages, misleading spyware scan results, and uses aggressive advertising to persuade the user to purchase it.


Minimum DAT

5864 (2010-01-17)

Updated DAT

5863 (2010-01-16)

Minimum Engine

5.3.00

File Length

Varies

Description Added

2010-01-15

Description Modified

2010-01-15

Malware Proliferation

Characteristics


-- Update January 15, 2010 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:  http://isc.sans.org/diary.html?storyid=7987

--

When executed, this malware displays the following image:


The malware then runs an exaggerated scan and generates false detection alerts and warnings. The intention behind all the fake messages is to drive users to purchase the advertised product.

The malware creates the following folders & files:

  • %CommonAppData%\e4a12b7
  • %CommonAppData%\LPTSACG
  • %AppData%\Live PC Care
  • %CommonAppData%\e4a12b7\LivePCGuard.exe
  • %CommonAppData%\LPTSACG\LPRXVODSCG.cfg

Apart from this, the malware modifies the Windows hosts file located in the C:\Windows\System32\drivers\etc folder, adding the following hostname-to-IP mappings (all to a single address):

  • 74.125.45.100 4-open-davinci.com
  • 74.125.45.100 securitysoftwarepayments.com
  • 74.125.45.100 privatesecuredpayments.com
  • 74.125.45.100 secure.privatesecuredpayments.com
  • 74.125.45.100 getantivirusplusnow.com
  • 74.125.45.100 secure-plus-payments.com
  • 74.125.45.100 www.getantivirusplusnow.com
  • 74.125.45.100 www.secure-plus-payments.com
  • 74.125.45.100 www.getavplusnow.com
  • 74.125.45.100 safebrowsing-cache.google.com
  • 74.125.45.100 urs.microsoft.com
  • 74.125.45.100 www.securesoftwarebill.com
  • 74.125.45.100 secure.paysecuresystem.com
  • 74.125.45.100 paysoftbillsolution.com
  • 74.125.45.100 protected.maxisoftwaremart.com

Note:

  • %CommonAppData% is a variable that refers to the file system directory containing application data for all users. A typical path is C:\Documents and Settings\All Users\Application Data.
  • Two of the pinned hostnames are not payment sites: safebrowsing-cache.google.com (Google Safe Browsing) and urs.microsoft.com (the URL-reputation service used by Internet Explorer SmartScreen). Redirecting them to an attacker-chosen address interferes with the browser's URL-reputation lookups for the remaining domains.
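The hosts-file tampering above can be checked for mechanically during triage. The following is an added example, not code from the original description: it parses a hosts file and flags the two patterns this family produces, URL-reputation hosts being redirected and many unrelated domains pinned to one non-loopback address. The sample hosts content is constructed for the example, and the fan-out threshold is an assumed tuning value.

```python
"""Hosts-file audit for rogue-AV style tampering (added example)."""
import ipaddress
from collections import defaultdict

# Hosts a legitimate hosts file has no reason to pin. urs.microsoft.com is
# the SmartScreen URL-reputation service, safebrowsing-cache.google.com is
# Google Safe Browsing; both appear in the mappings listed above.
REPUTATION_HOSTS = {
    "safebrowsing-cache.google.com",
    "urs.microsoft.com",
}

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed sample, modelled on the mappings listed above (not a capture).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
74.125.45.100 www.getantivirusplusnow.com
74.125.45.100 getantivirusplusnow.com
74.125.45.100 secure.paysecuresystem.com
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for each mapping, ignoring comments."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not a mapping
        for name in parts[1:]:
            yield str(ip), name.lower(), n


def audit_hosts(text, fanout_threshold=5):
    """Return a list of finding strings for the given hosts-file text.

    fanout_threshold (assumed value) is the number of distinct domains that
    must share one non-loopback address before it is reported.
    """
    findings = []
    by_ip = defaultdict(set)
    for ip, name, n in parse_hosts(text):
        if name in REPUTATION_HOSTS:
            findings.append(
                f"line {n}: {name} redirected to {ip} (URL-reputation service)")
        if ip not in LOOPBACK:
            by_ip[ip].add(name)
    for ip, names in by_ip.items():
        # Collapse www.example.com and example.com into one domain so a site
        # listed twice does not inflate the count.
        domains = {".".join(h.split(".")[-2:]) for h in names}
        if len(domains) >= fanout_threshold:
            findings.append(
                f"{ip}: {len(domains)} unrelated domains pinned to one address")
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On a live system, pass the contents of C:\Windows\System32\drivers\etc\hosts instead of the constructed sample; the fan-out check is a heuristic and will also fire on hosts files that legitimately pin many corporate names to one internal address, so review hits rather than acting on them automatically.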

The malware modifies the following registry entries to disable access to commonly used security and system tools:

  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Anti-Virus Professional.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntispywarXP2009.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPro_2010.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusxppro2009.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiVirus_Pro.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\av360.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brastk.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cl.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csc.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dop.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\frmwrk32.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gav.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbn976rl.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\homeav2010.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\init32.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MalwareRemoval.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ozn695m5.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pav.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pc.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsAuxs.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsGui.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsSvc.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsTray.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PC_Antispyware2010.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pdfndr.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PerAvir.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qh.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Quick Heal.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QuickHealCleaner.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SafetyKeeper.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Save.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveArmor.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveDefense.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveKeep.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secure Veteran.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secureveteran.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Security Center.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SecurityFighter.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\securitysoldier.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smart.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartprotector.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smrtdefp.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SoftSafeness.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spywarexpguard.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tapinstall.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustWarrior.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tsc.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\W3asbas.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winav.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windll32.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windows Police Pro.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpdeluxe.exe
  • Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xp_antispyware.exe

Under each of the above keys the following value is set:

  • Debugger = "svchost.exe"

Windows honours an Image File Execution Options Debugger value by launching the named program in place of the target executable, with the target's own command line appended. svchost.exe started this way exits without doing anything, so whenever one of the listed security applications is invoked, nothing runs.
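The IFEO hijack above is easy to audit from an exported hive during incident response. The following is an added example, not code from the original description: it parses text in the format written by `reg export`, and reports every Image File Execution Options subkey that carries a Debugger value, marking as suspicious any debugger not on a small allowlist. The sample export is constructed for the example, and the allowlist of legitimate debuggers is an assumption to adjust per host.

```python
"""IFEO Debugger audit over a .reg export (added example)."""
import re

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options")

# Assumed allowlist of debuggers that legitimately appear in IFEO; a hit on
# anything else (svchost.exe in this family) is reported as suspicious.
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "ntsd.exe"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

# Constructed sample export, modelled on the keys listed above (not a capture).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsSvc.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="\"C:\\Windows\\System32\\vsjitdebugger.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions]
"notepad.exe"=dword:00000001
'''


def _unquote(data):
    """Return a REG_SZ string from .reg syntax; other types are returned raw."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return data


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for a .reg export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = _unquote(m.group("data"))
    return keys


def audit_ifeo(text):
    """Return [(target_exe, debugger, suspicious)] for every Debugger value."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(IFEO_PREFIX.lower()):
            continue
        target = key[len(IFEO_PREFIX):].strip("\\")
        if not target or "Debugger" not in values:
            continue  # root key, or a subkey with no Debugger value
        dbg = values["Debugger"]
        # Reduce "C:\path\tool.exe args" to tool.exe for the allowlist check.
        exe = dbg.strip('"').split()[0].rsplit("\\", 1)[-1].lower() if dbg else ""
        hits.append((target, dbg, exe not in KNOWN_DEBUGGERS))
    return hits


if __name__ == "__main__":
    for target, dbg, suspicious in audit_ifeo(SAMPLE_EXPORT):
        print(f"{'SUSPICIOUS' if suspicious else 'known':10s} {target} -> {dbg}")
```

To collect the input on the affected host, run `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and feed the file to audit_ifeo; each suspicious hit is remediated by deleting the Debugger value from that subkey (for example `reg delete "<subkey>" /v Debugger /f`), after which the blocked application launches normally again.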

The malware also creates the following registry entry so that it is launched again at the next logon (RunOnce values are deleted when they execute, so persistence across further restarts depends on the sample re-creating the value each time it runs):

  • Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\RunOnce
    LPCG = "%Temp%\[filename of the sample #1 /cs:1 "

The malware then attempts to connect to the following sites, most likely to send or retrieve data from the malicious server over HTTP GET or POST requests:

  • http://newsystem-guard.in/[Removed]
  • http://securityearth.cn/[Removed]
  • http://pay1.livepcguard.com/[Removed]
  • http://pay2.livepcguard.com/[Removed]

Symptoms

Presence of the files, hosts-file entries and registry entries listed above.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial.

Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.


Variants