FakeAlert-MA

Type: Trojan
SubType: 
Discovery Date: 02/12/2010
Length: 
Minimum DAT: 5890 (02/12/2010)
Updated DAT: 5990 (05/22/2010)
Minimum Engine: 5.2.00
Description Added: 02/12/2010
Description Modified: 03/01/2010 6:15 AM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

Upon execution, FakeAlert-MA creates the following registry keys:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-security-essentials.com
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\download-soft-package.com
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\download-software-package.com
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is-software-download.com
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  • HKEY_CURRENT_USER\Software\SE2010

The following registry values are added to the system:

  [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
    "Enabled" = 00, 00, 00, 00
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
    "EnableAutoTray" = 00, 00, 00, 00
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoActiveDesktopChanges" = 01, 00, 00, 00
    "NoSetActiveDesktop" = 01, 00, 00, 00
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr" = 01, 00, 00, 00
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Security essentials 2010" = C:\Program Files\Securityessentials2010\SE2010.exe
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop]
    "NoChangingWallpaper" = 01, 00, 00, 00
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
    "NoActiveDesktopChanges" = 01, 00, 00, 00
    "NoSetActiveDesktop" = 01, 00, 00, 00
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "EnableLUA" = 00, 00, 00, 00
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "smss32.exe" = C:\WINDOWS\system32\smss32.exe

The following existing registry values are modified on the system:

  [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General]
    "Wallpaper" = %SystemRoot%\system32\warnings.html
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit" = C:\WINDOWS\system32\winlogon32.exe

The following file(s) are dropped/created by FakeAlert-MA:

  • c:\Documents and Settings\%User%\Application Data\Microsoft\Internet Explorer\Quick Launch\Security essentials 2010.lnk (788 bytes)
  • c:\Documents and Settings\%User%\Desktop\Security essentials 2010.lnk (788 bytes)
  • c:\Documents and Settings\%User%\Start Menu\Security essentials 2010.lnk (770 bytes)
  • c:\Program Files\Securityessentials2010\SE2010.exe (1,496,576 bytes)
  • c:\%WinDir%\%SystemDir%\41.exe (0 bytes)
  • c:\%WinDir%\%SystemDir%\helpers32.dll (24,576 bytes)
  • c:\%WinDir%\%SystemDir%\smss32.exe (43,520 bytes)
  • c:\%WinDir%\%SystemDir%\warnings.html (4,278 bytes)
  • c:\%WinDir%\%SystemDir%\winlogon32.exe (43,520 bytes)

The desktop background is changed to display the message shown below (note: the background colour is random and changes every time the machine is infected), and the background colour of the icon(s) is changed to red.

Once the user clicks on the “OK” button, the main program is loaded and begins a fake scan of the hard disk drive.

The user can close the FakeAlert window; however, it will continue to show taskbar pop-up messages as well as update messages like the ones shown below:

When the compromised user tries to open any application, it shows a warning message/balloon tip claiming that the file is infected and cannot be executed, and tricks the user into buying the FakeAlert product, as shown below:

The following domain(s) may be accessed by the malware:

  • For-su[Removed]-se.com
  • 88.80.[Removed]9
  • Winter-sm[Removed].com
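As an added example that is not part of the McAfee advisory, the read-only PowerShell triage script below checks a host for the registry keys, registry values and dropped files listed above and reports which of them are present. It assumes the 32-bit Windows layout the advisory describes (system32 under %SystemRoot%, a single Program Files folder) and resolves the %User% paths from the current user's profile; the network indicators are redacted on this page and so are not checked. The function names Get-RegValue, ConvertTo-Int32 and Find-FakeAlertMA are this example's own.

```powershell
# Added example, not from the advisory: read-only triage for FakeAlert-MA indicators.
# It reports matches; it does not remediate. Run as the user whose profile is
# being examined (HKCU and the profile .lnk paths are per-user).

function Get-RegValue {
    # Returns the data of a registry value, or $null if the key or value is absent.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function ConvertTo-Int32 {
    # The advisory prints DWORD data as bytes ("01, 00, 00, 00" = 1). Handle both a
    # REG_DWORD (already an int) and a 4-byte REG_BINARY rendering of the same data.
    param($Data)
    if ($Data -is [byte[]] -and $Data.Length -ge 4) { return [BitConverter]::ToInt32($Data, 0) }
    return [int]$Data
}

function Find-FakeAlertMA {
    $findings  = New-Object System.Collections.Generic.List[string]
    $sysDir    = Join-Path $env:SystemRoot 'system32'   # %WinDir%\%SystemDir% in the advisory
    $progFiles = $env:ProgramFiles                      # assumption: 32-bit host, one Program Files

    # 1. Keys that do not exist on a clean host (the PhishingFilter and Policies keys
    #    can exist legitimately, so those are judged by their values in step 2).
    $keys = @(
        'HKCU:\Software\SE2010',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-security-essentials.com',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\download-soft-package.com',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\download-software-package.com',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is-software-download.com'
    )
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { $findings.Add("key present: $k") }
    }

    # 2. DWORD values with the data the advisory lists. EnableLUA=0 and EnableAutoTray=0
    #    also occur on deliberately configured hosts, so treat them as corroborating.
    $dwords = @(
        @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter';             Name = 'Enabled';                Data = 0 },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer';               Name = 'EnableAutoTray';         Data = 0 },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoActiveDesktopChanges'; Data = 1 },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoSetActiveDesktop';     Data = 1 },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableTaskMgr';         Data = 1 },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallpaper';    Data = 1 },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoActiveDesktopChanges'; Data = 1 },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoSetActiveDesktop';     Data = 1 },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'EnableLUA';              Data = 0 }
    )
    foreach ($d in $dwords) {
        $v = Get-RegValue -Path $d.Path -Name $d.Name
        if ($null -ne $v -and (ConvertTo-Int32 $v) -eq $d.Data) {
            $findings.Add("value matches: $($d.Path)\$($d.Name) = $($d.Data)")
        }
    }

    # 3. Persistence and lure: the two Run entries, the hijacked Userinit, the wallpaper.
    $runEntries = @(
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Security essentials 2010' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'smss32.exe' }
    )
    foreach ($r in $runEntries) {
        $v = Get-RegValue -Path $r.Path -Name $r.Name
        if ($null -ne $v) { $findings.Add("autorun present: $($r.Path)\$($r.Name) = $v") }
    }
    $userinit = Get-RegValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name 'Userinit'
    if ($userinit -and $userinit -match 'winlogon32\.exe') { $findings.Add("Userinit hijacked: $userinit") }
    $wallpaper = Get-RegValue -Path 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\General' -Name 'Wallpaper'
    if ($wallpaper -and $wallpaper -match 'warnings\.html') { $findings.Add("wallpaper set to lure page: $wallpaper") }

    # 4. Dropped files, with %User% paths resolved from the current profile.
    $files = @(
        (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\Security essentials 2010.lnk'),
        (Join-Path ([Environment]::GetFolderPath('Desktop'))   'Security essentials 2010.lnk'),
        (Join-Path ([Environment]::GetFolderPath('StartMenu')) 'Security essentials 2010.lnk'),
        (Join-Path $progFiles 'Securityessentials2010\SE2010.exe')
    )
    foreach ($n in '41.exe', 'helpers32.dll', 'smss32.exe', 'warnings.html', 'winlogon32.exe') {
        $files += Join-Path $sysDir $n
    }
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f -PathType Leaf) {
            $size = (Get-Item -LiteralPath $f).Length
            $findings.Add("file present: $f ($size bytes)")
        }
    }
    return ,$findings   # the leading comma keeps the list intact instead of unrolling it
}

$hits = Find-FakeAlertMA
if ($hits.Count -eq 0) { Write-Output 'No FakeAlert-MA indicators found.' }
else { $hits | ForEach-Object { Write-Output $_ } }
```

The Run entries, the Userinit value pointing at winlogon32.exe and the SE2010 key are the strong signals; a host that only shows EnableLUA=0 or EnableAutoTray=0 may simply be configured that way. Note that a hijacked Userinit means winlogon32.exe runs at every logon, so a positive result should be followed by cleaning with the engine and DAT combination the Removal section names rather than by deleting files by hand.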

Symptoms

  • Displays fake alerts claiming the system is severely infected.
  • Modifies the registry.
  • Tricks the user into buying the fake antivirus software.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Variants

N/A

Overview

This binary is a FakeAlert Trojan. As the name suggests, it presents the compromised user with fake alerts, creating the illusion that the system is severely infected when it is not. It then shows fake balloon tips which, when clicked, ask the user to buy fake antivirus software.

FakeAlert-MA silently installs and runs a virus scan on the system. It falsely claims to have found viruses and requires the user to register the product to clean the system.
