For Consumer

Virus Profile: Generic FakeAlert.fi

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 11/9/2011
Date Added: 11/9/2011
Origin: Unknown
Length: Varies
Type: Trojan
Subtype: Win32
DAT Required: 6525
Removal Instructions
   
 
 
   

Description

This is a Trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

Kaspersky - Trojan-FakeAV.Win32.FakeRecovery.ah
nod32  - Win32/Kryptik.VAL trojan (variant)
avast  - Win32:FakeSysdefs-A
avira  - TR/FakeAV.anf

Indication of Infection

Presence of above mentioned files
Presence unexpected network connection to the above mentioned URL

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.
   

Virus Characteristics

“Generic FakeAlert.fi" is a malicious Trojan that may represent security risk for the compromised system and/or its network environment.
FakeAlert families are commonly found to be installed by other Trojan downloader. These Trojans usually arrive as e-mail attachments or via drive-by-download attacks exploiting vulnerabilities in Windows and third-party applications.

Upon execution, Trojan connects to the following URL.

  • wiki-72[Removed]66.com
  • wig[Removed]beg.com
  • wil[Removed]an.com
  • owd[Removed]ralub.com
  • y[Removed]ogreat.com
  • thegr[Removed]b.com
  • wayz[Removed]den.com

After execution the Trojan displays the following Fake Alert messages:
 


 
 
 


 
 
The following files have been added to the system by the Trojan

  • %AllUsersProfile%\Application Data\F5MxUAtVacai3YaV
  • %AllUsersProfile%\Application Data\F5MxUAtVacai3YaV.exe
  • %AppData%\Microsoft\Internet Explorer\Quick Launch\System Restore.lnk
  • %UserProfile%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
  • %UserProfile%\Start Menu\Programs\System Restore\System Restore.lnk
  • %UserProfile%\Start Menu\Programs\System Restore\Uninstall System Restore.lnk
   

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).