For Home

Virus Profile: HTML/FakeAV

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 10/7/2008
Date Added: 10/7/2008
Origin: N/A
Length: Varies
Type: Trojan
Subtype: HTML
DAT Required: 5400
Removal Instructions
   
 
 
   

Description

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • AntiVir  - HTML/FakeAlert.AV
  • NOD32  - JS/TrojanDownloader.FraudLoad.NAT
  • Ikarus   - Trojan.Win32.FakeAV
  • Microsoft - Rogue: JS/FakePAV

Indication of Infection

Presence of above mentioned files and registry keys

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.
   

Virus Characteristics

"HTML/FakeAV" is a virus detection that infects other files in order to spread.

Once executed or open the HTML file, it will displays the following fake messages to the end users.

Also it opens the default web browser and displays the following Fake Anti-virus (Windows security warning) scanning Reports.

Upon execution, the following keys has been added to the System

  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012012052320120524

And the following registry values has been added to the System

  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012012052320120524\
    “CachePath” = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012012052320120524\"
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012012052320120524\
    “CachePrefix” = ":2012052320120524:”
  • HKEY_USER\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012012052320120524\
    “CacheLimit” = “0x00002000”
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012012052320120524\
    “CacheOptions” = “0x0000000B”
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012012052320120524\
    “CacheRepair” = “0x00000000”

Also it creates the files in the below location:

  • "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012012052320120524\index.dat
   

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).