Trojan.Win32.FakeAV.doq
| Detected | Aug 25 2010 12:13 GMT |
| Released | Aug 25 2010 23:20 GMT |
| Published | Mar 23 2011 12:06 GMT |
This Trojan imitates an antivirus program in order to charge the user for the detection and removal of threats that do not exist. It is a Windows application (PE EXE file), 1 039 872 bytes in size, written in C++.
Once launched, the Trojan moves its original file and saves it as:
%USERPROFILE%\Local Settings\Application Data\<rnd>.exe
where <rnd> is a random decimal number.
Every time it is launched, the Trojan creates the following value in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"<name of original Trojan file>" = "%USERPROFILE%\Local Settings\Application Data\<rnd>.exe"
This ensures that the Trojan is launched automatically the next time the system is started. Windows deletes a RunOnce value after it has been executed once, but because the Trojan writes the value again on every launch, the result is persistent autostart.
The Trojan also creates the following shortcut:
%USERPROFILE%\Start Menu\Programs\Security Tool.lnk
The shortcut points to the object:
%USERPROFILE%\Local Settings\Application Data\<rnd>.exe
Once launched, the Trojan simulates a scan of the computer's file system and displays information about non-existent threats.
When the user tries to remove the threats it has displayed, the Trojan asks them to activate the program.
The user is then directed to sites where they are asked to enter credit card details in order to purchase a license (domain names partly masked on the original page):
defe***tgate.com
secu***soft.com
While it is running, the Trojan prevents new processes from starting: when it detects a newly launched process, it terminates that process and displays a warning window.
212.***.107.202
If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it. Because the Trojan terminates any newly started process while it is running, carry out these steps from an environment in which it is not running (for example Safe Mode); the dropped executable cannot be deleted while its process is active.
1. Delete the following files:
%USERPROFILE%\Local Settings\Application Data\<rnd>.exe
%USERPROFILE%\Start Menu\Programs\Security Tool.lnk
2. Delete the following registry value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"<name of original Trojan file>" = "%USERPROFILE%\Local Settings\Application Data\<rnd>.exe"
MD5: D7F29FBD718066B0112AF79FDC656D67
SHA1: BD796ED40EC3AAB01A36E97D46F47377A0028917
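The indicators above (the <rnd>.exe drop in Local Settings\Application Data, the RunOnce value pointing at it, the Security Tool.lnk shortcut, and the file hashes and size) can be checked mechanically before removal. The script below is an added example and is not Kaspersky's tooling or part of the original description. It works offline: the registry side is read from the text that `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce` prints (the sample output embedded here is constructed, including the value name install.exe and the user name alice), and the file side is a directory walk over a throwaway profile layout that `demo()` builds and deletes. The dummy 3145629.exe it writes is not the real sample, so it is graded by name pattern only; on a real system a match on both hashes identifies the analysed file exactly, while a name match alone is a weak indicator.

```python
import hashlib
import os
import re
import shutil
import tempfile

# Indicators taken from the description above.
KNOWN_MD5 = "d7f29fbd718066b0112af79fdc656d67"
KNOWN_SHA1 = "bd796ed40ec3aab01a36e97d46f47377a0028917"
KNOWN_SIZE = 1039872
SHORTCUT_NAME = "Security Tool.lnk"
# Dropped copy: <random decimal number>.exe inside Local Settings\Application Data.
DROP_NAME = re.compile(r"^\d+\.exe$", re.IGNORECASE)
DROP_PATH = re.compile(r"\\Local Settings\\Application Data\\\d+\.exe$", re.IGNORECASE)


def suspicious_runonce_values(reg_query_output):
    """Parse the text printed by `reg query HKCU\\...\\RunOnce` and return
    (value_name, data) pairs whose data points at <digits>.exe in
    Local Settings\\Application Data. Columns are separated by runs of spaces."""
    hits = []
    for line in reg_query_output.splitlines():
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) != 3:
            continue  # key header line or blank line
        name, _type, data = parts
        if DROP_PATH.search(data):
            hits.append((name, data))
    return hits


def scan_drop_dir(app_data_dir):
    """Hash every <digits>.exe in app_data_dir and grade it against the known sample."""
    findings = []
    for name in sorted(os.listdir(app_data_dir)):
        if not DROP_NAME.match(name):
            continue
        path = os.path.join(app_data_dir, name)
        with open(path, "rb") as f:
            blob = f.read()
        md5 = hashlib.md5(blob).hexdigest()
        sha1 = hashlib.sha1(blob).hexdigest()
        if md5 == KNOWN_MD5 and sha1 == KNOWN_SHA1:
            verdict = "known sample"              # exact match with the analysed file
        elif len(blob) == KNOWN_SIZE:
            verdict = "same size, hash differs"   # worth submitting for analysis
        else:
            verdict = "name pattern only"         # weak indicator on its own
        findings.append({"path": path, "size": len(blob), "md5": md5,
                         "sha1": sha1, "verdict": verdict})
    return findings


def shortcut_present(start_menu_programs_dir):
    """True if the Start Menu shortcut the Trojan creates exists."""
    return os.path.isfile(os.path.join(start_menu_programs_dir, SHORTCUT_NAME))


# Constructed `reg query` output: one entry shaped like the Trojan's, one unrelated.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    install.exe    REG_SZ    C:\Documents and Settings\alice\Local Settings\Application Data\3145629.exe
    Updater    REG_SZ    C:\Program Files\Example\updater.exe
"""


def demo():
    """Build a throwaway profile layout with a dummy <digits>.exe and the shortcut,
    run all three checks, and return their results."""
    profile = tempfile.mkdtemp(prefix="fakeav-demo-")
    try:
        app_data = os.path.join(profile, "Local Settings", "Application Data")
        programs = os.path.join(profile, "Start Menu", "Programs")
        os.makedirs(app_data)
        os.makedirs(programs)
        with open(os.path.join(app_data, "3145629.exe"), "wb") as f:
            f.write(b"MZ" + b"\0" * 62)  # dummy bytes, not the real sample
        open(os.path.join(programs, SHORTCUT_NAME), "wb").close()
        return {
            "runonce": suspicious_runonce_values(SAMPLE_REG_QUERY),
            "files": scan_drop_dir(app_data),
            "shortcut": shortcut_present(programs),
        }
    finally:
        shutil.rmtree(profile, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a live system, point `scan_drop_dir` at the real %USERPROFILE%\Local Settings\Application Data and feed `suspicious_runonce_values` the output of `reg query`; as noted in the removal steps, do this from an environment in which the Trojan is not running, since it terminates newly started processes.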
Behaviour classification: Trojan
This type of behaviour covers malicious programs that delete, block, modify, or copy data, or disrupt computer or network performance, but which cannot be classified under any of the more specific behaviours in the classification.
This classification also covers "multipurpose" Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.