Virus Profile: FakeAlert-SecurityTool.ev

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 7/18/2012
Date Added: 7/18/2012
Origin: N/A
Length: Varies
Type: Trojan
Subtype: Win32
DAT Required: 6776

Description

This is a Trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

Kaspersky - Trojan-FakeAV.Win32.LiveSecurity.k
Avast - Win32:FakeAlert-CVX [Trj]
Nod32 - a variant of Win32/Kryptik.AIYL
Microsoft - Rogue:Win32/Winwebsec

Indication of Infection

Presence of the files and registry keys listed below.

Unexpected network connections to the addresses listed below.

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

Virus Characteristics

"FakeAlert-SecurityTool.ev" is the detection for this Trojan, which claims to scan for malware and displays fake warnings about "malicious programs and viruses". It then insists that the user must purchase the software in order to remove these non-existent threats.

"FakeAlert-SecurityTool.ev" is a fake program that generates misleading alerts and false detections in order to convince users to purchase illegitimate security software.

Upon execution, the Trojan connects to the following addresses over remote port 80:

  • 112.121.[Removed].189
  • 85.114.[Removed].4
  • Bil[Removed]ys.com
  • Deks[Removed]es.com

After execution, it creates the following files in the locations below:

  • %userprofile%\Desktop\Live Security Platinum.lnk
  • %userprofile%\Start Menu\Programs\Live Security Platinum\Live Security Platinum.lnk
  • %ALLUSERSPROFILE%\Application Data\6F638C2D02DCFD1D226FC6F0E56C3425\6F638C2D02DCFD1D226FC6F0E56C3425.exe
  • %ALLUSERSPROFILE%\Application Data\6F638C2D02DCFD1D226FC6F0E56C3425\6F638C2D02DCFD1D226FC6F0E56C3425.ico
  • %ALLUSERSPROFILE%\Application Data\6F638C2D02DCFD1D226FC6F0E56C3425\6F638C2D02DCFD1D226FC6F0E56C3425

It also creates the following directories on the system:

  • %ALLUSERSPROFILE%\Application Data\6F638C2D02DCFD1D226FC6F0E56C3425
  • %userprofile%\Start Menu\Programs\Live Security Platinum

After execution, the Trojan displays fake alert messages. [Screenshots of the alerts are not reproduced here.]

Clicking the "Recommended" link in the alert connects to the following online payment gateway:

Bil[Removed]ys.com

Upon execution, the Trojan adds the following registry keys to the system:

HKEY_USER\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_USER\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_USER\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Uninstall\Live Security Platinum
HKEY_USER\S-1-[Varies]\Software\Microsoft\Installer
HKEY_USER\S-1-[Varies]\Software\Microsoft\Installer\Products
HKEY_USER\S-1-[Varies]\Software\Microsoft\Installer\Products\6F638C7502DCFD65226FC738E56C346D

The following registry values are also added:

HKEY_USER\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Runonce\
"6F638C2D02DCFD1D226FC6F0E56C3425" = "%ALLUSERSPROFILE%\Application Data\6F638C2D02DCFD1D226FC6F0E56C3425\6F638C2D02DCFD1D226FC6F0E56C3425.exe"
HKEY_USER\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Uninstall\Live Security Platinum\
"DisplayName" = "Live Security Platinum"
HKEY_USER\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Uninstall\Live Security Platinum\
"ShortcutPath" = ""%ALLUSERSPROFILE%\Application Data\6F638C2D02DCFD1D226FC6F0E56C3425\6F638C2D02DCFD1D226FC6F0E56C3425.exe" -u"
HKEY_USER\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Uninstall\Live Security Platinum\
"UninstallString" = ""%ALLUSERSPROFILE%\Application Data\6F638C2D02DCFD1D226FC6F0E56C3425\6F638C2D02DCFD1D226FC6F0E56C3425.exe" -u"
HKEY_USER\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Uninstall\Live Security Platinum\
"DisplayIcon" = "%ALLUSERSPROFILE%\Application Data\6F638C2D02DCFD1D226FC6F0E56C3425\6F638C2D02DCFD1D226FC6F0E56C3425.ico,0"
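A defender-side check for the persistence and file artifacts listed above, written here as an added example for this profile (it is not McAfee's tooling). It only reads the registry and file system, and it assumes that the 32-hex-character folder name is specific to the analysed sample, so it matches any such name under the Application Data path rather than the one fixed value; run it from an elevated PowerShell prompt.

```powershell
# Added example: hunts for the Live Security Platinum artifacts described in this profile.
# Read-only: it reports findings, it does not remove anything.
# ASSUMPTION: the 32-hex folder/value name varies per sample, so any 32-hex name is matched.

$hexName  = '[0-9A-Fa-f]{32}'
$appData  = Join-Path $env:ALLUSERSPROFILE 'Application Data'
$findings = New-Object System.Collections.Generic.List[string]

# RunOnce data of the form ...\Application Data\<hex>\<hex>.exe (same hex name twice).
$runOncePattern = "Application Data\\($hexName)\\\1\.exe"

foreach ($hive in Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue) {
    # 1. RunOnce persistence: value name is the hex id, data points at the dropped exe.
    $runOnce = "$($hive.PSPath)\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    if (Test-Path $runOnce) {
        foreach ($p in (Get-ItemProperty $runOnce).PSObject.Properties) {
            if ($p.Name -match "^$hexName$" -and "$($p.Value)" -match $runOncePattern) {
                $findings.Add("RunOnce persistence: $runOnce\$($p.Name) = $($p.Value)")
            }
        }
    }
    # 2. Fake uninstall entry advertising the rogue product name.
    $uninst = "$($hive.PSPath)\Software\Microsoft\Windows\CurrentVersion\Uninstall\Live Security Platinum"
    if (Test-Path $uninst) {
        $name = (Get-ItemProperty $uninst).DisplayName
        $findings.Add("Uninstall entry: $uninst (DisplayName = $name)")
    }
}

# 3. Dropped payload: <AppData>\<hex>\<hex>.exe
Get-ChildItem -Path $appData -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match "^$hexName$" } |
    ForEach-Object {
        $exe = Join-Path $_.FullName "$($_.Name).exe"
        if (Test-Path -LiteralPath $exe) { $findings.Add("Dropped payload: $exe") }
    }

# 4. Desktop and Start Menu shortcuts created by the rogue.
$shortcuts = @(
    "$env:USERPROFILE\Desktop\Live Security Platinum.lnk",
    "$env:USERPROFILE\Start Menu\Programs\Live Security Platinum\Live Security Platinum.lnk"
)
foreach ($lnk in $shortcuts) {
    if (Test-Path -LiteralPath $lnk) { $findings.Add("Shortcut: $lnk") }
}

if ($findings.Count -eq 0) { 'No Live Security Platinum indicators found.' } else { $findings }
```

A hit on the RunOnce value alone is the strongest signal, since the product name in the Uninstall key and shortcuts can be changed between variants while the hex-named self-referential path is the persistence mechanism the profile documents.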

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).