Trojan.Win32.FakeAV.eya

Detected Sep 07 2010 17:09 GMT
Released Sep 07 2010 23:30 GMT
Published Oct 26 2010 12:18 GMT

Technical Details

This Trojan poses as an anti-virus program in order to extract payment from the user for the detection and removal of non-existent threats. It is a Windows application (PE EXE file). It is 1 134 592 bytes in size. It is written in C++.

Installation

Once launched, the Trojan moves its body into the following file:

%USERPROFILE%\Local Settings\Application Data\<rnd>.exe
where <rnd> is a random six-digit decimal number.

To ensure that the copy is launched automatically each time the system is rebooted, the following system registry entries are created:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"<rnd>" = ""%USERPROFILE%\Local Settings\Application Data\<rnd>.exe" 0 47"

[HKU\S-1-5-21-606747145-1060284298-839522115-1003\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"<rnd>" = ""%USERPROFILE%\Local Settings\Application Data\<rnd>.exe" 0 47"

The Trojan then displays the following message:

The Trojan then launches the previously created copy and terminates.


Payload

Once launched, the Trojan performs the following actions:

  • It modifies the following system registry key values:
    [HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
    "ProxyEnable" = "0"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "MigrateProxy" = "1"
    "ProxyEnable" = "0"

  • It deletes the following values from the registry key:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyServer"
    "ProxyOverride"
    "AutoConfigURL"

    These changes alter Internet Explorer's proxy server settings.
  • The Trojan simulates a computer file system scan and displays information about false threats. It also displays a message stating that program updates are available:

  • When a false scan has been completed, a click on the "Remove" button opens the program activation window:

  • When the user clicks on "Activate Security Tool", the license purchase window opens:

    This new window opens over the top of other windows and takes up the entire working area of the screen. The Trojan intercepts the input focus and places it in this window.
  • When the user attempts to launch the Task Manager, Registry Editor or the system command interpreter, the Trojan terminates those utilities' processes and displays the following messages:

  • As part of its operations, the Trojan displays the following messages in the notification area:

  • This Trojan can update itself by connecting to the server:
    77.***.124
    


Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

1. Reboot the computer in Safe Mode (at the start of the boot sequence, press and hold F8, then choose Safe Mode from the Windows boot menu).
2. Delete the following file:
   %USERPROFILE%\Local Settings\Application Data\<rnd>.exe
3. Delete the following system registry keys (see What is a system registry and how do I use it?):
   [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
   "<rnd>" = ""%USERPROFILE%\Local Settings\Application Data\<rnd>.exe" 0 47"

   [HKU\S-1-5-21-606747145-1060284298-839522115-1003\Software\Microsoft\Windows\CurrentVersion\RunOnce]
   "<rnd>" = ""%USERPROFILE%\Local Settings\Application Data\<rnd>.exe" 0 47"

4. Restore the original system registry key values (see What is a system registry and how do I use it?):
   [HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
   "ProxyEnable"

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
   "MigrateProxy"
   "ProxyEnable"

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
   "ProxyServer"
   "ProxyOverride"
   "AutoConfigURL"

5. Empty the Temporary Internet Files directory, which may contain infected files (see How to delete infected files from Temporary Internet Files folder?).
6. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).


MD5: 1557EF468DBDA9E0A917571CFCDFD2CF
SHA1: FC1598BBE28EA47C1B361EAD8AF3CCD395298866
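As an added illustration (not part of the original entry), the Python below parses a constructed .reg export and flags RunOnce entries that match the persistence pattern described in the Installation section: a random six-digit value name, an EXE of the same name under Local Settings\Application Data, and the arguments "0 47". It is the check a responder would run before steps 2 and 3 above; the sample data, the value name 532871 and the function names are assumptions.

```python
import re

# Constructed sample of a .reg export (not captured from a real host). The two "532871" entries
# reproduce the persistence pattern described above; "Updater" is a benign control that must not match.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Updater"="\"C:\\Program Files\\Vendor\\updater.exe\" /silent"
"532871"="\"%USERPROFILE%\\Local Settings\\Application Data\\532871.exe\" 0 47"

[HKEY_USERS\S-1-5-21-606747145-1060284298-839522115-1003\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"532871"="\"%USERPROFILE%\\Local Settings\\Application Data\\532871.exe\" 0 47"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Quoted EXE named <six digits>.exe under Local Settings\Application Data, followed by the arguments "0 47".
FAKEAV_RE = re.compile(r'^"(?P<path>.*\\Local Settings\\Application Data\\(?P<name>\d{6})\.exe)" 0 47$', re.IGNORECASE)

def unescape(s):
    # .reg strings escape backslash and double quote with a backslash; drop the escaping backslash.
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Return {key_path: {value_name: value_data}} for the string values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[unescape(m.group(1))] = unescape(m.group(2))
    return keys

def find_fakeav_runonce(text):
    """Return (key, value name, EXE path) for RunOnce entries matching the FakeAV persistence pattern."""
    hits = []
    for key, values in parse_reg(text).items():
        if not key.lower().endswith('\\runonce'):
            continue
        for name, data in values.items():
            m = FAKEAV_RE.match(data)
            # As in the analysis above, the value name equals the six-digit name of the dropped EXE.
            if m and name == m.group('name'):
                hits.append((key, name, m.group('path')))
    return hits
```

Each hit gives the file to delete in step 2 and the registry entry to remove in step 3; on a live host the same functions can be fed the output of `reg export` for the RunOnce keys.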


Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.

