Content

FakeAlert-FQ

Type
Trojan
SubType
Win32
Discovery Date
07/17/2009
Length
Varies
Minimum DAT
5679 (07/17/2009)
Updated DAT
5937 (03/31/2010)
Minimum Engine
5.2.00
Description Added
07/17/2009
Description Modified
01/10/2010 10:54 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

When executed, the Trojan prompts the user to download a Fake Anti Malware

Once the user clicks on download button, the Trojan downloads fake Anti Malware which warns user, that the system is infected and tricks the compromised user to purchase the fake anti-malware online.

Upon execution, the Trojan copies itself into the following location

    • %Temp%\settdebugx.exe

And downloads the following files
    • %Temp%\wscsvc32.exe [ Detected as FakeAlert-FQ]
    • %Temp%\dhdhtrdhdrtr5y
    • %ProgramFiles%\Malware Defense\mdext.dll [ Detected as FakeAlert-FQ]
    • %ProgramFiles%\Malware Defense\uninstall.exe [ Detected as FakeAlert-FQ]
    • %ProgramFiles%\Malware Defense\mdefense.exe [Detected as FakeAlert-FQ]

The following registry keys have been added to the system.
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense]
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Malware Defense]
    • [HKEY_USERS\S-1-5-21-1454471165-926492609-839522115-500\Software\Microsoft\Windows\CurrentVersion\Controls Folder]
    • [HKEY_USERS\S-1-5-21-1454471165-926492609-839522115-500\Software\Microsoft\GDIPlus]

The following registry values have been added.
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\]
      "InprocServer32\:" = "C:\PROGRA~1\MALWAR~1\mdext.dll"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\InprocServer32\]
      "ThreadingModel:" = "Apartment"

The Trojan registers the run entry to execute itself every time when the windows boots.
    • [HKEY_USERS\S-1-5-21-1004336348-1326574676-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\]
      "settdebugx.exe: " = "C:\DOCUME~1\Naveen\LOCALS~1\Temp\settdebugx.exe"
    • [HKEY_USERS\S-1-5-21-1004336348-1326574676-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\]
      "Malware Defense:" = "C:\Program Files\Malware Defense\mdefense.exe"

The following registry values have been modified.
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\]
      "Start:" = "0x00000004"
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\]
      "Start:" = "0x00000004"

The above mentioned registry entries confirm that, the Trojan disables Windows Security Center Service, instead a fake Windows Security Center will be displayed which will direct the user to purchase a fake anti-malware product.

When executed, the Trojan connects to the following Sites through a HTTP Port 80.
    • www.edite[removed].cn
    • www.copysc[removed].cn
    • www.summarysc[removed].cn
    • www.onlinesecu[removed].cn

Also, it creates the following Mutex objects
    • 01d459e5-e8c8-4483-acf0-92272daf7309
    • 6da54105-146e-4eea-9b09-b1ca3a54b726

[Where %Temp% is the Temporary Directory - for example C:\Documents and Settings\Administrator\Local Settings\Temp, and %ProgramFiles% is C:\Program Files]

Symptoms

    • Presence of above mentioned files and registry keys
    • Presence of unexpected network connection to the above mentioned Sites.
    • Presence of above mentioned Mutex.

 

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

 

Removal

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

All Information

Overview -

Similar to other malwares of this family, FakeAlert-FQ shows a fake warning message, alarming the user that their machine is infected or at risk. The intention behind all the fake messages is drive users to buy the advertised antispyware product.

File Information

  • MD5 - 02168DD363E40B2283E19207E2CCDFAE
  • SHA - 12dab14d3205c3ebb8c2ac325a1bfad04fe02681
  • File Size - 712704 bytes

Aliases
  • Kaspersky - Trojan.Win32.FraudPack.ajsj
  • Ikarus - Trojan.Win32.FakeAV
  • Comodo - TrojWare.Win32.Trojan.Agent.Gen

Characteristics

Characteristics -

When executed, the Trojan prompts the user to download a Fake Anti Malware

Once the user clicks on download button, the Trojan downloads fake Anti Malware which warns user, that the system is infected and tricks the compromised user to purchase the fake anti-malware online.

Upon execution, the Trojan copies itself into the following location

    • %Temp%\settdebugx.exe

And downloads the following files
    • %Temp%\wscsvc32.exe [ Detected as FakeAlert-FQ]
    • %Temp%\dhdhtrdhdrtr5y
    • %ProgramFiles%\Malware Defense\mdext.dll [ Detected as FakeAlert-FQ]
    • %ProgramFiles%\Malware Defense\uninstall.exe [ Detected as FakeAlert-FQ]
    • %ProgramFiles%\Malware Defense\mdefense.exe [Detected as FakeAlert-FQ]

The following registry keys have been added to the system.
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense]
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Malware Defense]
    • [HKEY_USERS\S-1-5-21-1454471165-926492609-839522115-500\Software\Microsoft\Windows\CurrentVersion\Controls Folder]
    • [HKEY_USERS\S-1-5-21-1454471165-926492609-839522115-500\Software\Microsoft\GDIPlus]

The following registry values have been added.
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\]
      "InprocServer32\:" = "C:\PROGRA~1\MALWAR~1\mdext.dll"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\InprocServer32\]
      "ThreadingModel:" = "Apartment"

The Trojan registers the run entry to execute itself every time when the windows boots.
    • [HKEY_USERS\S-1-5-21-1004336348-1326574676-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\]
      "settdebugx.exe: " = "C:\DOCUME~1\Naveen\LOCALS~1\Temp\settdebugx.exe"
    • [HKEY_USERS\S-1-5-21-1004336348-1326574676-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\]
      "Malware Defense:" = "C:\Program Files\Malware Defense\mdefense.exe"

The following registry values have been modified.
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\]
      "Start:" = "0x00000004"
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\]
      "Start:" = "0x00000004"

The above mentioned registry entries confirm that, the Trojan disables Windows Security Center Service, instead a fake Windows Security Center will be displayed which will direct the user to purchase a fake anti-malware product.

When executed, the Trojan connects to the following Sites through a HTTP Port 80.
    • www.edite[removed].cn
    • www.copysc[removed].cn
    • www.summarysc[removed].cn
    • www.onlinesecu[removed].cn

Also, it creates the following Mutex objects
    • 01d459e5-e8c8-4483-acf0-92272daf7309
    • 6da54105-146e-4eea-9b09-b1ca3a54b726

[Where %Temp% is the Temporary Directory - for example C:\Documents and Settings\Administrator\Local Settings\Temp, and %ProgramFiles% is C:\Program Files]

Symptoms

Symptoms -

    • Presence of above mentioned files and registry keys
    • Presence of unexpected network connection to the above mentioned Sites.
    • Presence of above mentioned Mutex.

 

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

 

Removal -

Removal -

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants -

    N/A