
Trojan.FakeAV.XP


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.FakeAV.XP is also known as Mal/EncPk-LH.

Explanation:

The malware is a fake antivirus product that relies on pop-ups reporting false detections on the system, pressuring the user into buying the rogue software to remove infections that do not exist.

When installed, the window in the picture shown above appears, imitating the operating system's own programs. The malware makes a copy of itself in the %Temp% folder (e.g. C:\Documents and Settings\[UserName]\Local Settings\Temp) and creates a folder %CommonAppData%\[RandomString] in which it stores the rogue antivirus.



The malware modifies the hosts file (%System%\drivers\etc\hosts) so that each of the sites listed below resolves to the address of a known search engine's web page. The modified entries are:

74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 privatesecuredpayments.com
74.125.45.100 secure.privatesecuredpayments.com
74.125.45.100 getantivirusplusnow.com
74.125.45.100 secure-plus-payments.com
74.125.45.100 www.getantivirusplusnow.com
74.125.45.100 www.secure-plus-payments.com
74.125.45.100 www.getavplusnow.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
74.125.45.100 www.securesoftwarebill.com
74.125.45.100 secure.paysecuresystem.com
74.125.45.100 paysoftbillsolution.com
74.125.45.100 protected.maxisoftwaremart.com
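The hosts-file tampering above is one of the few artefacts of this infection that can be checked with a plain text parser. The following script is an added example written for this page, not BitDefender's code or a tool from the original write-up: it parses a Windows hosts file, flags any mapping whose hostname appears in the list above, and separately flags the two security-service endpoints (safebrowsing-cache.google.com, urs.microsoft.com) because pinning those in a hosts file breaks the browser's reputation lookups whatever address they point to. The sample hosts content embedded in the block is constructed for the demonstration.

```python
"""
Added detection example for the hosts-file changes described in the
Trojan.FakeAV.XP write-up (not code from the original page or vendor).
"""
import ipaddress
from collections import Counter

# Hostnames copied from the hosts entries listed in the write-up.
FAKEAV_HOSTS = {
    "4-open-davinci.com",
    "securitysoftwarepayments.com",
    "privatesecuredpayments.com",
    "secure.privatesecuredpayments.com",
    "getantivirusplusnow.com",
    "secure-plus-payments.com",
    "www.getantivirusplusnow.com",
    "www.secure-plus-payments.com",
    "www.getavplusnow.com",
    "safebrowsing-cache.google.com",
    "urs.microsoft.com",
    "www.securesoftwarebill.com",
    "secure.paysecuresystem.com",
    "paysoftbillsolution.com",
    "protected.maxisoftwaremart.com",
}

# Endpoints used by browser security features. A legitimate hosts file has
# no reason to override these, so any mapping at all is worth reporting.
SECURITY_ENDPOINTS = {"safebrowsing-cache.google.com", "urs.microsoft.com"}

# Constructed sample hosts file: two benign lines, three lines in the style
# of the write-up's entries, and one ordinary internal mapping.
SAMPLE_HOSTS = """\
# constructed sample hosts file for the example
127.0.0.1       localhost
::1             localhost
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 safebrowsing-cache.google.com   # added by malware
74.125.45.100 urs.microsoft.com
192.168.1.10    fileserver.corp.example
"""


def parse_hosts(text):
    """Return (line_no, ip, hostname) for every mapping in hosts-file text.

    Comments and blank lines are skipped, lines whose first token is not an
    IP address are ignored, and one line may map several hostnames.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not a mapping
        for name in parts[1:]:
            entries.append((line_no, parts[0], name.lower()))
    return entries


def find_fakeav_entries(text):
    """Return findings as (line_no, ip, hostname, reason) tuples."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        reasons = []
        if name in FAKEAV_HOSTS:
            reasons.append("hostname listed in the Trojan.FakeAV.XP write-up")
        if name in SECURITY_ENDPOINTS:
            reasons.append("security-service endpoint overridden in hosts file")
        if reasons:
            findings.append((line_no, ip, name, "; ".join(reasons)))
    return findings


def redirect_targets(findings):
    """Count findings per target IP so the common sink address stands out."""
    return Counter(ip for _, ip, _, _ in findings)


if __name__ == "__main__":
    hits = find_fakeav_entries(SAMPLE_HOSTS)
    for line_no, ip, name, reason in hits:
        print(f"line {line_no}: {ip} {name}  [{reason}]")
    print("redirect targets:", dict(redirect_targets(hits)))
```

To run it against a real system, read %System%\drivers\etc\hosts into a string and pass it to find_fakeav_entries; the per-IP summary from redirect_targets shows at a glance whether many unrelated hostnames have been pointed at a single address, which is the pattern this family leaves behind.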



It creates a startup registry value "Enterprise Suite" under the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run in order to run every time the operating system starts.

Last update 21 November 2011
