(Trojan.Win32.Buzus.ujy, W32/Dloadr.BQY!tr, Win32/TrojanDownloader.FakeAlert.HK, Troj/Agent-HNJ, FakeAlert-AB)
Symptoms
This piece of malware downloads a fake antivirus software called "XP Antivirus", which belongs to a "dynasty" of rogue antivirus software that infects computers through successive waves of malicious campaigns.
Here is one sign that the infection occurred (this picture appears on the desktop):

Also, a window appears containing the "Antivirus XP 2008" EULA, which has only one button that says "Agree and install", with no possibility of cancelling or closing the window.

Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Daniel Chipiristeanu, virus researcher
Technical Description:
As the name says, the malware displays fake alerts and pushes a rogue antivirus software (XP Antivirus) onto the affected computer.
It creates the following files (the list shows how the files are usually named; an example of each name is given below):
* %Program Files%\rhc*
* %Program Files%\rhc*\MFC71.dll
* %Program Files%\rhc*\MFC71ENU.DLL
* %Program Files%\rhc*\Uninstall.exe
* %Program Files%\rhc*\database.dat
* %Program Files%\rhc*\license.txt
* %Program Files%\rhc*\msvcp71.dll
* %Program Files%\rhc*\msvcr71.dll
* %Program Files%\rhc*\rhc*.exe
* %Program Files%\rhc*\rhc*.exe.local
* %system%\blp*.scr
* %system%\lphc*.exe detected as Trojan.FakeAlert.ADA
* %system%\phc*.bmp
* %system%\pph*.exe detected as Trojan.FakeRemoval.A
* %system%\ttkyii.dll detected as Trojan.FakeAlert.ABZ
** Examples: for "rhc*" -> "rhcv2gj0e321", for "lph*" -> "lphcr2gj0e321", for "pph*" -> "pphcr2gj0e321", for "blp*" -> "blphcr2gj0e321", for "phc*" -> "phcr2gj0e321", etc.
The malware uses deceitful practices to trick the user into buying a rogue antivirus (XP Antivirus), by reporting false detections in its so-called "scan". It also changes the wallpaper to an infection alarm and sets a screensaver (bluescreen.scr, from SysInternals) which can seem frightening to the user. Ironically, the customer is infected, but not with the fake detections reported by the scanner.
It uses these registry values to run itself on startup:
- In the key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" it creates the value "lph*" ("lphcpuhj0e535"), which points to "%system%\lph*.exe" ("%system%\lphcpuhj0e535.exe").
- In the same key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" it creates the value "SMr*" ("SMrhctuhj0e535"), which points to "%programfiles%\rhc*" ("%programfiles%\rhctuhj0e535\rhctuhj0e535.exe").
It changes these registry settings so that the user cannot change the wallpaper or screensaver:
- In the "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" key, it sets the value "NoDispBackgroundPage" to "1".
- In the same key, it sets the value "NoDispScrSavPage" to "1".
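The file names, Run-key entries and policy values listed above can be turned into a simple triage check. The script below is an added example written for this description; it is not BitDefender's code or part of the malware. It works offline over a constructed file inventory and a constructed snapshot of the registry (a dict of key path to value name/data), modelled on the example names given above, so it can be run anywhere; on a live system the same functions would be fed the output of a directory listing and a registry export. The regular expressions assume the random suffix is lowercase alphanumeric and at least six characters long, as in the examples on this page.

```python
import re
from typing import Dict, List

# Random-looking suffix shared by the page's examples ("v2gj0e321", "tuhj0e535").
# Assumption: lowercase alphanumeric, at least six characters.
SUFFIX = r"[a-z0-9]{6,}"

# File artefacts listed above, keyed by what the description says they are.
# The rhc* directory and the rhc*.exe inside it share the same suffix, hence the backreference.
FILE_PATTERNS = [
    (re.compile(rf"\\program files\\rhc({SUFFIX})\\rhc\1\.exe$", re.I),
     "rogue AV executable (%Program Files%\\rhc*\\rhc*.exe)"),
    (re.compile(rf"\\system32\\lphc{SUFFIX}\.exe$", re.I),
     "Trojan.FakeAlert.ADA (%system%\\lphc*.exe)"),
    (re.compile(rf"\\system32\\pphc{SUFFIX}\.exe$", re.I),
     "Trojan.FakeRemoval.A (%system%\\pph*.exe)"),
    (re.compile(rf"\\system32\\blphc{SUFFIX}\.scr$", re.I),
     "bluescreen screensaver (%system%\\blp*.scr)"),
    (re.compile(rf"\\system32\\phc{SUFFIX}\.bmp$", re.I),
     "fake-alert wallpaper (%system%\\phc*.bmp)"),
    (re.compile(r"\\system32\\ttkyii\.dll$", re.I),
     "Trojan.FakeAlert.ABZ (%system%\\ttkyii.dll)"),
]

RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
POLICY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# Startup values described above: (pattern on the value name, pattern on its target path).
RUN_VALUE_PATTERNS = [
    (re.compile(rf"^lphc{SUFFIX}$", re.I), re.compile(rf"\\lphc{SUFFIX}\.exe$", re.I)),
    (re.compile(rf"^SMrhc{SUFFIX}$", re.I), re.compile(rf"\\rhc{SUFFIX}\.exe$", re.I)),
]

# Policy values the malware sets to 1 to lock the wallpaper and screensaver pages.
LOCKOUT_VALUES = ("NoDispBackgroundPage", "NoDispScrSavPage")


def scan_files(paths: List[str]) -> List[str]:
    """Return one finding per path that matches a listed file artefact."""
    findings = []
    for path in paths:
        for pattern, label in FILE_PATTERNS:
            if pattern.search(path):
                findings.append(f"{label}: {path}")
    return findings


def scan_registry(registry: Dict[str, Dict[str, object]]) -> List[str]:
    """Check the Run key for the persistence entries and the policy key for the lockouts."""
    findings = []
    for name, data in registry.get(RUN_KEY, {}).items():
        for name_re, target_re in RUN_VALUE_PATTERNS:
            if name_re.match(name) and target_re.search(str(data)):
                findings.append(f"startup entry {RUN_KEY}\\{name} -> {data}")
    policies = registry.get(POLICY_KEY, {})
    for value in LOCKOUT_VALUES:
        # DWORD data may arrive as int or as the string "1" from a .reg export.
        if str(policies.get(value)) == "1":
            findings.append(f"desktop lockout {POLICY_KEY}\\{value} = 1")
    return findings


# Constructed sample inventory, modelled on the example names given in the description.
SAMPLE_FILES = [
    r"C:\Program Files\rhctuhj0e535\rhctuhj0e535.exe",
    r"C:\WINDOWS\system32\lphcpuhj0e535.exe",
    r"C:\WINDOWS\system32\blphcpuhj0e535.scr",
    r"C:\WINDOWS\system32\phcpuhj0e535.bmp",
    r"C:\WINDOWS\system32\notepad.exe",  # benign, must not match
]
SAMPLE_REGISTRY = {
    RUN_KEY: {
        "lphcpuhj0e535": r"C:\WINDOWS\system32\lphcpuhj0e535.exe",
        "SMrhctuhj0e535": r"C:\Program Files\rhctuhj0e535\rhctuhj0e535.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",  # benign, must not match
    },
    POLICY_KEY: {"NoDispBackgroundPage": 1, "NoDispScrSavPage": 1},
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES) + scan_registry(SAMPLE_REGISTRY):
        print(finding)
```

The benign entries in the sample (notepad.exe, ctfmon.exe) are there to show that the prefixes are anchored on a path separator, so a legitimate name that merely contains "phc" or "rhc" is not reported; the Run-key check requires both the value name and its target to fit the described pattern before it raises a finding.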