Trojan.FakeAlert.ZV
MEDIUM
VERY LOW
19,968 13,312
(Hoax.Win32.Renos.eas, Hoax.Win32.Agent.ej, Misc/FakeAlert)
Symptoms
A blinking shield icon appears in the system tray and it sometimes displays a message that you are infected with several spyware applications.
If you click the shield icon, it opens the web page of a rogue antivirus application (antispycheck).
An Add/Remove Programs entry named Windows Safety Alert is created to trick the user into thinking this is a legitimate application.
Removal instructions:
zgyhw.dll is injected into explorer.exe, so the registry entries listed in the technical description must be removed first, the system restarted, and only then can the malicious file be deleted. Also note that the file may have the "hidden" attribute set.
Analyzed By
Deac Razvan-Ioan, virus researcher
Technical Description:
During infection an executable drops a DLL to %windir%\System32\zgyhw.dll. This DLL is then registered to load at startup using the following registry keys:
HKLM\Software\Classes\CLSID\{2f199d0e-f3e7-41a7-a060-816c24cceea0}\InProcServer32\(Default)
"C:\WINNT\system32\zgyhw.dll"
HKLM\Software\Classes\CLSID\{2f199d0e-f3e7-41a7-a060-816c24cceea0}\InProcServer32\ThreadingModel
"Apartment"
Another registry key adds an Add/Remove Programs entry. Using that entry only removes the executable that dropped zgyhw.dll, which by this point is no longer needed by the malware anyway.
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert\DisplayName
"Windows Safety Alert"
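The following PowerShell helper checks a host for the indicators listed in this description (the CLSID registration pointing at zgyhw.dll, the fake uninstall entry, and the possibly hidden DLL) and, with -Remove, performs the cleanup in the order the removal instructions require: registry entries first, file deletion after a restart. It is an added example, not part of the original analysis; the key paths, CLSID and file name are taken from this page, while the -Remove switch and the file-name match are assumptions of the example.

```powershell
# Added detection/cleanup helper for the Trojan.FakeAlert.ZV indicators on this page.
# Not the analyst's own tooling; run from an elevated PowerShell prompt.
# Without -Remove it only reports what it finds.
param([switch]$Remove)

$Clsid     = '{2f199d0e-f3e7-41a7-a060-816c24cceea0}'
$ClsidKey  = "HKLM:\Software\Classes\CLSID\$Clsid"
$InProcKey = "$ClsidKey\InProcServer32"
$UninstKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert'
$DllPath   = Join-Path $env:windir 'System32\zgyhw.dll'

$findings = @()

if (Test-Path $InProcKey) {
    # The default value of InProcServer32 holds the DLL path (C:\WINNT\system32\zgyhw.dll on the page).
    $server = (Get-ItemProperty -Path $InProcKey -ErrorAction SilentlyContinue).'(default)'
    if ($server -and $server -match 'zgyhw\.dll$') {
        $findings += "CLSID $Clsid InProcServer32 points to $server"
    }
}
if (Test-Path $UninstKey) {
    $findings += "Add/Remove entry present: $UninstKey"
}
if (Test-Path $DllPath) {
    # -Force is needed because the DLL may carry the hidden attribute.
    $attrs = (Get-Item -Path $DllPath -Force).Attributes
    $findings += "File present: $DllPath (attributes: $attrs)"
}

if ($findings.Count -eq 0) { Write-Output 'No Trojan.FakeAlert.ZV indicators found.'; return }
$findings | ForEach-Object { Write-Output "FOUND: $_" }

if ($Remove) {
    # Step 1: remove the registry entries so the DLL is not loaded again at the next start.
    foreach ($key in @($ClsidKey, $UninstKey)) {
        if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force; Write-Output "Removed $key" }
    }
    # Step 2: clear the hidden attribute and try to delete the file. While explorer.exe still
    # has the DLL injected this fails with a sharing violation; restart and run the script again.
    if (Test-Path $DllPath) {
        (Get-Item -Path $DllPath -Force).Attributes = [IO.FileAttributes]::Normal
        try {
            Remove-Item -Path $DllPath -Force -ErrorAction Stop
            Write-Output "Deleted $DllPath"
        } catch {
            Write-Warning "Could not delete $DllPath yet ($($_.Exception.Message)); restart and rerun."
        }
    }
}
```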