
Trojan:Win32/Cedel


First posted on 13 August 2010.
Source: SecurityHome

Aliases :

There are no other names known for Trojan:Win32/Cedel.

Explanation :

Trojan:Win32/Cedel is a trojan rogue antivirus program that imitates the Microsoft Malicious Software Removal Tool (MSRT). It displays fake alerts that the computer is infected and then redirects the user to a website to purchase the fake program.

Special Note:

Reports of rogue antivirus programs have been more prevalent as of late. These are programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software. Some of these programs may display product names or logos in an apparently unlawful attempt to impersonate Microsoft products. Use the Windows Live safety scanner, Microsoft Security Essentials, or another up-to-date scanning and removal tool to detect and remove these threats and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.

Installation

Trojan:Win32/Cedel may arrive on the computer as the following file:

  • %UserProfile%\mrtw.exe

[Image of the file's icon not reproduced here.]

It creates the following mutex:

  • Secure Billing Page

Trojan:Win32/Cedel creates the following registry modification so that it runs every time Windows starts:

  Adds value: "mrtw"
  With data: "%UserProfile%\mrtw.exe"
  In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Payload

Displays fake alerts

When executed, Trojan:Win32/Cedel displays an interface similar to the user interface of the legitimate Windows Update service. Its window title is "Microsoft Windows Malicious Software Removal Tool", in an attempt to imitate the legitimate MSRT from Microsoft. [Screenshots of the interfaces and of the misleading messages displayed by the malware are not reproduced here.]

The malware also attempts to masquerade as Windows Firewall; that interface is fake as well. If the user clicks "Enable Protection", they are taken to a webpage to purchase a program that supposedly removes the fake detections.

Modifies system security

Trojan:Win32/Cedel disables Windows Security Center alerts by modifying the following registry entries:

  Adds value: "AntiVirusDisableNotify"
  With data: "dword:00000001"
  Adds value: "FirewallDisableNotify"
  With data: "dword:00000001"
  Adds value: "UpdatesDisableNotify"
  With data: "dword:00000001"
  In subkey: HKLM\SOFTWARE\Microsoft\Security Center

It also marks .EXE files as a "low-risk" file type, which suppresses the Attachment Manager "Open File - Security Warning" prompt for downloaded executables:

  Adds value: "LowRiskFileTypes"
  With data: ".exe;"
  In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
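The following PowerShell script is an added example and is not part of the original entry or of any Microsoft tool. It checks a Windows host for the indicators listed above (the dropped file, the Run value, the Security Center notification values, the LowRiskFileTypes policy and the mutex) and, with the assumed -Remediate switch, reverts the registry changes and removes the file. It assumes it is run in the affected user's session (the mutex name has no Global\ prefix, so it is session-local) and elevated if the HKLM values are to be written back.

```powershell
# Added example, not from the original page: audit and optionally remediate the
# host-based indicators this entry lists for Trojan:Win32/Cedel.
# -Remediate is an assumed switch introduced here; reading the indicators needs no
# elevation, writing the HKLM Security Center values does.
[CmdletBinding()]
param([switch]$Remediate)

function Test-CedelIndicators {
    param([switch]$Remediate)
    $findings = @()

    # 1. Dropped file: %UserProfile%\mrtw.exe
    $mrtw = Join-Path $env:USERPROFILE 'mrtw.exe'
    if (Test-Path -LiteralPath $mrtw) {
        $findings += "File present: $mrtw"
        if ($Remediate) {
            Get-Process | Where-Object { $_.Path -eq $mrtw } |
                Stop-Process -Force -ErrorAction SilentlyContinue
            Remove-Item -LiteralPath $mrtw -Force
        }
    }

    # 2. Persistence: value "mrtw" under the per-user Run key
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runVal = Get-ItemProperty -Path $runKey -Name 'mrtw' -ErrorAction SilentlyContinue
    if ($runVal) {
        $findings += "Run value mrtw = $($runVal.mrtw)"
        if ($Remediate) { Remove-ItemProperty -Path $runKey -Name 'mrtw' }
    }

    # 3. Security Center alerts suppressed (each value set to 1)
    $scKey = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
        $v = (Get-ItemProperty -Path $scKey -Name $name -ErrorAction SilentlyContinue).$name
        if ($v -eq 1) {
            $findings += "$name = 1"
            if ($Remediate) { Set-ItemProperty -Path $scKey -Name $name -Value 0 -Type DWord }
        }
    }

    # 4. .exe added to the Attachment Manager low-risk list
    $assocKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'
    $lrft = (Get-ItemProperty -Path $assocKey -Name 'LowRiskFileTypes' -ErrorAction SilentlyContinue).LowRiskFileTypes
    if ($lrft -and ($lrft -split ';' | Where-Object { $_.Trim().ToLower() -eq '.exe' })) {
        $findings += "LowRiskFileTypes = $lrft"
        if ($Remediate) { Remove-ItemProperty -Path $assocKey -Name 'LowRiskFileTypes' }
    }

    # 5. Mutex "Secure Billing Page": only a running instance holds it, so this
    #    check is a liveness indicator rather than an artefact of past infection.
    $m = $null
    try {
        if ([System.Threading.Mutex]::TryOpenExisting('Secure Billing Page', [ref]$m)) {
            $findings += 'Mutex "Secure Billing Page" exists (sample is probably running)'
            $m.Dispose()
        }
    } catch [System.UnauthorizedAccessException] {
        $findings += 'Mutex "Secure Billing Page" exists but is not accessible'
    }

    return $findings
}

$result = Test-CedelIndicators -Remediate:$Remediate
if ($result.Count -eq 0) {
    Write-Output 'No Trojan:Win32/Cedel indicators found.'
} else {
    Write-Output 'Indicators found:'
    $result | ForEach-Object { Write-Output "  $_" }
}
```

Removing the LowRiskFileTypes value restores the default Attachment Manager behaviour; if the environment legitimately sets that policy through Group Policy, edit the list instead of deleting it. The mutex check is only meaningful in the same logon session as the sample, since an unprefixed mutex name lives in the session-local object namespace.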

    Analysis by Francis Allan Tan Seng

    Last update 13 August 2010
