Virus Characteristics
Upon execution, FakeAlert-IE creates a file named vqsosysguard.exe under the ubkecs folder in Program Files. The file name may vary on every execution but ends with xxxxsysguard.exe (for example, wcalsysguard.exe).
The following files were added by FakeAlert-IE:
C:\Program Files\ubkecs\vqsosysguard.exe
%System%\iehelper.dll
Where %System% = c:\WINDOWS\system32
The following registry entries were made by FakeAlert-IE:
HKEY_CURRENT_USER\Software\AvScan "aazalirt" = "1"
HKEY_CURRENT_USER\Software\AvScan "dkekkrkska" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "system tool" = "C:\Program Files\ubkecs\vqsosysguard.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "system tool" = "C:\Program Files\ubkecs\vqsosysguard.exe"
The Trojan also modifies the hosts file at %System%\drivers\etc\hosts. This is often used to redirect the victim's browsing to a specific malicious website and to prevent users from downloading updates. The modified hosts file will contain a list of URLs redirected to IP 91.2x2.1xx.2x1.
The modified hosts file will look like this:
91.2x2.1xx.2x1 axxrerxmovxr.mixrosxft.com
91.2x2.1xx.2x1 axxrerexover.com
91.2x2.1xx.2x1 www.axxreremxxer.com
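The two persistence and redirection indicators described above (the "system tool" Run value and the hosts-file redirects) can be checked with a short script. This is an added example, not part of the original description: the function names are hypothetical, the four-letter prefix in the file-name pattern is an assumption inferred from the two names shown on the page, and the sample hosts lines and Run values are constructed (documentation-range addresses and example domains).

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: four letters precede "sysguard.exe", inferred from the two
# names on the page (vqsosysguard.exe, wcalsysguard.exe).
SYSGUARD_RE = re.compile(r'\\[a-z]{4}sysguard\.exe(?=$|["\s])', re.IGNORECASE)

def suspicious_hosts_entries(hosts_text):
    """Return {ip: [hostnames]} for entries that map names to a
    non-loopback, non-null address, grouped by the redirect target."""
    redirects = defaultdict(list)
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line: not a valid IP in the first column
        if ip.is_loopback or ip.is_unspecified:
            continue  # localhost and 0.0.0.0 sinkhole entries are not redirects
        redirects[str(ip)].extend(h.lower() for h in fields[1:])
    return dict(redirects)

def suspicious_run_values(run_values):
    """run_values maps Run-key value names to their command strings.
    Return the names whose command launches a *sysguard.exe binary."""
    return sorted(n for n, cmd in run_values.items() if SYSGUARD_RE.search(cmd))

# Constructed sample data (not taken from an infected machine).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost
203.0.113.10 update.example.com
203.0.113.10 www.av-vendor.example   # several names sent to one IP
0.0.0.0 ads.example.net
"""
SAMPLE_RUN = {
    "system tool": r"C:\Program Files\ubkecs\vqsosysguard.exe",
    "Updater": r'"C:\Program Files\Vendor\update.exe" /background',
}

if __name__ == "__main__":
    for ip, names in suspicious_hosts_entries(SAMPLE_HOSTS).items():
        print(f"hosts redirect -> {ip}: {', '.join(names)}")
    for name in suspicious_run_values(SAMPLE_RUN):
        print(f"Run value to review: {name!r}")
```

Legitimate hosts files can contain non-loopback entries, so the output is a list of entries to review rather than a verdict.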
The Trojan then installs a fake antivirus product and performs a system scan that reports the presence of malware on the system, as shown below:

It then displays a pop-up offering to remove the threats if the user purchases the product, as below:

It also displays pop-up alert messages, as shown below, urging the user to prevent attacks from the malware and giving a description of the attack.

When the browser is opened after FakeAlert-IE has been installed, it is redirected to pornography websites such as:
http://www.pxxno.org
http://www.adxlx.com
http://www.vixgrx.com