Trojan.FakeAv.QF

MEDIUM
LOW
about 1 MB

Symptoms

1. A rogue antivirus program called "Total Security 2009" that runs at system startup.
2. New applications are killed with the message "Application cannot be executed. The file [File Name] is infected. Please activate your antivirus software."
3. A process with a random 8-digit name (such as 11705314).
4. The file "c:\Documents and Settings\All Users\Application Data\[Rnd8]\[Rnd8].exe", where [Rnd8] is the 8 random digits from point (3).
5. A desktop shortcut and a Start menu entry are added by some variants.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Horea Coroiu, virus researcher

Technical Description:

This is a generic detection for a series of Rogue AV programs called "Total Security 2009" (a play on one of Bitdefender's product names).
When first run, the malware copies itself to c:\Documents and Settings\All Users\Application Data\[Rnd8]\[Rnd8].exe and executes a batch script to delete the original file.
A registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[Rnd8] is created to ensure that it runs at system startup.
A pseudo-scan starts and the same hardcoded detections are presented to the user, regardless of the state of the system.
The user needs to pay in order to clean the so-called "infections".
"Total Security 2009" is quite aggressive in forcing the user to register. New processes are declared to be infected and killed instantly.
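
The persistence indicators described above (an 8-digit Run entry pointing at the [Rnd8]\[Rnd8].exe copy under All Users\Application Data) can be checked against an exported list of Run entries. The following is an added example, not Bitdefender's detection logic; the function names and the sample entries are constructed for illustration, and it assumes the same 8 digits are used for the Run entry name, the folder and the file.

```python
import re

# Path layout from the description: ...\All Users\Application Data\[Rnd8]\[Rnd8].exe
DROP_PATH = re.compile(
    r"\\all users\\application data\\(\d{8})\\(\d{8})\.exe$",
    re.IGNORECASE,
)
RUN_NAME = re.compile(r"^\d{8}$")

# Constructed sample of (Run entry name, command line) pairs, not real telemetry.
SAMPLE_RUN_ENTRIES = [
    ("11705314", r'"c:\Documents and Settings\All Users\Application Data\11705314\11705314.exe"'),
    ("SoundMan", r"C:\WINDOWS\SOUNDMAN.EXE"),
    ("20090101", r"C:\Program Files\Backup\20090101.exe /quiet"),
    ("48213377", r"C:\Documents and Settings\All Users\Application Data\48213377\48213377.exe -s"),
]


def image_path(command):
    """Return the executable path from a Run command line, without quotes or arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted: cut at the first ".exe" so paths containing spaces survive.
    idx = command.lower().find(".exe")
    return command[: idx + 4] if idx != -1 else command


def score_run_entry(name, command):
    """Return which indicators from the write-up a single Run entry matches."""
    hits = []
    if RUN_NAME.match(name):
        hits.append("run-name-8-digits")
    m = DROP_PATH.search(image_path(command).replace("/", "\\"))
    if m and m.group(1) == m.group(2):  # folder and file share the same digits
        hits.append("drop-path")
        if m.group(1) == name:
            hits.append("name-matches-path")
    return hits


def suspicious(entries):
    """Names of entries matching all three indicators; an 8-digit name alone is not enough."""
    return [name for name, cmd in entries if len(score_run_entry(name, cmd)) == 3]


if __name__ == "__main__":
    for name in suspicious(SAMPLE_RUN_ENTRIES):
        print("review Run entry:", name)
```

Requiring all three indicators keeps legitimate programs that merely have numeric names out of the results.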