
Trojan.FakeAlert.ABZ


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Trojan.FakeAlert.ABZ is also known as Trojan.Win32.Buzus.ujy, W32/Dloadr.BQY!tr, Win32/TrojanDownloader.FakeAlert.HK, Troj/Agent-HNJ, FakeAlert-AB.

Explanation :

As the name says, the malware displays fake alerts and pushes rogue antivirus software (XP Antivirus) onto the affected computer.

It creates the following files (the list shows how the files are usually named; examples follow it):

* %Program Files%\rhc*
* %Program Files%\rhc*\MFC71.dll
* %Program Files%\rhc*\MFC71ENU.DLL
* %Program Files%\rhc*\Uninstall.exe
* %Program Files%\rhc*\database.dat
* %Program Files%\rhc*\license.txt
* %Program Files%\rhc*\msvcp71.dll
* %Program Files%\rhc*\msvcr71.dll
* %Program Files%\rhc*\rhc*.exe
* %Program Files%\rhc*\rhc*.exe.local
* %system%\blp*.scr
* %system%\lphc*.exe detected as Trojan.FakeAlert.ADA
* %system%\phc*.bmp
* %system%\pph*.exe detected as Trojan.FakeRemoval.A
* %system% tkyii.dll detected as Trojan.FakeAlert.ABZ

** Examples: for "rhc*" -> "rhcv2gj0e321", for "lph*" -> "lphcr2gj0e321", for "pph*" -> "pphcr2gj0e321", for "blp*" -> "blphcr2gj0e321", for "phc*" -> "phcr2gj0e321", etc.

The malware uses deceitful practices to trick the user into buying a rogue antivirus (XP Antivirus) by reporting false detections in its so-called "scan". It also replaces the wallpaper with an infection alarm and sets a screensaver (bluescreen.scr, from SysInternals) which can seem frightening to the user. Ironically, the customer is infected, but not with what the scanner's fake detections report.


It uses these registry values to run itself on startup:
In the key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" it creates the value "lph*" ("lphcpuhj0e535") that points to "%system%\lph*.exe" ("%system%\lphcpuhj0e535.exe").
In the same key, "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", it creates the value "SMr*" ("SMrhctuhj0e535") which points to "%programfiles%\rhc*" ("%programfiles%\rhctuhj0e535\rhctuhj0e535.exe").

It changes these registry settings so that the user cannot change the wallpaper or screensaver:
In the "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" key, it sets the value "NoDispBackgroundPage" to "1". In the same key, it sets the value "NoDispScrSavPage" to "1".
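The file names and registry values described above can be combined into a triage check. The following Python sketch is an added example, not BitDefender's code: it assumes the `*` wildcard stands for lowercase letters and digits (as in the page's examples), and the function `scan`, its inputs and the sample data are constructed for illustration.

```python
import ntpath
import re

# Assumption: "*" in the page's patterns is a run of lowercase letters/digits,
# as in its examples ("rhcv2gj0e321", "lphcpuhj0e535").
ID = r"[a-z0-9]{4,}"
FILE_RULES = [  # matched against the end of a lower-cased Windows path
    (re.compile(rf"\\rhc{ID}(\\[^\\]+)?$"), "rogue AV install folder"),
    (re.compile(rf"\\blp{ID}\.scr$"), "dropped screensaver"),
    (re.compile(rf"\\phc{ID}\.bmp$"), "dropped wallpaper"),
    (re.compile(rf"\\(lph|pph){ID}\.exe$"), "dropped executable"),
]
LOCK_VALUES = ("NoDispBackgroundPage", "NoDispScrSavPage")
# Constructed sample input, built from the example names given on the page.
SAMPLE_RUN = {"lphcpuhj0e535": r"C:\WINDOWS\system32\lphcpuhj0e535.exe",
              "SMrhctuhj0e535": r"C:\Program Files\rhctuhj0e535\rhctuhj0e535.exe",
              "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_POLICY = {"NoDispBackgroundPage": 1, "NoDispScrSavPage": 1}
SAMPLE_PATHS = [r"C:\WINDOWS\system32\blphcr2gj0e321.scr",
                r"C:\WINDOWS\system32\notepad.exe",
                r"C:\Program Files\rhcv2gj0e321\database.dat"]


def scan(run_values, policy_values, paths):
    """Return findings for Run-key values, policy values and file paths."""
    findings = []
    for name, data in run_values.items():
        key, target = name.lower(), data.strip('"').lower()
        stem = ntpath.splitext(ntpath.basename(target))[0]
        # "lph*" value whose name equals the executable it launches
        if re.fullmatch(rf"lph{ID}", key) and stem == key:
            findings.append(f"Run value {name} -> {data}")
        # "SMr*" value: "SM" followed by the rhc* folder name in its path
        elif re.fullmatch(rf"smrhc{ID}", key) and "\\" + key[2:] in target:
            findings.append(f"Run value {name} -> {data}")
    # Either value alone can be legitimate policy; flag only the pair.
    if all(str(policy_values.get(v)) == "1" for v in LOCK_VALUES):
        findings.append("wallpaper and screensaver pages both locked")
    for path in paths:
        for rule, label in FILE_RULES:
            if rule.search(path.lower()):
                findings.append(f"{label}: {path}")
                break
    return findings
```

Requiring the Run value name to agree with the path it launches, and both policy values to be set, keeps ordinary startup entries and single hardening settings from being flagged.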

Last update 21 November 2011

 
