
Trojan.FakeAV.XP

MEDIUM
HIGH
approx. 200 KB
(Mal/EncPk-LH)

Symptoms

The user receives messages reporting false infections on the computer in order to push them into activating (buying) the fake antivirus product. The rogue antivirus resembles the program suite of the operating system, and on installation of the malware the user can notice the following image:


The malware also creates the file %CommonAppData%\[RandomString]\[RandomString].exe. Another noticeable sign of infection is the folder %AppData%\Enterprise Suite.


* A typical path for %CommonAppData% is C:\Documents and Settings\All Users\Application Data.

* A typical path for %AppData% is C:\Documents and Settings\[UserName]\Application Data.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Daniel Chipiristeanu, virus researcher

Technical Description:

The malware is a fake antivirus product that relies on pop-ups reporting false detections on the system, pressuring the user into buying the software to get rid of infections that are not there.

When installed, the picture shown above appears, imitating the operating system's programs. The malware makes a copy of itself in the %Temp% folder (e.g. C:\Documents and Settings\[UserName]\Local Settings\Temp) and creates the folder %CommonAppData%\[RandomString], in which it stores the rogue antivirus.


The malware modifies the hosts file (%System%\drivers\etc\hosts) so that each of the sites listed below resolves to the address of a well-known search engine instead of its real server; note that the list includes reputation services (safebrowsing-cache.google.com, urs.microsoft.com), which prevents the browser from looking up the rogue product's own sites. The modified entries are:

74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 privatesecuredpayments.com
74.125.45.100 secure.privatesecuredpayments.com
74.125.45.100 getantivirusplusnow.com
74.125.45.100 secure-plus-payments.com
74.125.45.100 www.getantivirusplusnow.com
74.125.45.100 www.secure-plus-payments.com
74.125.45.100 www.getavplusnow.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
74.125.45.100 www.securesoftwarebill.com
74.125.45.100 secure.paysecuresystem.com
74.125.45.100 paysoftbillsolution.com
74.125.45.100 protected.maxisoftwaremart.com

It creates a startup registry value "Enterprise Suite" in the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run in order to run every time the operating system starts.
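The following added example (not part of the original Bitdefender description) shows how a responder can triage a hosts file for the kind of tampering described above: it parses the file, ignores the normal loopback lines, and flags both a single non-loopback address that has many hostnames pinned to it and any redirect of a reputation-service domain. The threshold of five hostnames per address and the sample file contents are assumptions made for the example.

```python
import ipaddress

# Domains from the page's list whose hijacking disables browser/OS reputation lookups.
PROTECTIVE_DOMAINS = {"safebrowsing-cache.google.com", "urs.microsoft.com"}

def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # malformed address, not a usable mapping
        entries.extend((ip, host.lower()) for host in parts[1:])
    return entries

def find_hijacks(text, max_hosts_per_ip=5):
    """Flag entries that pin many hostnames to one non-loopback address (assumed
    threshold), and any entry that redirects a protective (reputation-service) domain."""
    by_ip = {}
    for ip, host in parse_hosts(text):
        if ipaddress.ip_address(ip).is_loopback:
            continue  # the usual 127.0.0.1 / ::1 localhost lines are benign
        by_ip.setdefault(ip, []).append(host)
    report = {"protective_redirects": [], "mass_redirects": {}}
    for ip, hosts in by_ip.items():
        for host in sorted(set(hosts) & PROTECTIVE_DOMAINS):
            report["protective_redirects"].append((ip, host))
        if len(hosts) > max_hosts_per_ip:
            report["mass_redirects"][ip] = len(hosts)
    return report

# Constructed sample: a subset of the page's modified entries plus the default localhost line.
SAMPLE_HOSTS = """# sample header comment
127.0.0.1 localhost
74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 getantivirusplusnow.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
74.125.45.100 secure.paysecuresystem.com
"""

if __name__ == "__main__":
    print(find_hijacks(SAMPLE_HOSTS))
```

On a live system the same function can be pointed at the contents of %System%\drivers\etc\hosts; a clean file yields an empty report.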