Proactive IT Security
 

W32/FakeAV

Threat risk

Threat risk low
Detection files published:
December 03, 2008
Description created:
2010-04-16
Description updated:
2010-04-16
Malware type:
Trojan
Alias:
Win32/Meredrop (Microsoft), FakeAlert (McAfee), Trojan.Fakeavalert (Symantec), Troj/FakeAV (Sophos), FraudTool.Win32.VirusRemover (Kaspersky Lab)
Spreading mechanism
Other, Webpage
Payload:
Disturb users and try to sell rouge software.

Summary

W32/FakeAV is a trojan that disguises itself as a legitimate antivirus program and displays various fake pop-up messages warning of infection. It may also download additional malware to the compromised system.

Spreading description

W32/FakeAV is a trojan that disguises itself as a legitimate antivirus program and displays various fake pop-up messages warning of infection. It may also download additional malware to the compromised system.

Installation

When file is executed, the trojan does the following system changes:

[Changes to file system]
 [Files created]
%Profile%\Start Menu\ Security Tool
%Profile%\Start Menu\ Security Tool \ Security Tool
%Profile%\Application Data\\.exe

[Changes to registry]

Values added-:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "46699135"
Type: REG_SZ
Data: C:\DOCUME~1\ALLUSE~1\APPLIC~1\46699135\46699135.exe

Values deleted-:
HKEY_CURRENT_USER\Control Panel\Desktop "Wallpaper"
Type: REG_SZ
Data: C:\WINDOWS\web\wallpaper\Bliss.bmp

[Network]
http://[Removed].com/buy2.php?affid=00000
http:// [Removed].com/in.php?affid=00000&url=5&win=Window

Removal

General information about removal of malicious software:

Norman’s antivirus products are in general able to remove all malicious software that is detected.
Some malware variants, however, use techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean the infection.

New Norman Malware Cleaner available in Net:

General information about removal of malicious software

Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiantly. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below - if your Norman antivirus is unable to clean-up the infection.

Usage Title Comment
  Stopping network share infectors  
  Cleaning of back-up folders on Windows Me and XP  
Print page