Virus Profile: FakeAlert-MaCatte

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 11/4/2009
Date Added: 11/4/2009
Origin: N/A
Length: Varies
Type: Trojan
Subtype: Win32
DAT Required: 5793

Description

FakeAlert-MaCatte is a detection for a trojan that mimics the original McAfee Security Center product. It displays fake alerts to trick the user into buying the rogue AV product for non-existent malware infections on the compromised system. This rogue security product pops up messages claiming that arbitrary files are infected and prompts the victim to remove all the "malicious" files (which are actually clean files).

Indication of Infection

* It displays fake warning messages and "Safety Center Alert" popup alerts.

* It flashes icons in the system tray.

* It hijacks the browser homepage to an unknown web page that again mimics the McAfee site. MaCatte Antivirus 2009 will block currently installed or downloaded anti-virus software. It will hijack your web browser and redirect you to various misleading websites, including the rogue program's homepage www.macatte.com (now a broken link).

* MaCatte Antivirus will be configured to start automatically when you boot up Windows. Once started, it will scan your computer and then display numerous infections, but will not remove them until you first purchase the program.

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Aliases

AntiVirus2009 [Symantec], RogueAntiSpyware.AntiVirus2009 [PC Tools], Trojan.Crypt [Ikarus], Trojan:Win32/FakeXPA [Microsoft]

Virus Characteristics

The trojan creates the following folders and files:

C:\Program Files\msca\
C:\Program Files\msca\msc.exe
C:\Program Files\msca\msca.ico
C:\Program Files\msca\mstdl.exe
C:\Program Files\msca\Viruses.dat

C:\Documents and Settings\All Users\Application Data\msca
C:\Documents and Settings\All Users\Application Data\msca\msca.ico
C:\Documents and Settings\All Users\Application Data\msca\mcull.exe
C:\Documents and Settings\All Users\Application Data\msca\msc.exe
C:\Documents and Settings\All Users\Application Data\msca\Viruses.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Media\WPtect.dll
C:\Documents and Settings\All Users\Desktop\msca.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\msca
C:\Documents and Settings\All Users\Start Menu\Programs\msca\msca.lnk
C:\Documents and Settings\All Users\Desktop\Macatt Sec1.jpg
C:\Documents and Settings\All Users\Desktop\Macatt Sec2.jpg
C:\Documents and Settings\All Users\Desktop\Macatt Sec3.jpg
%UserProfile%\Local Settings\Temp\~DFA3DA.tmp\mac.exe

Note:
%UserProfile% is a variable location and refers to the user's profile folder.

It modifies the following registry keys:

• HKEY_CURRENT_USER\Software\msca

• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{459b6bf8-5320-4c41-8833-85baedf31086}

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A73890FC-177F-4198-AE3D-C64F7D9E69D8}

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{459b6bf8-5320-4c41-8833-85baedf31086}

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{459b6bf8-5320-4c41-8833-85baedf31086}

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{459b6bf8-5320-4c41-8833-85baedf31086}

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\{459b6bf8-5320-4c41-8833-85baedf31086}

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "msca"

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "wsc"

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "msc"

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\msca

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPost "0"

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect "0"

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonBadCertRecving "0"

The trojan uses a browser such as Internet Explorer to connect to the malicious website xxx.macatte.xxxx (now a broken link).
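The file and registry artifacts listed above can be turned into a report-only host check. The following PowerShell script is an added example and is not McAfee's tool or part of this profile; it checks for each listed path, key and autostart value, and returns findings as objects without deleting or modifying anything. It assumes the Windows XP-era folder layout the profile describes (the "All Users" and "Local Settings" paths are built from ALLUSERSPROFILE and USERPROFILE), that the ~DF*.tmp folder name varies between infections, and that the three Internet Settings values are stored as a DWORD or as the first byte of a binary value.

```powershell
# Added example, not McAfee's code: report-only check for the FakeAlert-MaCatte
# artifacts listed in this profile. Nothing is removed; use the vendor's current
# engine and DAT files for actual cleanup.
function Find-MaCatteArtifacts {
    $findings = @()
    function Add-Finding($type, $location, $detail) {
        $script:findings += [pscustomobject]@{ Type = $type; Location = $location; Detail = $detail }
    }

    # --- File-system artifacts (paths as listed in the profile, XP-era layout assumed) ---
    $files = @(
        "$env:SystemDrive\Program Files\msca\msc.exe",
        "$env:SystemDrive\Program Files\msca\msca.ico",
        "$env:SystemDrive\Program Files\msca\mstdl.exe",
        "$env:SystemDrive\Program Files\msca\Viruses.dat",
        "$env:ALLUSERSPROFILE\Application Data\msca\mcull.exe",
        "$env:ALLUSERSPROFILE\Application Data\msca\msc.exe",
        "$env:ALLUSERSPROFILE\Application Data\msca\Viruses.dat",
        "$env:ALLUSERSPROFILE\Application Data\Microsoft\Media\WPtect.dll",
        "$env:ALLUSERSPROFILE\Desktop\msca.lnk",
        "$env:ALLUSERSPROFILE\Start Menu\Programs\msca\msca.lnk",
        "$env:ALLUSERSPROFILE\Desktop\Macatt Sec1.jpg",
        "$env:ALLUSERSPROFILE\Desktop\Macatt Sec2.jpg",
        "$env:ALLUSERSPROFILE\Desktop\Macatt Sec3.jpg"
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) { Add-Finding 'File' $f 'present' }
    }
    # Assumption: the ~DFxxxx.tmp folder name is not fixed, so match it with a wildcard.
    Get-ChildItem -Path "$env:USERPROFILE\Local Settings\Temp\~DF*.tmp\mac.exe" -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'File' $_.FullName 'present' }

    # --- Registry keys (HKEY_LOCAL_MACHINE -> HKLM:, HKEY_CURRENT_USER -> HKCU:) ---
    $clsid = '{459b6bf8-5320-4c41-8833-85baedf31086}'
    $bho   = '{A73890FC-177F-4198-AE3D-C64F7D9E69D8}'
    $explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
    $keys = @(
        'HKCU:\Software\msca',
        "HKLM:\SOFTWARE\Classes\CLSID\$clsid",
        "$explorer\Browser Helper Objects\$bho",
        "$explorer\ControlPanel\NameSpace\$clsid",
        "$explorer\Desktop\NameSpace\$clsid",
        "$explorer\MyComputer\NameSpace\$clsid",
        "$explorer\NetworkNeighborhood\NameSpace\$clsid",
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\msca'
    )
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { Add-Finding 'RegKey' $k 'present' }
    }

    # --- Autostart values: the value *name* is the indicator, whatever its data ---
    $runValues = @(
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'; Name = 'msca' },
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';     Name = 'wsc'  },
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';     Name = 'msc'  }
    )
    foreach ($rv in $runValues) {
        $p = Get-ItemProperty -LiteralPath $rv.Key -Name $rv.Name -ErrorAction SilentlyContinue
        if ($p) { Add-Finding 'RegValue' "$($rv.Key)\$($rv.Name)" $p.($rv.Name) }
    }

    # --- IE warning prompts set to 0: a weak signal alone, reported because the profile lists it ---
    $ie = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    foreach ($name in 'WarnOnPost', 'WarnOnPostRedirect', 'WarnonBadCertRecving') {
        $p = Get-ItemProperty -LiteralPath $ie -Name $name -ErrorAction SilentlyContinue
        if (-not $p) { continue }
        $raw = $p.$name
        # Assumption: DWORD, or REG_BINARY where the first byte carries the flag.
        $val = if ($raw -is [array]) { [int]$raw[0] } else { [int]$raw }
        if ($val -eq 0) { Add-Finding 'RegValue' "$ie\$name" '0 (prompt disabled)' }
    }

    return $findings
}

# Usage: print a table, or pipe to Export-Csv for collection across hosts.
Find-MaCatteArtifacts | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys and the All Users folders are readable; an empty table means none of the listed indicators were found, not that the host is clean, since the profile notes the file length varies and the DAT-based scan remains the authoritative check.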

Removal Instructions

Use current engine and DAT files for detection and removal. Removal requires removing the entry in the SYSTEM.INI file and restarting in MS-DOS mode to delete the file manually from the Windows and Windows\System folders.