Products
- Cross Device
- PC & Mac
- Mobile/Tablet
- Other Services
  - McAfee Virus Removal Service
  - View All
- Free Tools
Virus Information
Security Advice
Support
Free Trials

Virus Profile: FakeAlertAVSoft

Threat Search

Virus Profile information details
Risk Assessment:	Home Low \| Corporate Low
Date Discovered:	2/23/2010
Date Added:	2/23/2010
Origin:	N/A
Length:	N/A
Type:	Trojan
Subtype:	Win32
DAT Required:	5901
Removal Instructions

Overview
Virus Characteristics
Removal Instructions

Description

This Binary is Trojan Fake alert. As the name, this Trojan gives fake alerts to the compromised user system. And creates a mirage as if the user system is severely affected which is actually not. Then it will give fake balloon tips when clicked it will ask the compromised user to buy fake antivirus software.

FakeAlert-AVSoft will silently install and run a virus scan on the system. It will falsely claim that it found viruses and will require the user to register the product to clean the system.

Gives fake alert as if the system is severely infected.
Registry modification
Tricks the user and prompts them to buy the fake antivirus software

Indication of Infection

Gives fake alert as if the system is severely infected.
Registry modification

Methods of Infection

Aliases

FakeAlert-AVSoft

View Virus Characteristics

Virus Characteristics

Upon exection the FakeAlert-AVsoft creates the following registry keys:

HKEY_CURRENT_USER\Software\AvScan

The following registry values have been added to the system.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures”]
Data: 01, 00, 00, 00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride"]
Data: local
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer"]
Data: http=127.0.0.1:5555
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes"]
Data: .exe
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation"]
Data: 01, 00, 00, 00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "ymrkrjmo"]
Data: C:\Documents and Settings\%User%\Local Settings\Application Data\rkfvfv\tpidsftav.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "ymrkrjmo"]
Data: C:\Documents and Settings\%User%\Local Settings\Application Data\rkfvfv\tpidsftav.exe

The following registry values modified into the system:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures"]
Old data: yes
New data: no
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable"]
Old data: 00, 00, 00, 00
New data: 01, 00, 00, 00

The following registry keys are deleted in system:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows "AppInit_DLLs"

The following file(s) are dropped/created by the FakeAlert:

c:\Documents and Settings\%User%\Local Settings\Application Data\rkfvfv\tpidsftav.exe

After running for approximately 2 mins, FakeAlert-F begins to show a taskbar pop-up message as shown below.

After displaying this message, it then loads the main program which begins to scan the users infected machine. The main FakeAlert program is set to ‘always on top’ which prevents the user from minimising it or removing it completely.

Once the scan has been completed, it displays the following message which warns the user that his/her machine is infected with Malware.

The FakeAlert attempts to trick the user into purchasing the product by changing the meaning of the yes button and the no button as shown in the screen shot below.

The user is prevented from running any executables and the following message is displayed upon attempted execution:

After the FakeAlert has been left running for a period of time, it loads Internet Explorer and opens www.adu[Removed].com and displays a fake warning message in the button right hand side of the screen.

The following domain(s) may be accessed by FakeAlert-AVSoft:

www.Via[Removed].com
www.Por[Removed].com
www.Por[Removed].org
www.adu[Removed].com

System changes:

These are general defaults for typical path variables. (Although they may differ, these examples are common.)

%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)

%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)

Back To Overview View Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

View Virus Characteristics

Virus Information

Display Threat Alerts on Your Site

Virus Profile: FakeAlertAVSoft

Description

Indication of Infection

Methods of Infection

Aliases

Virus Characteristics

Virus Information

Indications of Infection:

PRODUCTS

VIRUS SECURITY

SUPPORT

SOCIALIZE WITH US ON

SIGN UP FOR SECURITY NEWS

WE ACCEPT THE FOLLOWING