
Trojan.FakeAlert.ABZ

HIGH
HIGH
approx. 15 KB
(Trojan.Win32.Buzus.ujy, W32/Dloadr.BQY!tr, Win32/TrojanDownloader.FakeAlert.HK, Troj/Agent-HNJ, FakeAlert-AB)

Symptoms

This piece of malware downloads a fake antivirus product called "XP Antivirus", one of a "dynasty" of rogue antivirus programs that infects computers through successive waves of malicious campaigns.

Here is one sign that the infection occurred (this picture appears on the desktop):


Also, a window appears containing the "Antivirus XP 2008" EULA, which has only one button that says "Agree and install", with no possibility of cancelling or closing the window.


Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Daniel Chipiristeanu, virus researcher

Technical Description:

As the name says, the malware displays fake alerts and pushes a rogue antivirus product (XP Antivirus) onto the affected computer.

It creates the following files (the names below show the fixed prefix followed by a wildcard; examples of the full, randomized names are given after the list):

 * %Program Files%\rhc*
 * %Program Files%\rhc*\MFC71.dll
 * %Program Files%\rhc*\MFC71ENU.DLL
 * %Program Files%\rhc*\Uninstall.exe
 * %Program Files%\rhc*\database.dat
 * %Program Files%\rhc*\license.txt
 * %Program Files%\rhc*\msvcp71.dll
 * %Program Files%\rhc*\msvcr71.dll
 * %Program Files%\rhc*\rhc*.exe
 * %Program Files%\rhc*\rhc*.exe.local
 * %system%\blp*.scr
 * %system%\lphc*.exe (detected as Trojan.FakeAlert.ADA)
 * %system%\phc*.bmp
 * %system%\pph*.exe (detected as Trojan.FakeRemoval.A)
 * %system%\ttkyii.dll (detected as Trojan.FakeAlert.ABZ)

** Examples: for "rhc*" -> "rhcv2gj0e321", for "lph*" -> "lphcr2gj0e321", for "pph*" -> "pphcr2gj0e321", for "blp*" -> "blphcr2gj0e321", for "phc*" -> "phcr2gj0e321", etc.

The malware uses deceitful practices to trick the user into buying a rogue antivirus (XP Antivirus), by reporting false detections from its so-called "scan". It also replaces the wallpaper with an infection alarm and sets a screensaver (bluescreen.scr from SysInternals) that can look frightening to the user. Ironically, the customer is indeed infected, just not with what the fake scanner reports.


It uses these registry values to run itself at startup:
  1. In the key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" it creates the value "lph*" (e.g. "lphcpuhj0e535") that points to "%system%\lph*.exe" (e.g. "%system%\lphcpuhj0e535.exe").
  2. In the same key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" it creates the value "SMr*" (e.g. "SMrhctuhj0e535") that points to "%programfiles%\rhc*" (e.g. "%programfiles%\rhctuhj0e535\rhctuhj0e535.exe").

It changes these registry settings so that the user cannot change the wallpaper or screensaver:
  1. In the key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", it sets the value "NoDispBackgroundPage" to "1".
  2. In the same key, it sets the value "NoDispScrSavPage" to "1".
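As an added example that is not part of the BitDefender write-up, the following read-only PowerShell script checks a machine for the indicators listed above: the Run-key values, the two policy values, and the dropped files. It assumes the standard %SystemRoot%\System32 and %ProgramFiles% locations and matches only on the fixed prefixes, since the suffix is randomized per infection.

```powershell
# Added example (not from the BitDefender description): read-only check for the
# Trojan.FakeAlert.ABZ indicators listed above. Run from an elevated PowerShell.
# Prefixes ("lph*", "SMr*", "rhc*", ...) follow the description; the random
# suffix differs on every infected machine, so only the prefix is matched.
$findings = @()

# 1. Run-key values named lph* / SMr* (point to %system%\lph*.exe or %ProgramFiles%\rhc*\rhc*.exe)
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata properties PowerShell adds
        if ($p.Name -like 'PS*') { continue }
        if ($p.Name -like 'lph*' -or $p.Name -like 'SMr*') {
            $findings += "Run value '$($p.Name)' -> $($p.Value)"
        }
    }
}

# 2. Policy values that lock the wallpaper and screensaver pages
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'NoDispBackgroundPage', 'NoDispScrSavPage') {
    $v = (Get-ItemProperty -Path $polKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq 1) { $findings += "$polKey\$name = 1" }
}

# 3. Dropped files in %system% and the rhc* folder under %Program Files%
$sys = Join-Path $env:SystemRoot 'System32'
foreach ($pattern in 'lphc*.exe', 'pph*.exe', 'blp*.scr', 'phc*.bmp', 'ttkyii.dll') {
    Get-ChildItem -Path $sys -Filter $pattern -File -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "File: $($_.FullName)" }
}
Get-ChildItem -Path $env:ProgramFiles -Directory -Filter 'rhc*' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Folder: $($_.FullName)" }

# Report only; disinfection is left to the antivirus product, as the page advises.
if ($findings.Count -eq 0) {
    Write-Output 'No Trojan.FakeAlert.ABZ indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "SUSPICIOUS: $_" }
}
```

Prefix matches such as a legitimate folder starting with "rhc" are possible, so treat each hit as a lead to verify against the full file list rather than proof of infection.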