Trojan.Downloader.FakeAlert.DK
SYMPTOMS:
 - presence of the files Documents and Settings\[user-name]\Application Data\seres.exe and Documents and Settings\[user-name]\Application Data\svcst.exe
 - presence of registry values (under the Run key) pointing to the files described above: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\mserv and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svchost
 - scareware messages popping up on the screen

TECHNICAL DESCRIPTION:
This is a piece of malware with a single purpose: downloading fake-AV applications onto the victim's computer. When executed, it performs the following actions:
 - unpacks its main body, which resides inside the .data section
 - checks whether Antivirus Pro 2010 is already present on the machine, by looking for the key HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusPro_2010 and/or HKEY_CURRENT_USER\SOFTWARE\AntivirusPro_2010
 - copies itself into Documents and Settings\[user-name]\Application Data, as seres.exe and svcst.exe
 - adds two startup registry values inside HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, named mserv and svchost, pointing to seres.exe and svcst.exe respectively
 - executes svcst.exe
The new process then performs the following:
 - creates a new instance of the malware by running seres.exe
These two newly created processes act as each other's watchdog, making sure the malware keeps running on the attacked computer: if one of them is terminated, the other process re-launches it. For that reason both must be stopped in the same step during cleanup.
The infamous little red cross icon appears in the systray, and fake-alert notification messages are displayed from a separate thread running inside the malware: "Your computer is infected!", "Windows has detected spyware infection!", "It is recommended to use special antispyware tools to pervent data loss.Windows will now download and install the most up-to-date antispyware for you.", "Click here to protect your computer from spyware!".
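The symptoms and actions listed above translate directly into a host check. The script below is an added example written for this write-up, not BitDefender's code or tooling: it matches an observation of a host (files in the user's Application Data directory, the HKCU Run values, the AntivirusPro_2010 marker keys) against the artefacts named above, normalising the Run command lines so that quoted paths, trailing arguments and a %APPDATA% reference all compare correctly. The sample observations are constructed by hand, and the live collector is an assumption that only runs on Windows; on Windows XP %APPDATA% expands to the Documents and Settings\[user-name]\Application Data path given in the description.

```python
"""
Offline IOC check for the Trojan.Downloader.FakeAlert.DK artefacts described above.
Added example for this write-up; not BitDefender's code or tooling.
"""
import os
import sys
from dataclasses import dataclass, field

# Artefacts exactly as given in the write-up. On Windows XP %APPDATA% expands to
# C:\Documents and Settings\<user>\Application Data, i.e. the drop directory.
DROPPED_FILES = {"seres.exe", "svcst.exe"}
RUN_VALUES = {"mserv": "seres.exe", "svchost": "svcst.exe"}   # value name -> target
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEYS = [("HKLM", r"SOFTWARE\AntivirusPro_2010"),
               ("HKCU", r"SOFTWARE\AntivirusPro_2010")]


@dataclass
class Observation:
    """What a collector saw on one host (the samples below are constructed by hand)."""
    appdata: str                 # expanded %APPDATA% of the logged-on user
    appdata_files: set           # file names present in that directory
    run_values: dict             # HKCU\...\Run: value name -> command string
    marker_keys: set = field(default_factory=set)   # (hive, subkey) pairs found


def normalize_command(cmd: str, appdata: str) -> str:
    """Reduce a Run command line to its lower-cased executable path.
    Handles quoted paths, trailing arguments and a %APPDATA% reference."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]
    else:
        exe = cmd.split(" ", 1)[0]
    exe = exe.lower().replace("%appdata%", appdata.lower())
    return exe.replace("/", "\\")


def check(obs: Observation) -> dict:
    """Match one host's observation against the IOCs above; returns the findings."""
    present = {f.lower() for f in obs.appdata_files}
    run_values = {k.lower(): v for k, v in obs.run_values.items()}  # names are case-insensitive
    drop_dir = obs.appdata.lower().rstrip("\\")
    findings = {"files": [], "run_values": [], "marker_keys": sorted(obs.marker_keys)}

    for name in sorted(DROPPED_FILES & present):
        findings["files"].append(drop_dir + "\\" + name)

    for value_name, exe in RUN_VALUES.items():
        cmd = run_values.get(value_name)
        if cmd is not None and normalize_command(cmd, obs.appdata) == drop_dir + "\\" + exe:
            findings["run_values"].append(f"HKCU\\{RUN_KEY}\\{value_name} = {cmd}")

    findings["infected"] = bool(findings["files"] or findings["run_values"])
    # seres.exe and svcst.exe restart each other, so terminating one at a time is
    # futile: both must be suspended/terminated in the same step before cleanup.
    findings["kill_together"] = len(findings["run_values"]) == 2
    return findings


def collect_windows() -> Observation:
    """Live collector (assumption: only meaningful on the affected Windows host)."""
    if sys.platform != "win32":
        raise RuntimeError("registry collection needs Windows")
    import winreg
    appdata = os.environ["APPDATA"]
    run = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        idx = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, idx)
            except OSError:          # no more values under the key
                break
            run[name] = str(data)
            idx += 1
    markers = set()
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    for hive, sub in MARKER_KEYS:
        try:
            winreg.CloseKey(winreg.OpenKey(hives[hive], sub))
            markers.add((hive, sub))
        except OSError:
            pass
    return Observation(appdata, set(os.listdir(appdata)), run, markers)


# Constructed samples mirroring the symptoms above (not captured from a real host).
SAMPLE_INFECTED = Observation(
    appdata=r"C:\Documents and Settings\user\Application Data",
    appdata_files={"seres.exe", "svcst.exe", "Microsoft"},
    run_values={"mserv": r'"C:\Documents and Settings\user\Application Data\seres.exe"',
                "svchost": r"%APPDATA%\svcst.exe"},
    marker_keys={("HKCU", r"SOFTWARE\AntivirusPro_2010")},
)
SAMPLE_CLEAN = Observation(
    appdata=r"C:\Documents and Settings\user\Application Data",
    appdata_files={"Microsoft"},
    run_values={"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
)

if __name__ == "__main__":
    obs = collect_windows() if sys.platform == "win32" else SAMPLE_INFECTED
    for k, v in check(obs).items():
        print(f"{k}: {v}")
```

Run it on the infected host to list the dropped files and Run values before cleanup; the kill_together flag is a reminder that the two watchdog processes have to be stopped together, otherwise the survivor simply relaunches the one you killed.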
Obviously, the downloaded "antispyware" software is nothing but Antivirus Pro 2010, a fake security application. It is fetched from one of the following sources and saved as Documents and Settings\[user-name]\Application Data\lizkavd.exe or as %windir%\Application Data\lizkavd.exe:
 - hxxp://[removed]dferbotario.com/X1j0uHc5Htr8Lw0i4Wv6Jz7Ha
 - hxxp://[removed]erhpabewuit.com/id1Ci0j5t8yv0MsB4D6O7Tn
 - hxxp://[removed]torswabure.com/byK1aKH0a5afM8om0mwB4/6fa7K
 - hxxp://[removed]bunerkadosa.com/SYp1Bt0M5h8oL0Ta4One6Qnc7Gs
 - hxxp://[removed]amerkafdolo.com/id1F0x5UUG8xsY0u4pFq6X7pi
 - hxxp://[removed]rtugabusrav.com/Y1Zh0s5Ske8p0pi4bAR6OT7O
 - hxxp://[removed]ertaguboert.com/YLz1T0fC5VaT8fb0X4AH6op7Y
 - hxxp://[removed]okaveanubares.com/LVN1GL0Pu5RwQ8RK0WeT4j6Ifj7oJX
 - hxxp://[removed]ropihdertan.com/w1W0sT5wM8V0SUs4tU6AB7zOc
Behind each of these links lies the same executable file (currently detected as Trojan.FakeAV.UO), which is installed on the affected computer once downloaded.
Note: [user-name] represents the actual user name of the logged-on user.

Removal instructions:
Please let BitDefender disinfect your files.

ANALYZED BY: Lutas Andrei Vlad, virus researcher