Virus Profile: FakeAlert-WwSec

Threat Search
Virus Profile information details
Risk Assessment: Home N/A | Corporate N/A
Date Discovered: 3/1/2010
Date Added: 3/1/2010
Origin: N/A
Length: N/A
Type: Trojan
Subtype: -
DAT Required: 5887
Removal Instructions


This Binary is Trojan Fake alert. As the name, this Trojan gives fake alerts to the compromised user system. And creates a mirage as if the user system is severely affected which is actually not. Then it will give fake balloon tips when clicked it will ask the compromised user to buy fake antivirus software.

FakeAlert-WwSec will silently install and run a virus scan on the system. It will falsely claim that it found viruses and will require the user to register the product to clean the system.

Indication of Infection

  • Gives fake alert as if the system is severely infected.
  • Registry modification
  • Methods of Infection

    Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.


    Virus Characteristics

    Upon exection the FakeAlert-WwSec creates the following registry keys:

    • HKEY_USERS\S-1-5-21-602162358-1897051121-839522115-1003_Classes\.exe
    • HKEY_USERS\S-1-5-21-602162358-1897051121-839522115-1003_Classes\secfile
    • HKEY_CURRENT_USER\Software\Classes\.exe
    • HKEY_CURRENT_USER\Software\Classes\secfile
    • HKEY_CLASSES_ROOT\secfile

    The following registry values have been added to the system.

    • [HKEY_CURRENT_USER\Software\Microsoft\Windows "Identity"]
    • Data: 8A, 53, 5C, F6
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile "DisableNotifications"]
    • Data: 01, 00, 00, 00
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile "DoNotAllowExceptions"]
    • Data: 00, 00, 00, 00
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile "EnableFirewall"]
    • Data: 00, 00, 00, 00
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile "DisableNotifications"]
    • Data: 01, 00, 00, 00
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile "DoNotAllowExceptions"]
    • Data: 00, 00, 00, 00
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile "DisableNotifications"]
    • Data: 01, 00, 00, 00
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile "DoNotAllowExceptions"]
    • Data: 00, 00, 00, 00
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile "EnableFirewall"]
    • Data: 00, 00, 00, 00
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile "DisableNotifications"]
    • Data: 01, 00, 00, 00
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile "DoNotAllowExceptions"]
    • Data: 00, 00, 00, 00

    The following registry values modified into the system:

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)"]
    • New data: "C:\Documents and Settings\%User%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Intern
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride"]
    • New data: 01, 00, 00, 00
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride"]
    • New data: 01, 00, 00, 00
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess "Start"]
    • New data: 04, 00, 00, 00
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Epoch "Epoch"]
    • New data: 2D, 00, 00, 00
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess "Start"]
    • New data: 04, 00, 00, 00
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch "Epoch"]
    • New data: 2D, 00, 00, 00

    The following file(s) are dropped/created by the FakeAlert:

    • c:\Documents and Settings\%User%\Local Settings\Application Data\av.exe (Size: 176,128 bytes)
    • c:\Documents and Settings\%User%\Local Settings\Application Data\B66D8 (Size: 7,296 bytes)

    The FakeAlert loads a Security Center as show below, which informs the user that they do not have a Firewall or Anti-Virus. This is a fake Security Center which attempts to trick the user into purchasing the Fake Scanning software.

    Once this Security Center has been loaded, the FakeAlert then begins a fake scan of the users hard disk drive and informs the user that their machine is infected with several malware files.

    Once the fake scan is complete the following screen is displayed and falsely informs the user that their machine is infected and attempts to trick them into purchasing the software. The FakeAlert switches the position of the “NO” button in a attempt to trick the user into clicking on “YES” to purchase the Fake Alert software.

    Once the user closes the Fake Alert, it continually shows a taskbar pop-up message which falsely informs the user that their machine is under attack and needs to be protected.

    The following domain(s) may be accessed by the Malware:

    • antivirus-[removed].com
    • livewindowsant[removed].com
    • proantivir[removed].com
    • pro-antivir[removed].com
    • antivirus[removed].com
    • microa-ntvir[removed].com
    • antivirus-[removed].com
    • windows-[removed].com
    • spyware-destroy[removed].com

    System changes:

    These are general defaults for typical path variables. (Although they may differ, these examples are common.)

    %WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)

    %SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)


    All Users:
    Use current engine and DAT files for detection and removal.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).


    PC Infected? Get Expert Help

    Virus Removal Service

    Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!