
FakeAlert-SysDef.b

Threat Detail

  • Malware Type: Trojan
  • Malware Sub-type: Win32
  • Protection Added: 2011-06-06

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

 


Minimum Engine

5400.1158

File Length

varies

Description Added

2011-06-06

Description Modified

2011-06-06

Malware Proliferation: (severity legend image not reproduced)

--- Updated on Feb 29, 2012 ---

Aliases

    • Kaspersky - Trojan.Win32.FakeAV.kxge
    • NOD32 - Win32/TrojanDownloader.Prodatect.BK
    • Ikarus - Trojan.Win32.FakeSysdef
    • Microsoft - Trojan:Win32/FakeSysdef

FakeAlert-SysDef.b is a trojan that displays false error messages and misleading spyware-scan results, and uses aggressive advertising to persuade the user to purchase the rogue product. (Screenshots of the fake alerts are not reproduced here.)

It then runs an exaggerated scan and generates false detection alerts and warnings. The purpose of all of these fake messages is to drive the user to purchase the advertised product.

On execution the trojan connects to search[removed].org on remote TCP port 80 and drops the following files:

    • %Appdata%\9iozaERets4QxW
    • %Appdata%\9iozaERets4QxW.exe
    • %Appdata%\hhBUqpMjwRyef.exe

The following Keys have been added to the system.

    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

The following values have been added to the system.

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\
      LowRiskFileTypess = ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
      SaveZoneInformation = 0x00000001
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
      NoDesktop = 0x00000001
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
      DisableTaskMgr = 0x00000001
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
      hhBUqpMjwRyef.exe = "%Appdata%\hhBUqpMjwRyef.exe"

The following value has been modified

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
      "DisableTaskMgr" = 0x00000001

[ Note: %Appdata% - c:\Documents and Settings\[user]\Application Data ]


--- Updated on Oct 27, 2011 ---

Aliases

  • NOD32 - a variant of Win32/Kryptik.UIY trojan
  • Ikarus - Trojan.Win32.FakeSysdef
  • Quick Heal - Trojan.Fraud.fso
  • Microsoft - Trojan:Win32/FakeSysdef

On execution the trojan connects to [removed]i-722866.com on remote TCP port 80.

The following files have been added to the system.

  • %AppData%\mtxaICndWfJLjLo.exe

The following Keys have been added to the system.

  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\System

The following Values have been added to the system.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr = 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    mtxaICndWfJLjLo.exe = "%AppData%\mtxaICndWfJLjLo.exe"

The Run entry above registers the trojan with the compromised system so that it executes at every logon.

  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypess = ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;"
  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation = 0x00000001
  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = 0x00000001

The DisableTaskMgr policy above disables Task Manager for the compromised user, so the victim cannot easily end the process. SaveZoneInformation = 1 stops Windows from recording the Zone.Identifier (mark-of-the-web) on downloaded files, and the LowRiskFileTypes list tells Attachment Manager to treat executables and scripts (.exe, .bat, .cmd, .scr, .msi, ...) as low-risk, so no "Open File - Security Warning" prompt appears for the files the trojan downloads.
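The policy and Run values listed in this update and in the Feb 29, 2012 update above can be checked offline from a "reg export" dump. The script below is an added example, not McAfee's code: it parses the text format that "reg export" writes, flags the values this page attributes to the family, and builds a .reg file that reverts them (dword policies back to 0, the Run and LowRiskFileTypes values deleted with "=-"). SAMPLE_REG is constructed from the values on this page plus one benign Run entry; treating Run entries that point into profile directories as suspect is this example's own heuristic, not a rule from the page.

```python
"""Triage a `reg export` dump for the values FakeAlert-SysDef.b writes and
build a .reg file that reverts them.

Added example, not McAfee's code. parse_reg() reads the text format that
`reg export <key> <file.reg>` produces; SAMPLE_REG is constructed from the
values listed on this page plus one benign Run entry.
"""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypess"=".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDesktop"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hhBUqpMjwRyef.exe"="%Appdata%\\hhBUqpMjwRyef.exe"
"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe"
'''

_KEY = re.compile(r"^\[(.+)\]$")
_DWORD = re.compile(r'^"(.+?)"=dword:([0-9a-fA-F]{8})$')
_STRING = re.compile(r'^"(.+?)"="(.*)"$')

# Policies this family sets to 1, with the effect on the victim (from the updates on this page).
POLICY_FLAGS = {
    "disabletaskmgr": "Task Manager disabled",
    "nodesktop": "desktop hidden",
    "nochangingwallpaper": "wallpaper change blocked",
    "nosetactivedesktop": "Active Desktop locked",
    "savezoneinformation": "Zone.Identifier (mark-of-the-web) no longer saved on downloads",
}
# Heuristic chosen for this example: autorun entries launched from user-writable profile locations.
SUSPECT_RUN_DIRS = ("%appdata%", "\\application data\\", "%temp%", "%allusersprofile%")


def parse_reg(text):
    """Parse the dword and string values of a .reg export into {key: {name: value}}."""
    tree, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if (m := _KEY.match(line)):
            current = m.group(1)
            tree.setdefault(current, {})
        elif current and (m := _DWORD.match(line)):
            tree[current][m.group(1)] = int(m.group(2), 16)
        elif current and (m := _STRING.match(line)):
            # reg export escapes backslashes and double quotes inside string data
            tree[current][m.group(1)] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return tree


def triage(tree):
    """Return (key, value name, reason) for every value matching this family's artifacts."""
    findings = []
    for key, values in tree.items():
        k = key.lower()
        for name, data in values.items():
            n = name.lower()
            if "\\policies\\" in k and n in POLICY_FLAGS and data == 1:
                findings.append((key, name, POLICY_FLAGS[n]))
            elif ("\\policies\\associations" in k and n.startswith("lowriskfiletypes")
                  and isinstance(data, str) and ".exe" in data.lower()):
                findings.append((key, name, "executables whitelisted for Attachment Manager"))
            elif (k.endswith("\\currentversion\\run") and isinstance(data, str)
                  and any(d in data.lower() for d in SUSPECT_RUN_DIRS)):
                findings.append((key, name, "autorun from a profile directory"))
    return findings


def revert_reg(findings):
    """Emit a .reg file: flagged policies back to 0, other flagged values deleted ("=-")."""
    by_key = {}
    for key, name, _ in findings:
        by_key.setdefault(key, []).append(name)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        for name in names:
            if name.lower() in POLICY_FLAGS:
                lines.append(f'"{name}"=dword:00000000')
            else:
                lines.append(f'"{name}"=-')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = triage(parse_reg(SAMPLE_REG))
    for key, name, reason in hits:
        print(f"{key}\\{name}: {reason}")
    print(revert_reg(hits))
```

Against a real host, export the keys with "reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Policies policies.reg" (and likewise for the Run keys); reg export writes UTF-16 with a BOM, so open the file with encoding='utf-16' before passing the text to parse_reg(). Import the generated revert file only after the process and its dropped executable have been removed, otherwise the running trojan simply rewrites the values.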

It also connects to the following sites to download malicious files.

  • [removed]irange.com
  • [removed]rture.com
  • [removed]footlub.com
  • 89.46.[removed]
  • [removed]x-191994.com
  • [removed]ki-67831.com

[Note : C:\Documents and Settings\[User]\Application Data is %AppData%]

--- Updated on Jul 20, 2011 ---

Aliases

    • Kaspersky - Trojan.Win32.Jorik.Fraud.aeq
    • Microsoft - Trojan:Win32/FakeSysdef
    • NOD32 - a variant of Win32/Kryptik.QJL
    • Symantec - Trojan.FakeAVs

"FakeAlert-SysDef.b" is a trojan that reports fake PC performance problems and false error messages, and uses aggressive advertising to persuade the user to purchase it.

On execution the trojan copies itself to the following location:

    • %Temp%\tmpBFAD.tmp

It also connects to the following sites to download other malicious files.

    • hxxp://click[removed].org
    • hxxp://find[removed].org
    • hxxp://click[removed].org

The following registry keys have been added

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

The following Values have been added to the system.

    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
      "NoChangingWallpaper"= 0x00000001
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
      "NoSetActiveDesktop"= 0x00000001
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
      "DisableTaskMgr"= 0x00000001
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      "dgMwVfDydK" = %Temp%\tmpBFAD.tmp

The following registry values have been modified.

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr = 0x00000001
    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
      Hidden = 0x00000000
    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
      ShowSuperHidden = 0x00000000

Note [%Temp% - C:\Documents and Settings\[UserName]\Local Settings\Temp]

--- Updated on Jul 19, 2011 ---

Aliases

    • Kaspersky - Trojan.Win32.FakeAV.dpxe
    • Microsoft - Trojan:Win32/FakeSysdef
    • NOD32 - a variant of Win32/Kryptik.PFD
    • Symantec - Trojan.Gen

"FakeAlert-SysDef.b" is a trojan that reports fake PC performance problems and false error messages, and uses aggressive advertising to persuade the user to purchase it.

On execution the trojan copies itself to the following locations:

    • %AllUsersProfile%\Application Data\lKWDqUysAx.exe
    • %AllUsersProfile%\Application Data\lKWDqUysAx

It also creates the following shortcuts:

    • %UserProfile%\Desktop\Windows XP Repair.lnk
    • %UserProfile%\Start Menu\Programs\Windows XP Repair\Windows XP Repair.lnk
    • %UserProfile%\Start Menu\Programs\Windows XP Repair\Uninstall Windows XP Repair.lnk

The trojan also communicates with the following sites:

    • search[removed].org
    • clickwinston-[removed].org
    • searchbe[removed].org
    • search[removed].org
    • click[removed].org

When executed, the malware displays fake alert windows (screenshots not reproduced here).

The following registry values have been added

    • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
      Use FormSuggest = "Yes"
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
      WarnOnZoneCrossing = 0x00000000
      WarnonBadCertRecving = 0x00000000
      CertificateRevocation = 0x00000000

The following registry values have been modified.

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
       1601 =
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
       State =

It creates the following mutex to ensure that only one instance of the trojan runs at a time:

    • 625773d0-1eb5-4879-8322-8bdc33d9d4fe

The following folder is also added to the system:

    • %UserProfile%\Start Menu\Programs\Windows XP Repair

After execution, the trojan deletes its original file from the system.

Note [%UserProfile% - C:\Documents and Settings\[UserName],
%AllUsersProfile% - C:\Documents and Settings\All Users]

--- Updated on Jun 23, 2011 ---

Aliases

    • F-Secure - Gen:Variant.Kazy.26560
    • Kaspersky - Trojan-Downloader.Win32.Dapato.ha
    • NOD32 - a variant of Win32/Kryptik.PAJ
    • Symantec - Trojan.FakeAV!gen60

On execution the trojan copies itself to the following location:

    • %AllUsersProfile%\Application Data\[Random Name].exe

It then connects to search[removed].org and downloads the following malicious file:

    • %AllUsersProfile%\Application Data\18013988.exe [detected by McAfee as PWS-Zbot.gen.gi]

The trojan displays fake alert messages (screenshots not reproduced here) and shows the same behaviour as the "PWS-Zbot.gen.gi" malware.

The following registry keys have been added

    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\System

The following registry values have been added

    • HKEY_USERS\S-1-[varies]\Software\75fa38b7-8b94-4995-ad32-52e938867954 = ""
    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
      NoDesktop = 0x00000001
    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\
      NoChangingWallPaper = 0x00000001
    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\
      LowRiskFileTypes = "/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:"
    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
      SaveZoneInformation= 0x00000001
    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\System\
      DisableTaskMgr= 0x00000001
    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Run\
      lKMwrmNWsXvp = "%AllUsersProfile%\Application Data\[Random Name].exe"

The Run entry above makes the trojan execute every time that user logs on.
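The LowRiskFileTypes string recorded in this update is the same extension list that the Oct 27, 2011 and Feb 29, 2012 updates show in clear text, with every byte XOR'd against 0x01 ('.' 0x2E becomes '/' 0x2F, ';' 0x3B becomes ':' 0x3A, 'z' becomes '{'). The script below is an added example, not McAfee's code. Rather than assume the key, it brute-forces all 256 single-byte XOR keys and scores each candidate on how much it looks like a ';'-separated list of '.ext' tokens, which also recovers any other registry string obfuscated the same way; the short set of executable extensions used in the final check is constructed for illustration.

```python
"""Recover the obfuscated LowRiskFileTypes value from FakeAlert-SysDef.b.

Added example, not McAfee's code. The value in the Jun 23, 2011 update is the
Attachment Manager extension list with every byte XOR'd against 0x01. Instead
of assuming that key, recover_xor_key() tries all 256 single-byte keys and
keeps the one whose output looks most like a ';'-separated list of '.ext'
tokens; the result is then compared with the clear-text list from the later
updates on this page.
"""
import re
import string

# Copied from the registry value listed in this update.
OBFUSCATED = (
    "/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:"
    "/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:"
)
# Copied from the Oct 27, 2011 / Feb 29, 2012 updates (clear-text form of the same value).
PLAINTEXT = (
    ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;"
    ".gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;"
)

EXT_TOKEN = re.compile(r"^\.[a-z0-9]{1,4}$")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def extension_list_score(candidate: str) -> int:
    """Number of ';'-separated tokens shaped like '.ext'; -1 if the text is not printable."""
    if any(ch not in string.printable for ch in candidate):
        return -1
    return sum(1 for tok in candidate.split(";") if EXT_TOKEN.match(tok))


def recover_xor_key(obfuscated: str) -> tuple:
    """Return (key, plaintext) for the single-byte XOR key with the best score."""
    raw = obfuscated.encode("latin-1")
    best = (0, obfuscated, -1)
    for key in range(256):
        try:
            text = xor_bytes(raw, key).decode("ascii")
        except UnicodeDecodeError:
            continue  # this key yields non-ASCII bytes, so it cannot be the extension list
        score = extension_list_score(text)
        if score > best[2]:
            best = (key, text, score)
    return best[0], best[1]


def risky_extensions(ext_list: str) -> list:
    """Entries in the list that Windows normally warns about before running."""
    # Constructed for illustration: the executable and script types on the page's list.
    executable = {".exe", ".bat", ".com", ".cmd", ".reg", ".msi", ".scr"}
    return [tok for tok in ext_list.split(";") if tok in executable]


if __name__ == "__main__":
    key, text = recover_xor_key(OBFUSCATED)
    print(f"key = 0x{key:02x}")
    print(f"decoded: {text}")
    print(f"matches clear-text value from later updates: {text == PLAINTEXT}")
    print(f"executable types marked low-risk: {risky_extensions(text)}")
```

The scoring function is deliberately narrow: only key 0x01 turns the ':' separators into ';' and the '/' prefixes into '.', so it is the only candidate that scores more than zero, and the recovered list is identical to the clear-text value the later updates record.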

The following registry values have been modified.

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr = 0x00000001
    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
      Hidden = 0x00000000
    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
      ShowSuperHidden = 0x00000000

After execution, the source file deletes itself from the system.

Note [%AllUsersProfile% - C:\Documents and Settings\All Users]

--- Original description, 2011-06-06 ---

File Information

    • MD5 - EB539D4A841DF0F237B695F2ADE6FE2E
    • SHA-1 - 34DA4E4CE22D7516A661A1EDAAF69E4FFF3A6E9C

Aliases

    • Kaspersky - Trojan-Downloader.Win32.Dapato.fs
    • Ikarus - Trojan-Downloader.Win32.Dapato
    • Symantec - Trojan.FakeAV
    • Microsoft - Trojan:Win32/FakeSysdef

FakeAlert-SysDef.b is a trojan that displays false error messages and misleading spyware-scan results, and uses aggressive advertising to persuade the user to purchase the rogue product.

When executed, the malware displays a fake system-error window (screenshot not reproduced here). It then runs an exaggerated scan and generates false detection alerts and warnings; the purpose of the fake messages is to drive the user to purchase the advertised product.

On execution the trojan copies itself to the locations below and connects to searc[removed].org on remote TCP port 80.

  • %UserProfile%\dgMwVfDydK.exe
  • %UserProfile%\Application Data\24370980.exe [random name]

It also drops the following file.

  • %UserProfile%\Application Data\24370980 [random name]

The following Keys have been added to the system.

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

The following Values have been added to the system.

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
    "NoChangingWallpaper"= 0x00000001
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoSetActiveDesktop"= 0x00000001
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr"= 0x00000001
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "dgMwVfDydK" = %UserProfile%\Application Data\dgMwVfDydK.exe

The Run entry above makes the trojan execute at every logon.

The following values have been modified on the system.

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "DisableTaskMgr"= 0x00000001

Also it connects to the following site to download malicious files.

  • clic[removed].org

[Note: %UserProfile% - C:\Documents and Settings\[UserName]]

All Users:

Use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

If the Master Boot Record has been tampered with, use the Microsoft Recovery Console to restore a clean MBR. None of the analyses above report an MBR modification for this detection, so this step is only needed where the boot record is actually affected.

On Windows XP:

    1. Insert the Windows XP CD into the CD-ROM drive and restart the computer.
    2. When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
    3. Select the Windows installation that is compromised and provide the administrator password.
    4. Issue the 'fixmbr' command to restore the Master Boot Record.
    5. Follow the on-screen instructions.
    6. Restart and remove the CD from the CD-ROM drive.

On Windows Vista and 7:

    1. Insert the Windows CD into the CD-ROM drive and restart the computer.
    2. Click "Repair Your Computer".
    3. When the System Recovery Options dialog appears, choose Command Prompt.
    4. Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
    5. Follow the on-screen instructions.
    6. Restart and remove the CD from the CD-ROM drive.

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.
  • The symptoms of this detection are the files, registry entries, and network communication referenced in the characteristics section.