
Virus Profile: FakeAlert-MY.a

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 4/1/2010
Date Added: 4/1/2010
Origin: N/A
Length: variable
Type: Trojan
Subtype: Settings Change
DAT Required: 5938
Removal Instructions

Description

This is detection for a Trojan that displays misleading fake alerts to entice the user into buying a product to "repair" malware problems. This Trojan may masquerade its malicious behavior, and victims are likely to have installed it thinking it is an innocent Anti-Virus program.

Indication of Infection

On the infected machine, when the user attempts to open the web browser, the malware may block the browser from opening and pop up a screen like the one shown below [screenshot not reproduced]. Once the victim closes this screen, the browser can be accessed.

  • Presence of the registry entries listed under Virus Characteristics
  • Presence of the files listed under Virus Characteristics
  • Presence of unexpected network connections to the domain listed under Virus Characteristics

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include spam emails, IRC, P2P networks, newsgroup postings, etc.

Virus Characteristics

The Trojan displays a fake security center window providing the option to bring up the fake scanning screen.

Fake AV scanner screen: [screenshot not reproduced]


On execution, the malware creates the following files:

  • C:\Documents and Settings\All Users\Application Data\80AsEM
  • <%userprofile%>\Local Settings\Application Data\80AsEM
  • <%userprofile%>\Local Settings\Application Data\ave.exe
  • <%temp%>\80AsEM
  • <%userprofile%>\Templates\80AsEM

Note:
%UserProfile% is a variable location and refers to the user's profile folder.

The malware creates or modifies the following registry entries:

  • HKEY_USERS\<USER>_Classes\.exe\shell\open\command
    "Default" = "<%userprofile%>\Local Settings\Application Data\ave.exe" /START "%1" %*
  • HKEY_USERS\<USER>_Classes\secfile\shell\open\command
    "Default" = "<%userprofile%>\Local Settings\Application Data\ave.exe" /START "%1" %*
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command
    "Default" = "<%userprofile%>\Local Settings\Application Data\ave.exe" /START "%1" %*
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command
    "Default" = "<%userprofile%>\Local Settings\Application Data\ave.exe" /START "%1" %*
  • HKEY_CLASSES_ROOT\.exe\shell\open\command
    "Default" = "<%userprofile%>\Local Settings\Application Data\ave.exe" /START "%1" %*
  • HKEY_CLASSES_ROOT\secfile\shell\open\command
    "Default" = "<%userprofile%>\Local Settings\Application Data\ave.exe" /START "%1" %*
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
    "DisableNotifications" = "01, 00, 00, 00"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
    "DoNotAllowExceptions" = "00, 00, 00, 00"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
    "EnableFirewall" = "00, 00, 00, 00"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    "DisableNotifications" = "01, 00, 00, 00"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    "DoNotAllowExceptions" = "00, 00, 00, 00"
  • HKEY_CLASSES_ROOT\.exe
    "(Default)" = "secfile"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
    "(Default)" = "<%userprofile%>\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    "AntiVirusDisableNotify" = "01, 00, 00, 00"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    "AntiVirusOverride" = "01, 00, 00, 00"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    "FirewallDisableNotify" = "01, 00, 00, 00"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    "FirewallOverride" = "01, 00, 00, 00"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    "UpdatesDisableNotify" = "01, 00, 00, 00"

The malware connects to the following site when the victim tries to register the fake security product:

  • generic.go<REMOVED>.com
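The registry changes above amount to an .exe file-association hijack (the .exe ProgID pointed at a non-standard "secfile" class whose open command runs ave.exe first), a hijacked Internet Explorer launcher, and Security Center / firewall notifications switched off. The following PowerShell audit, an added example that is not part of the McAfee profile, checks a live host for each of those indicators; it reads CurrentControlSet in place of the ControlSet001 path listed above and assumes it is run from an elevated prompt.

```powershell
# Added example: audit a host for the FakeAlert-MY.a registry indicators.
# Run elevated. CurrentControlSet is used for the live firewall policy.
$findings = @()
function Get-Default($Key) {
    if (Test-Path $Key) { (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).'(default)' }
}
function Test-Flag($Key, $Name) {
    # $true when the value exists and is non-zero (works for DWORD and REG_BINARY).
    $v = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { return $false }
    if ($v -is [byte[]]) { return @($v | Where-Object { $_ -ne 0 }).Count -gt 0 }
    return [int]$v -ne 0
}

# 1. .exe association: the clean ProgID is "exefile" and a clean open command is
#    exactly "%1" %*; "secfile" is not a standard ProgID and should not exist.
foreach ($root in 'Registry::HKEY_CLASSES_ROOT', 'Registry::HKEY_CURRENT_USER\Software\Classes') {
    $progId = Get-Default "$root\.exe"
    if ($progId -and $progId -ne 'exefile') { $findings += ".exe ProgID under $root is '$progId'" }
    if (Test-Path "$root\secfile") { $findings += "unexpected ProgID $root\secfile present" }
    foreach ($cls in '.exe', 'exefile', 'secfile') {
        $cmd = Get-Default "$root\$cls\shell\open\command"
        if ($cmd -and $cmd -ne '"%1" %*') { $findings += "$root\$cls open command: $cmd" }
    }
}

# 2. Browser launcher: the Start Menu Internet entry should invoke iexplore.exe
#    directly, not a wrapper with a /START argument.
$ie = Get-Default 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command'
if ($ie -and $ie -match '/START') { $findings += "IE launcher hijacked: $ie" }

# 3. Security Center overrides and firewall policy flags the malware sets.
$sc = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center'
foreach ($n in 'AntiVirusDisableNotify', 'AntiVirusOverride', 'FirewallDisableNotify', 'FirewallOverride', 'UpdatesDisableNotify') {
    if (Test-Flag $sc $n) { $findings += "Security Center $n is set" }
}
$fw = 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($p in 'DomainProfile', 'StandardProfile') {
    if (Test-Flag "$fw\$p" 'DisableNotifications') { $findings += "$p firewall notifications disabled" }
    $en = (Get-ItemProperty -Path "$fw\$p" -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
    if ($null -ne $en -and -not (Test-Flag "$fw\$p" 'EnableFirewall')) { $findings += "$p firewall disabled" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'No FakeAlert-MY.a registry indicators found.' }
```

A hit on the .exe or secfile checks means every program launch is being routed through ave.exe, so clean the association before attempting to run removal tools from that account.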

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).