Proactive IT Security
 

W32/FakeSpyPro

Threat risk: low

Detection files published:
December 21, 2009
Description created:
2010-04-16
Description updated:
2010-04-16

Malware type:
Trojan
Alias:
FakeAlert (McAfee), Win32/FakeSpypro (Microsoft), Troj/FakeAV (Sophos), Win32.FraudPack (Kaspersky)
Spreading mechanism
Other, Webpage

Payload:
Downloads arbitrary files, disturbs users.

Summary

W32/FakeSpyPro is a rogue security program that falsely claims that the affected machine is infected with malware and encourages the user to buy a promoted product for cleaning the alleged malware from the computer.

Threat description

W32/FakeSpyPro is a rogue security program that falsely claims that the affected machine is infected with malware and encourages the user to buy a promoted product for cleaning the alleged malware from the computer.

Reports of rogue antivirus programs have become more prevalent as of late. These are programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software. Some of these programs display product names or logos in an apparently unlawful attempt to impersonate legitimate products.

W32/FakeSpyPro may be installed from the program's web site or by social engineering from third-party web sites.
 
When executed, W32/FakeSpyPro copies itself to %windir%\sysguard.exe and sets a registry entry to run itself at each system start:

Adds value: "system tool"
With data: "%windir%\sysguard.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

It drops a DLL component to "\iehelper.dll" and sets the following registry values to load the dropped DLL at Windows start and to register the DLL component as a BHO (Browser Helper Object):

Adds value: "(default)"
With data: "bho"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{C9C42510-9B21-41C1-9DCD-8382A2D07C61}

Adds value: "(default)"
With data: "\iehelper.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{C9C42510-9B21-41C1-9DCD-8382A2D07C61}\InProcServer32

Adds value: "(default)"
With data: "0"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9C42510-9B21-41C1-9DCD-8382A2D07C61}

It also creates the following registry subkey:
HKEY_CURRENT_USER\Software\AvScan
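As an added example (not Norman's own tooling), the following Python scans a Windows registry export (.reg text) for the persistence and BHO entries listed above: the Run value pointing at sysguard.exe, any key carrying the CLSID {C9C42510-9B21-41C1-9DCD-8382A2D07C61}, and the HKCU\Software\AvScan marker key. The sample export is constructed, and the directory of iehelper.dll in it is an assumption (the description gives only "\iehelper.dll").

```python
"""Flag the W32/FakeSpyPro registry artifacts listed above in a .reg export.
Added example (not Norman's tooling); the sample export below is constructed."""

BHO_CLSID = "{C9C42510-9B21-41C1-9DCD-8382A2D07C61}"  # from the description
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
AVSCAN_KEY = r"HKEY_CURRENT_USER\Software\AvScan"

# Constructed sample export; DLL location assumed (page gives only \iehelper.dll).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"system tool"="C:\\Windows\\sysguard.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C9C42510-9B21-41C1-9DCD-8382A2D07C61}]
@="bho"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C9C42510-9B21-41C1-9DCD-8382A2D07C61}\InProcServer32]
@="C:\\Windows\\iehelper.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9C42510-9B21-41C1-9DCD-8382A2D07C61}]
@="0"
[HKEY_CURRENT_USER\Software\AvScan]
"""

def parse_reg(text):
    """Return {key: {value_name: data}}; '@' is the '(default)' value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, data = line.split("=", 1)
            name = "(default)" if name == "@" else name.strip('"')
            # .reg exports double every backslash inside string data
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_fakespypro(text):
    """Return human-readable findings; an empty list means no artifact seen."""
    # Registry paths are case-insensitive, so compare everything lower-cased.
    reg = {k.lower(): v for k, v in parse_reg(text).items()}
    findings = []
    for name, data in reg.get(RUN_KEY.lower(), {}).items():
        if data.lower().endswith("\\sysguard.exe"):
            findings.append(f"Run value {name!r} starts {data}")
    for key in reg:
        if BHO_CLSID.lower() in key:
            findings.append(f"CLSID/BHO registration: {key}")
    if AVSCAN_KEY.lower() in reg:
        findings.append(f"Marker key present: {AVSCAN_KEY}")
    return findings
```

Run it over `reg export HKCU out.reg` / `reg export HKLM\SOFTWARE out2.reg` output from a suspect machine; an empty result means none of the listed artifacts were found, not that the machine is clean.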

Displays misleading messages and alerts
When the trojan’s executable—sysguard.exe—runs, it displays the following interface:

Removal

General information about removal of malicious software:

Norman’s antivirus products are in general able to remove all malicious software that is detected.
Some malware variants, however, use techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean the infection.

The latest Norman Malware Cleaner is available online:
