Virus Characteristics
-- Update October 21, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=220700200
--
This detection is for a FakeAlert trojan that was spammed as a free tool to scan for the "Conficker.B" worm.
Upon execution, this malware copies itself to the following locations and launches the copies:
- %userprofile%\Application Data\seres.exe
- %userprofile%\Application Data\svcst.exe
It then downloads a malicious file to the following location:
- %userprofile%\Application Data\lizkavd.exe (detected as FakeAlert-XPSecCenter)
It then pops up a fake message stating that the system is infected (as shown below).

Upon clicking the message balloon, "lizkavd.exe" is run, which downloads and installs a fake antivirus program.
The following registry entries are created/modified:
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures"
  Data: 01, 00, 00, 00
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes"
  Data: zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mov;.mp3;.wav
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "mserv"
  Data: %userprofile%\Application Data\seres.exe
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "svchost"
  Data: %userprofile%\Application Data\svcst.exe
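
A check for the registry changes listed above, run against the text of a `reg export` of the user hive. This is an added example, not part of the original description; the function names, the sample export and the user profile path in it are constructed for illustration.

```python
import re

# Keys and value names from the registry changes listed above (lower case).
HKCU = "hkey_current_user\\software\\microsoft\\"
RUN_KEY = HKCU + "windows\\currentversion\\run"
IE_KEY = HKCU + "internet explorer\\download"
ASSOC_KEY = HKCU + "windows\\currentversion\\policies\\associations"
RUN_TARGETS = {"mserv": "seres.exe", "svchost": "svcst.exe"}

# Constructed sample export (profile path is made up); ctfmon.exe is a benign entry.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"RunInvalidSignatures"=hex:01,00,00,00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"="zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mov;.mp3;.wav"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"mserv"="C:\\Documents and Settings\\user\\Application Data\\seres.exe"
"svchost"="C:\\Documents and Settings\\user\\Application Data\\svcst.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

def parse_reg(text):
    """Yield (key, name, data) from `reg export` text, key lower-cased."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if key and m:
            yield key, m.group(1), m.group(2)

def audit(text):
    """Return one finding per registry change from this description that is present."""
    findings = []
    for key, name, data in parse_reg(text):
        lname = name.lower()
        # REG_SZ data is quoted with doubled backslashes; undo that for comparison.
        value = data.strip('"').replace("\\\\", "\\").lower()
        target = RUN_TARGETS.get(lname)
        if key == RUN_KEY and target and value.endswith("\\application data\\" + target):
            findings.append(f"Run value '{name}' launches {target}")
        elif key == IE_KEY and lname == "runinvalidsignatures":
            # hex:01,00,00,00 (as listed above) or dword:00000001: any non-zero digit.
            if data.split(":", 1)[-1].replace(",", "").strip("0"):
                findings.append("IE RunInvalidSignatures is enabled")
        elif key == ASSOC_KEY and lname == "lowriskfiletypes":
            if ".exe" in value.split(";"):
                findings.append("LowRiskFileTypes includes .exe")
    return findings
```

Files written by `reg export` are UTF-16, so open them with `encoding="utf-16"` before passing the text to `audit`.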