
Trojan.FakeAlert.YF

MEDIUM
MEDIUM
150kB
(Trojan.Downloader.Fakealert.R)

Symptoms

An image appears on the desktop containing the following text:

Warning!
Spyware detected on your computer!
Install an antivirus or spyware remover to clean your computer.


Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Marusceac Claudiu Florin, virus researcher

Technical Description:

Description:

Trojan.FakeAlert.YF is a trojan that tricks the user into installing rogue security products.

Method of Infection:

When executed, Trojan.FakeAlert.YF drops three files in the %System% directory, with names composed of random letters and numbers (the names below are those seen in the analysed sample):
phc1soj0enfp.bmp
blphc1soj0enfp.scr
lphc1soj0enfp.exe

It adds the following registry entry to automatically execute itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lphc1soj0enfp = "lphc1soj0enfp.exe"

The trojan also creates and executes a VBS file in the %Temp% folder, with a filename of the form ".tt2.tmp.vbs", where the number is random.
The VBS file creates a System Restore point from the current, already infected, system state.

Then Trojan.FakeAlert.YF runs the screen saver (the Sysinternals Bluescreen screen saver), which is designed to mislead the user into believing their system has crashed:



Payload:

Changes the desktop background color to blue:
HKCU\Control Panel\Colors\Background = 0 0 255

Changes the wallpaper position to centered:
HKCU\Control Panel\Desktop\WallpaperStyle = 0
HKCU\Control Panel\Desktop\TileWallpaper = 0

Sets the dropped (bitmap image) file as the desktop wallpaper:
HKCU\Control Panel\Desktop\Wallpaper = "%System%\phc1soj0enfp.bmp"
HKCU\Control Panel\Desktop\OriginalWallpaper = "%System%\phc1soj0enfp.bmp"
HKCU\Control Panel\Desktop\ConvertedWallpaper = "%System%\phc1soj0enfp.bmp"
This image contains the text mentioned under Symptoms.

Executes the screen saver file:
HKCU\Control Panel\Desktop\SCRNSAVE.EXE = "%System%\blphc1soj0enfp.scr"

Activates the screen saver:
HKCU\Control Panel\Desktop\ScreenSaveActive = 1

Sets the screen saver idle timeout to 600 seconds (10 minutes):
HKCU\Control Panel\Desktop\ScreenSaveTimeOut = 600

Sets the registry value that lets the Sysinternals screen saver run without displaying its EULA:
HKCU\Software\Sysinternals\Bluescreen Screen Saver\EulaAccepted = 1

Prevents the user from opening the Background or Screen Saver tabs of the Display properties in the Control Panel:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage = 1
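An audit script for the registry indicators listed above, added here as an example (it is not BitDefender's disinfection tool and removes nothing). It assumes a Windows host and an elevated PowerShell session, and, because the dropped file names are random per infection, it matches the pattern of each indicator rather than the sample's exact names.

```powershell
# Audit for the Trojan.FakeAlert.YF indicators listed above (added example, not a BitDefender tool).
# Dropped file names are random per infection, so checks look for the pattern, not "phc1soj0enfp".
$System   = [Environment]::GetFolderPath('System')
$Desktop  = 'HKCU:\Control Panel\Desktop'
$Policies = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$Findings = New-Object System.Collections.Generic.List[string]

function Get-RegValue([string]$Path, [string]$Name) {
    # $null (instead of an error) when the key or value does not exist
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Screen saver hijack: forced on, 600 s timeout, Bluescreen EULA pre-accepted
if ((Get-RegValue $Desktop 'ScreenSaveActive') -eq '1' -and
    (Get-RegValue $Desktop 'ScreenSaveTimeOut') -eq '600') {
    $Findings.Add("ScreenSaveActive=1 with 600 s timeout; SCRNSAVE.EXE = $(Get-RegValue $Desktop 'SCRNSAVE.EXE')")
}
if ((Get-RegValue 'HKCU:\Software\Sysinternals\Bluescreen Screen Saver' 'EulaAccepted') -eq 1) {
    $Findings.Add('Sysinternals Bluescreen EulaAccepted=1 (fake-crash screen saver pre-approved)')
}

# Wallpaper hijack: bitmap inside %System%, blue background colour
foreach ($v in 'Wallpaper', 'OriginalWallpaper', 'ConvertedWallpaper') {
    $wp = Get-RegValue $Desktop $v
    if ($wp -and $wp -like "$System\*.bmp") { $Findings.Add("$v points into %System%: $wp") }
}
if ((Get-RegValue 'HKCU:\Control Panel\Colors' 'Background') -eq '0 0 255') {
    $Findings.Add('Desktop background colour forced to blue (0 0 255)')
}

# Display Properties lockout
foreach ($p in 'NoDispBackgroundPage', 'NoDispScrSavPage') {
    if ((Get-RegValue $Policies $p) -eq 1) { $Findings.Add("Policy $p=1 (Display tab hidden)") }
}

# Run-key persistence: a bare executable name that resolves into %System%
$run = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
foreach ($prop in @($run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
    $val = [string]$prop.Value
    if ($val -match '^[A-Za-z0-9]+\.exe$' -and (Test-Path (Join-Path $System $val))) {
        $Findings.Add("Run entry '$($prop.Name)' = $val (bare name; file exists in %System%; review)")
    }
}

if ($Findings.Count -gt 0) { $Findings | ForEach-Object { "[!] $_" } }
else { '[ok] No Trojan.FakeAlert.YF registry indicators found.' }
```

Windows' own screen savers also live in %System%, so treat the SCRNSAVE.EXE value as context to review alongside the other findings rather than as proof on its own.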

Downloads and executes other trojan files:
The trojan contacts www.av-[removed]-2008.com and presents.avxp[removed].com, which host rogue antispyware products, and downloads the alleged security products in a very insidious way.
The setup applications are hidden in encrypted form inside GIF images, like the one shown below.



After downloading the image, the trojan extracts the obfuscated code from it and executes it; the resulting rogue product keeps nagging the victim about infections that do not exist on the system.
Hiding the executable inside an image is used to bypass firewall and gateway settings.
Only active monitoring of the local filesystem could detect an imminent infection.