
Trojan.Fakealert.CAW


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.Fakealert.CAW is also known as Trojan:Win32/Winwebsec, SPR/Fake.stl.1126, Packed.Win32.Krap.gy.

Explanation:

The malware performs the following actions:

When first run, the malware creates a directory with an 8-digit random name in “%systemdrive%\Documents and Settings\All Users\Application Data”, where it places a copy of itself under the same random name (for example “C:\Documents and Settings\All Users\Application Data\67134122\67134122.exe”), along with a batch file that runs the newly created copy with the “install” parameter and deletes the original file. The batch file then deletes itself.
The malware then pops up an alert telling the user that they installed “Security Tool”, creates shortcuts pointing to itself on the desktop, in the Start menu and as a tray icon, and sets itself to run at startup by creating a new entry under the registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” that points to it.
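
The persistence layout described above can be turned into a triage check. The following is an added example, not BitDefender's code: it takes Run-key values exported from a host and flags any whose executable sits in an 8-digit directory under the All Users Application Data folder and carries the same 8-digit name. The function names, the sample value names and the assumption that %systemdrive% is C: are illustrative.

```python
import re
from pathlib import PureWindowsPath

# Drop location from the write-up, with %systemdrive% assumed to be C:.
BASE = PureWindowsPath(r"C:\Documents and Settings\All Users\Application Data")
EIGHT_DIGITS = re.compile(r"[0-9]{8}")


def exe_from_run_value(value):
    # Run data may be quoted and may carry arguments; return only the image path.
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", value, re.IGNORECASE)
    return m.group(1) if m else value


def matches_dropper_layout(path, base=BASE):
    # True for <base>/<8 digits>/<same 8 digits>.exe; Windows paths compare
    # case-insensitively, so differently cased variants also match.
    p = PureWindowsPath(path)
    folder = p.parent.name
    return (p.suffix.lower() == ".exe"
            and p.parent.parent == base
            and EIGHT_DIGITS.fullmatch(folder) is not None
            and p.stem == folder)


def suspicious_run_entries(run_values, base=BASE):
    # run_values maps Run value name -> command line, as exported from the key.
    return [name for name, data in run_values.items()
            if matches_dropper_layout(exe_from_run_value(data), base)]


# Constructed sample data (value names are made up; the page does not give one).
SAMPLE_RUN_VALUES = {
    "constructed-a": r"C:\WINDOWS\system32\ctfmon.exe",
    "constructed-b": r"C:\Documents and Settings\All Users\Application Data\67134122\67134122.exe",
    "constructed-c": r'"C:\Program Files\Vendor\update.exe" /background',
    "constructed-d": r'"c:\documents and settings\all users\application data\12345678\87654321.exe"',
}

if __name__ == "__main__":
    for name in suspicious_run_entries(SAMPLE_RUN_VALUES):
        print("review Run value:", name, "->", SAMPLE_RUN_VALUES[name])
```

A match is a lead for review rather than a verdict, since the check relies only on the naming pattern described here.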



After this, the malware tries to trick the user into believing that the computer is infected with various malware and that they need to register and buy the product for the cleanup. To achieve this, it displays various messages claiming that it found infected files on the computer.



After a restart, it hides desktop items and tries to close almost every application the user tries to open. If the user opens some internet browsers, it shows a firewall alert. After some time it escalates, intercepting keyboard and mouse events and displaying a screensaver with a fake “Blue Screen” while it tries to shut down the computer, fooling the victim into believing that the machine is seriously infected.




Throughout this time, it tries to send information about the infected machine to a remote server.

Last update 21 November 2011

 
