FakeAlert-SpyKiller

Type: Trojan
SubType: Win32
Discovery Date: 03/25/2008
Length: Varies
Minimum DAT: 5259 (03/25/2008)
Updated DAT: 5489 (01/08/2009)
Minimum Engine: 5.2.00
Description Added: 03/25/2008
Description Modified: 03/03/2009 11:00 PM (PT)
Risk Assessment: Low (Corporate User), Low (Home User)

Characteristics

Upon execution, the malware changes the desktop background of the compromised machine.

It then displays a series of fake alert messages.

When the user clicks on a fake alert message, the malware covertly installs the complete SpyKillerPro, a fake security product.

On completing the fake scanning process, the malware displays a fake warning message.

When the user clicks the “Register Now” button on that message, the malware displays a window asking for a serial number, which in turn redirects the user to a payment page.

Following folders and files are created by the malware on execution:

  • C:\Documents and Settings\Start Menu\Programs\SpyKillerPro
  • C:\Program Files\SpyKillerPro
  • C:\Program Files\SpyKillerPro\Quarantine
  • C:\Program Files\SpyKillerPro\SpyKillerPro.exe
  • C:\Program Files\SpyKillerPro\SpyKillerProUpdate.exe
  • C:\Program Files\SpyKillerPro\helper.sys
  • %Temp%\dropper1008.exe
  • %Temp%\Local Settings\Temp\4531.exe

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Following are the new registry keys added:

  • HKEY_CURRENT_USER\Software\InterSoftware
  • HKEY_CURRENT_USER\Software\SpyKillerPro
  • HKEY_LOCAL_MACHINE\SOFTWARE\SpyKillerPro
  • HKEY_CLASSES_ROOT\AboutBlankChanger.AboutBlank
  • The malware also creates various Browser Helper Object entries
  • The malware also creates certain service entries

Following are the new registry values added:

  • A value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, so that the malware is loaded at system startup
  • Values under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies that disable access to Task Manager and the registry editor and remove the option to change the wallpaper

Following are the modified registry data:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General "Wallpaper" = "%APPDATA%\~tmp.html"
  • Some notification options under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center are disabled

Symptoms

  • Appearance of the above-mentioned fake alert messages and desktop hijack
  • Presence of the aforementioned folders, files and registry traces
  • Access to the Windows Task Manager will be disabled (taskmgr.exe)
  • Access to the Windows registry editor will be disabled (regedit.exe, regedt32.exe)
  • Option to change the desktop wallpaper will be disabled
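
As an added example (not McAfee's or this page's own tooling), the following Python script applies the file and registry indicators listed above to a regedit 5.00 export and a file listing taken from a suspect host, and builds a .reg fragment that deletes the lockout and Run values it found, so Task Manager and regedit work again once the binaries are removed. The sample export and file list are constructed for illustration. The policy and Security Center value names used (DisableTaskMgr, DisableRegistryTools, NoChangingWallPaper, AntiVirusDisableNotify, FirewallDisableNotify) are the standard Windows ones; the description only names the parent keys, so that this sample sets exactly these values is an assumption of the example.

```python
import re

# Indicators from the description above; all matching is case-insensitive.
IOC_FILES = {
    r"c:\program files\spykillerpro\spykillerpro.exe",
    r"c:\program files\spykillerpro\spykillerproupdate.exe",
    r"c:\program files\spykillerpro\helper.sys",
}
IOC_KEYS = {
    r"hkey_current_user\software\intersoftware",
    r"hkey_current_user\software\spykillerpro",
    r"hkey_local_machine\software\spykillerpro",
    r"hkey_classes_root\aboutblankchanger.aboutblank",
}
CV = r"hkey_local_machine\software\microsoft\windows\currentversion"
RUN_KEY = CV + r"\run"
SEC_CENTER = r"hkey_local_machine\software\microsoft\security center"
WALLPAPER_KEY = r"hkey_current_user\software\microsoft\internet explorer\desktop\general"
# Standard Windows value names; the description only names the parent keys, so
# assuming this sample sets exactly these values is an assumption of this example.
LOCKOUTS = {
    (CV + r"\policies\system", "disabletaskmgr"): "Task Manager disabled",
    (CV + r"\policies\system", "disableregistrytools"): "Registry Editor disabled",
    (CV + r"\policies\activedesktop", "nochangingwallpaper"): "wallpaper change disabled",
    (SEC_CENTER, "antivirusdisablenotify"): "Security Center AV notification off",
    (SEC_CENTER, "firewalldisablenotify"): "Security Center firewall notification off",
}
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')  # "name"=data  or  @=data

def _decode(raw):
    """Decode .reg value data: quoted string or dword; other types are returned as-is."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo the \" and \\ escapes
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw

def parse_reg(text):
    """Parse a regedit 5.00 export into {key: {value_name: data}}, all lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and (m := _VALUE_RE.match(line)):
            keys[current][(m.group(1) or "").lower()] = _decode(m.group(2))  # "" = @
    return keys

def triage(reg, files):
    """Return the indicators from the description that are present in the data."""
    findings = [f"file: {f}" for f in files if f.lower() in IOC_FILES]
    findings += [f"registry key: {k}" for k in sorted(IOC_KEYS.intersection(reg))]
    for name, data in reg.get(RUN_KEY, {}).items():
        if isinstance(data, str) and "spykillerpro" in data.lower():
            findings.append(f"Run persistence: {name} -> {data}")
    wp = reg.get(WALLPAPER_KEY, {}).get("wallpaper")
    if isinstance(wp, str) and wp.lower().endswith(r"\~tmp.html"):
        findings.append(f"desktop hijack: Wallpaper = {wp}")
    for (key, value), meaning in LOCKOUTS.items():
        if reg.get(key, {}).get(value) == 1:
            findings.append(f"{meaning}: [{key}] {value}=1")
    return findings

def undo_reg(reg):
    """Build a .reg fragment ("name"=- deletes a value) that removes the lockout and
    Run values found, so Task Manager and regedit work again once the binaries are gone."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for (key, value), _ in LOCKOUTS.items():
        if reg.get(key, {}).get(value) == 1:
            lines += [f"[{key}]", f'"{value}"=-', ""]
    for name, data in reg.get(RUN_KEY, {}).items():
        if isinstance(data, str) and "spykillerpro" in data.lower():
            lines += [f"[{RUN_KEY}]", f'"{name}"=-', ""]
    return "\n".join(lines)

# Constructed sample export from a hypothetical infected XP host, not a real capture.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\SpyKillerPro]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyKillerPro"="\"C:\\Program Files\\SpyKillerPro\\SpyKillerPro.exe\" /min"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General]
"Wallpaper"="C:\\Documents and Settings\\user\\Application Data\\~tmp.html"
"""
SAMPLE_FILES = [  # constructed directory listing from the same host
    r"C:\Program Files\SpyKillerPro\SpyKillerPro.exe",
    r"C:\Program Files\SpyKillerPro\helper.sys",
]

if __name__ == "__main__":  # stand-alone run: print the findings, then the undo fragment
    print(*triage(parse_reg(SAMPLE_REG), SAMPLE_FILES), undo_reg(parse_reg(SAMPLE_REG)), sep="\n")
```

On a real case, export the keys from the suspect machine with regedit or `reg export` and read the file with `encoding="utf-16"` (both write UTF-16 text) before passing it to parse_reg. The undo fragment only deletes values that were actually found, and it should still be reviewed before it is imported: the same policy values are set legitimately by Group Policy in managed environments, so their presence alone is not proof of infection.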

Method of Infection

This Trojan masquerades as a security product, and victims are likely to install it themselves, believing it to be legitimate.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Variants

    N/A

Overview

FakeAlert-SpyKiller shows a fake warning message, alarming the user that their machine is infected or at risk. The intention behind all the fake messages is to drive users to download the advertised antispyware product.
