BitDefender Antivirus

Trojan.FakeAlert.AAH

(Backdoor.Win32.Frauder.o, W32/FakeAle.CO!tr, Troj/FakeAle-FK, BDS/Frauder.O, Trojan Antivirus2008.DO)
Spreading: high
Damage: high
Size: approx. 190 kb
Discovered: 2008 Aug 18

SYMPTOMS:

  • The wallpaper is changed without the user's consent, and warnings of a possible virus infection appear, pressuring the user to buy fake removal software.

 


  • Here is a screenshot with the new wallpaper that warns the user of two virus detections on the system.


TECHNICAL DESCRIPTION:

When the process starts, it drops three files with random names in the %system% folder. One of them is a .bmp file that is set as the wallpaper, another is a .scr file, and the last is an executable file that is a copy of the virus. It then deletes itself from the original location. After that, it downloads software named “Antivirus XP 2008”, which is installed in a randomly named folder under the %programfiles% folder. Once installed, it starts scanning the system and warns about false infections detected on the system, recommending that the user buy a license to get clean.

 

One of the dropped or downloaded files may be added to the following registry subkeys to ensure that the malware is executed at every system start-up (there could be two values of the following form):

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “[random-value-name]”
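
A triage check for the artifacts described above, added here as an example and not BitDefender's own code: it looks for a .bmp, a .scr and an .exe created together in the system folder, then checks whether the bitmap is the current wallpaper and whether a Run value points at one of the files. The System32 path, the 120-second window and all sample file and value names are assumptions constructed for illustration.

```python
import ntpath

SYSTEM_DIR = r"c:\windows\system32"  # assumed expansion of %system%

# Constructed sample data (not from a real infection): file listing with
# creation times, exported HKLM Run values, and the current wallpaper path.
SAMPLE_FILES = [
    (r"C:\Windows\System32\notepad.exe", 1_200_000_000),
    (r"C:\Windows\System32\setup.bmp", 1_200_000_500),
    (r"C:\Windows\System32\qzkfwp.bmp", 1_219_000_000),
    (r"C:\Windows\System32\lhtrbe.scr", 1_219_000_004),
    (r"C:\Windows\System32\vdmxou.exe", 1_219_000_007),
]
SAMPLE_RUN = {
    "ctfmon": r"C:\Windows\System32\ctfmon.exe",
    "vdmxou": r'"C:\Windows\System32\vdmxou.exe" /s',
}
SAMPLE_WALLPAPER = r"C:\Windows\System32\qzkfwp.bmp"

def _ext(path):
    return ntpath.splitext(path)[1].lower()

def find_triads(files, run_values, wallpaper, window=120):
    """Return one finding per .bmp that has a .scr and .exe sibling in window."""
    in_sys = sorted(
        ((p, t) for p, t in files if ntpath.dirname(p).lower() == SYSTEM_DIR),
        key=lambda f: f[1])
    findings = []
    for bmp, t0 in in_sys:
        if _ext(bmp) != ".bmp":
            continue
        # Files created within `window` seconds of the bitmap.
        near = [p for p, t in in_sys if abs(t - t0) <= window]
        scr = [p for p in near if _ext(p) == ".scr"]
        exe = [p for p in near if _ext(p) == ".exe"]
        if not (scr and exe):
            continue  # a lone bitmap is not the pattern described
        autoruns = sorted(name for name, cmd in run_values.items()
                          if any(p.lower() in cmd.lower() for p in scr + exe))
        findings.append({
            "bmp": bmp, "scr": scr, "exe": exe,
            "is_wallpaper": wallpaper.lower() == bmp.lower(),
            "run_values": autoruns,
        })
    return findings

if __name__ == "__main__":
    for finding in find_triads(SAMPLE_FILES, SAMPLE_RUN, SAMPLE_WALLPAPER):
        print(finding)
```

A finding with `is_wallpaper` set and a non-empty `run_values` list matches all three behaviours in the description; a triad alone is only a lead, since the file names are random and the time window is a heuristic.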

Removal instructions:

Please let BitDefender disinfect your files.

ANALYZED BY:

Barat Marius, virus researcher