Trojan.FakeAlert.BKD (Trojan:Win32/Winwebsec, Win32/Adware.SystemSecurity, Win32:FakeAlert-CR)
SYMPTOMS:

The presence of:

%c_appdata%\[random number]\[random number].exe
%c_appdata%\[random number]\pc[random number]ins
HKLM\SOFTWARE\[random number]\pc[random number]ins

and shortcuts to "Total Security 2009" on the desktop and in the Startup menu. The wallpaper changes and different messages that alert the user of infections appear on the running PC.

TECHNICAL DESCRIPTION:

Once executed, it copies itself to %c_appdata%\[random number]\[random number].exe and deletes the original file. It also creates a file in the same directory with the name pc[random number]ins and a registry key that will allow the application to run on system startup in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[random number]. It creates a registry key in HKLM\SOFTWARE\[random number]\pc[random number]ins and sets its value to 1.

This rogue antivirus claims to scan your computer, but it only displays false infections in order to trick the user into buying the full version of the software. As a new addition to the increasing arsenal of ways to trick the user, this rogue will close any new application started except for Internet Explorer so the user might buy the product.

This rogue antivirus is detected by our engines as Trojan.FakeAlert.BKD but it is possible that we detect it with different names since it is packed with different packers.

%c_appdata% translates to C:\Documents and Settings\All Users\Application Data on a PC running Windows XP.

Removal instructions: Please let BitDefender disinfect your files.

ANALYZED BY: Stefan Catalin Hanu, virus researcher
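
The file and registry indicators listed under SYMPTOMS and TECHNICAL DESCRIPTION can be turned into a triage check over an exported autorun, registry and file inventory. The sketch below is an added example, not BitDefender's detection logic; it assumes "[random number]" means a run of decimal digits, and the function name, finding labels and sample inventory are constructed for illustration.

```python
import re

# %c_appdata% on Windows XP, as given on the page.
APPDATA = r"C:\Documents and Settings\All Users\Application Data"
# Assumption: "[random number]" means a run of ASCII decimal digits.
_BASE = re.escape(APPDATA)
_FLAGS = re.I | re.A
DROPPED_EXE = re.compile(_BASE + r"\\\d+\\\d+\.exe", _FLAGS)
MARKER_FILE = re.compile(_BASE + r"\\\d+\\pc\d+ins", _FLAGS)
MARKER_REG = re.compile(r"HKLM\\SOFTWARE\\\d+\\pc\d+ins", _FLAGS)
NUMERIC = re.compile(r"\d+", re.A)

def triage(run_values, reg_paths, files):
    """Return (kind, item) findings.
    run_values: {value name: command} read from HKLM\\...\\CurrentVersion\\Run
    reg_paths, files: iterables of full registry / file paths."""
    findings = []
    for name, cmd in run_values.items():
        # Autorun: numeric value name launching the numeric-named copy.
        if NUMERIC.fullmatch(name) and DROPPED_EXE.match(cmd.strip().lstrip('"')):
            findings.append(("run-key", name))
    for path in reg_paths:
        if MARKER_REG.fullmatch(path):
            findings.append(("marker-registry", path))
    for path in files:
        if DROPPED_EXE.fullmatch(path):
            findings.append(("dropped-exe", path))
        elif MARKER_FILE.fullmatch(path):
            findings.append(("marker-file", path))
    return findings

# Constructed sample inventory (not taken from a real host).
SAMPLE_RUN = {
    "55120934": APPDATA + r"\83920175\40117326.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
SAMPLE_REG = [r"HKLM\SOFTWARE\83920175\pc83920175ins",
              r"HKLM\SOFTWARE\Microsoft\Windows NT"]
SAMPLE_FILES = [APPDATA + r"\83920175\40117326.exe",
                APPDATA + r"\83920175\pc83920175ins",
                APPDATA + r"\Adobe\setup.exe"]

if __name__ == "__main__":
    for kind, item in triage(SAMPLE_RUN, SAMPLE_REG, SAMPLE_FILES):
        print(f"{kind:16} {item}")
```

Because the page notes the sample is repacked with different packers, these location and naming patterns are more stable to match on than file hashes; a hit is a lead for investigation, not proof of infection.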


