
Trojan:Win32/FakeSecSen


First posted on 11 February 2009.
Source: SecurityHome

Aliases:

Trojan:Win32/FakeSecSen is also known as: Micro AV (other), MS Antivirus (other), Spyware Preventer (other), Vista Antivirus 2008 (other), Advanced Antivirus (other), System Antivirus (other), Ultimate Antivirus 2008 (other), Windows Antivirus 2008 (other), XPert Antivirus (other), Power Antivirus (other), Ultra AV (other), AntiVirus Sentry (other).

Explanation:

Trojan:Win32/FakeSecSen is a family of programs that claim to scan for malware and display fake warnings of “malicious programs and viruses”. They then inform the user that they need to pay money to register the software in order to remove these non-existent threats. Win32/FakeSecSen appears to be based on Program:Win32/SpySheriff.

Special Note:

Reports of rogue antivirus programs have become more prevalent recently. These are programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software. Some of these programs, such as Trojan:Win32/Antivirusxp and Program:Win32/FakeRednefed, may display product names or logos in an apparently unlawful attempt to impersonate Microsoft products. These products may represent themselves as “Antivirus XP”, “AntivirusXP 2008”, “WinDefender 2008”, “XP Antivirus”, or similar. Use Microsoft Windows Defender, the Windows Live safety scanner (http://onecare.live.com/site/en-us/default.htm), or another up-to-date scanning and removal tool to detect and remove these threats and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.

Symptoms

Symptoms vary among the different distributions of Win32/FakeSecSen; however, the presence of the following system changes (or similar) may indicate that this program is installed:

  • Presence of the following files, or similar (the "administrator" profile in the desktop paths reflects the analysis environment; on an infected host the shortcut is placed on the current user's desktop):
    %program_files%\vav\vav.cpl
    %program_files%\vav\vav.exe
    %program_files%\vav\vav.ooo
    %program_files%\vav\vav0.dat
    %program_files%\vav\vav1.dat
    c:\documents and settings\administrator\desktop\vista antivirus 2008.lnk
    %program_files%\spp\spp.exe
    %program_files%\spp\spp.ooo
    %program_files%\spp\spp1.dat
    c:\documents and settings\administrator\desktop\spyware preventer.lnk
    %program_files%\ms antivirus\msa0.dat
    %program_files%\ms antivirus\msa1.dat
    %program_files%\ms antivirus\msa.ooo
    %program_files%\ms antivirus\msa.exe
    %program_files%\ms antivirus\msa.cpl
    %program_files%\ms antivirus\ms antivirus.lnk
    %program_files%\microantivirus\microav0.dat
    %program_files%\microantivirus\microav1.dat
    %program_files%\microantivirus\microav.ooo
    %program_files%\microantivirus\microav.exe
    %program_files%\microantivirus\microav.cpl
    c:\documents and settings\administrator\desktop\microantivirus.lnk
  • Presence of the following registry modifications, or similar (for example):
    Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Antivirus"
    With data: "%program files%\VAV\vav.exe"

    Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Antivirus"
    With data: "%program files%\VAV\vav.exe"

    Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Antivirus"
    With data: "%program files%\SPP\SPP.exe"

    Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Antivirus"
    With data: "%program files%\SPP\SPP.exe"

    Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "ANTIVIRUS"
    With data: "%program files%\MS Antivirus\MSA.exe"

    Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "ANTIVIRUS"
    With data: "%program files%\MS Antivirus\MSA.exe"

    Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "ANTIVIRUS"
    With data: " %program files%\MicroAntivirus\microAV.exe"

    Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "ANTIVIRUS"
    With data: " %program files%\MicroAntivirus\microAV.exe"

    Under key: HKLM\SOFTWARE\Classes\.key
    Sets value: "(default)"
    With data: "0"
  • Display of the following images/dialogs, or similar (screenshots are not reproduced in this copy; see the per-variant examples below).

Like Win32/SpySheriff, Win32/FakeSecSen has been distributed under several different names. The user interface varies to reflect each variant's individual branding.

Installation

Win32/FakeSecSen usually installs six files. For example, when distributed as 'Micro AV', it installs the following:

microav.exe – the main executable; shows the fake “scanner” interface, an associated icon in the system tray, and other fake infection warnings (examples are shown below).
microav.cpl – a control panel applet; adds an entry to the control panel called, for example, “MS AV”, with the icon of the Windows Security Center. When run, it simply launches the main executable (microav.exe in this example).
microav0.dat and microav1.dat – these files contain the malware “detections” to report. No actual scanning is done; every entry in these DAT files is reported.
microav.ooo – a harmless file, usually only a few bytes long.
microantivirus.lnk – a desktop shortcut pointing to the main executable.

All of the files are installed into a directory under the user's program files directory (e.g. %program files%\MicroAntivirus), except for the shortcut, which is placed on the user's desktop. The .cpl file (in this example microav.cpl) is also copied to the <system folder>. Win32/FakeSecSen adds a registry entry to launch its main executable at system start, for example:

Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: " %program files%\MicroAntivirus\microAV.exe"

Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: " %program files%\MicroAntivirus\microAV.exe"

It also sets the following registry entry:

Under key: HKLM\SOFTWARE\Classes\.key
Sets value: "(default)"
With data: "0"

Examples

Please see below for additional examples of filenames, registry modifications, interfaces, fake alerts, false scanning results, icons and pop-ups used by this group of rogue antivirus programs. Note that while these programs may appear to be different, the differences are only superficial: the programs are essentially identical.

MS Antivirus

The following filenames may be used by Win32/FakeSecSen when distributed as 'MS Antivirus':
  • %program_files%\ms antivirus\msa0.dat
  • %program_files%\ms antivirus\msa1.dat
  • %program_files%\ms antivirus\msa.ooo
  • %program_files%\ms antivirus\msa.exe
  • %program_files%\ms antivirus\msa.cpl
  • %program_files%\ms antivirus\ms antivirus.lnk

The following registry modifications may be made by Win32/FakeSecSen when distributed as 'MS Antivirus':
Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%program files%\MS Antivirus\MSA.exe"

Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%program files%\MS Antivirus\MSA.exe"

Examples of interface, fake alerts, false scanning results, icons and pop-ups used by Win32/FakeSecSen when distributed as 'MS Antivirus':




Spyware Preventer

The following filenames may be used by Win32/FakeSecSen when distributed as 'Spyware Preventer':
  • %program_files%\spp\spp.exe
  • %program_files%\spp\spp.ooo
  • %program_files%\spp\spp1.dat
  • c:\documents and settings\administrator\desktop\spyware preventer.lnk

The following registry modifications may be made by Win32/FakeSecSen when distributed as 'Spyware Preventer':
Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Antivirus"
With data: "%program files%\SPP\SPP.exe"

Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Antivirus"
With data: "%program files%\SPP\SPP.exe"

Examples of interface, fake alerts, false scanning results, icons and pop-ups used by Win32/FakeSecSen when distributed as 'Spyware Preventer':

Vista Antivirus 2008

The following filenames may be used by Win32/FakeSecSen when distributed as 'Vista Antivirus 2008':
  • %program_files%\vav\vav.cpl
  • %program_files%\vav\vav.exe
  • %program_files%\vav\vav.ooo
  • %program_files%\vav\vav0.dat
  • %program_files%\vav\vav1.dat
  • c:\documents and settings\administrator\desktop\vista antivirus 2008.lnk

The following registry modifications may be made by Win32/FakeSecSen when distributed as 'Vista Antivirus 2008':
Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Antivirus"
With data: "%program files%\VAV\vav.exe"

Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Antivirus"
With data: "%program files%\VAV\vav.exe"

Examples of interface, fake alerts, false scanning results, icons and pop-ups used by Win32/FakeSecSen when distributed as 'Vista Antivirus 2008':




Advanced Antivirus

The following filenames may be used by Win32/FakeSecSen when distributed as 'Advanced Antivirus':
  • %program_files%\aav\aav1.dat
  • %program_files%\aav\aav.cpl
  • %program_files%\aav\aav.exe
  • %program_files%\aav\aav.ooo
  • c:\documents and settings\administrator\desktop\advanced antivirus.lnk

The following registry modifications may be made by Win32/FakeSecSen when distributed as 'Advanced Antivirus':
Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Antivirus"
With data: "%program files%\aav\aav.exe"

Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Antivirus"
With data: "%program files%\aav\aav.exe"

Examples of interface, fake alerts, false scanning results, icons and pop-ups used by Win32/FakeSecSen when distributed as 'Advanced Antivirus':





System Antivirus

The following filenames may be used by Win32/FakeSecSen when distributed as 'System Antivirus':
  • %program_files%\sav\sav.ooo
  • %program_files%\sav\sav0.dat
  • %program_files%\sav\sav1.dat
  • %program_files%\sav\sav.cpl
  • %program_files%\sav\sav.exe
  • c:\documents and settings\administrator\desktop\system antivirus 2008.lnk

The following registry modifications may be made by Win32/FakeSecSen when distributed as 'System Antivirus':
Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Antivirus"
With data: "%program files%\sav\sav.exe"

Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Antivirus"
With data: "%program files%\sav\sav.exe"

Examples of interface, fake alerts, false scanning results, icons and pop-ups used by Win32/FakeSecSen when distributed as 'System Antivirus':





Ultimate Antivirus 2008

The following filenames may be used by Win32/FakeSecSen when distributed as 'Ultimate Antivirus 2008':
  • %program_files%\uav\uav.ooo
  • %program_files%\uav\uav1.dat
  • %program_files%\uav\uav.cpl
  • %program_files%\uav\uav.exe
  • c:\documents and settings\administrator\desktop\ultimate antivirus 2008.lnk

The following registry modifications may be made by Win32/FakeSecSen when distributed as 'Ultimate Antivirus 2008':
Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%program files%\UAV\uav.exe"

Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%program files%\UAV\uav.exe"

Examples of interface, fake alerts, false scanning results, icons and pop-ups used by Win32/FakeSecSen when distributed as 'Ultimate Antivirus 2008':






Windows Antivirus 2008

The following filenames may be used by Win32/FakeSecSen when distributed as 'Windows Antivirus 2008':
  • %program_files%\wav\wav.ooo
  • %program_files%\wav\wav1.dat
  • %program_files%\wav\wav.cpl
  • %program_files%\wav\wav.exe
  • c:\documents and settings\administrator\desktop\windows antivirus 2008.lnk

The following registry modifications may be made by Win32/FakeSecSen when distributed as 'Windows Antivirus 2008':
Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%program files%\WAV\wav.exe"

Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%program files%\WAV\wav.exe"

Examples of interface, fake alerts, false scanning results, icons and pop-ups used by Win32/FakeSecSen when distributed as 'Windows Antivirus 2008':




XPert Antivirus

The following filenames may be used by Win32/FakeSecSen when distributed as 'XPert Antivirus':
  • %program_files%\xpa\xpa.cpl
  • %program_files%\xpa\xpa.exe
  • %program_files%\xpa\xpa.ooo
  • %program_files%\xpa\xpa0.dat
  • %program_files%\xpa\xpa1.dat
  • c:\documents and settings\administrator\desktop\xpert antivirus enterprise.lnk

The following registry modifications may be made by Win32/FakeSecSen when distributed as 'XPert Antivirus':
Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Antivirus"
With data: "%program files%\XPA\XPA.exe"

Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Antivirus"
With data: "%program files%\XPA\XPA.exe"

Examples of interface, fake alerts, false scanning results, icons and pop-ups used by Win32/FakeSecSen when distributed as 'XPert Antivirus':


Power Antivirus

The following filenames may be used by Win32/FakeSecSen when distributed as 'Power Antivirus':
  • %program_files%\PWA\PWA0.dat
  • %program_files%\PWA\PWA1.dat
  • %program_files%\PWA\PWA.cpl
  • %program_files%\PWA\PWA.exe
  • %program_files%\PWA\PWA.ooo
  • c:\documents and settings\administrator\desktop\power antivirus.lnk

or

  • %program_files%\pwx\pwx.cpl
  • %program_files%\pwx\pwx.exe
  • %program_files%\pwx\pwx.ooo
  • %program_files%\pwx\pwx1.dat
  • c:\documents and settings\administrator\desktop\power antivirus.lnk

The following registry modifications may be made by Win32/FakeSecSen when distributed as 'Power Antivirus':
Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Antivirus"
With data: "%program_files%\PWA\PWA.exe"

Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Antivirus"
With data: "%program_files%\PWA\PWA.exe"

or

Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Antivirus"
With data: "%program_files%\PWX\PWX.exe"

Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Antivirus"
With data: "%program_files%\PWX\PWX.exe"

Examples of interface, fake alerts, false scanning results, icons and pop-ups used by Win32/FakeSecSen when distributed as 'Power Antivirus':

Ultra Antivirus 2009

The following filenames may be used by Win32/FakeSecSen when distributed as 'Ultra Antivirus 2009':
  • %program_files%\UltraAV\UltraAV1.dat
  • %program_files%\UltraAV\UltraAV.cpl
  • %program_files%\UltraAV\UltraAV.exe
  • %program_files%\UltraAV\UltraAV.ooo
  • %program_files%\UltraAV\Uninstall.exe
  • %program_files%\UltraAV\UltraAV0.dat
  • c:\documents and settings\administrator\desktop\Ultra Antivirus 2009.lnk

The following registry modifications may be made by Win32/FakeSecSen when distributed as 'Ultra Antivirus 2009':
Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%Program Files%\UltraAV\UltraAV.exe"

Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%Program Files%\UltraAV\UltraAV.exe"

Examples of interface, fake alerts, false scanning results, icons and pop-ups used by Win32/FakeSecSen when distributed as 'Ultra Antivirus 2009':


AntiVirus Sentry

The following filenames may be used by Win32/FakeSecSen when distributed as 'AntiVirus Sentry':
  • %program_files%\AVS\avs1.dat
  • %program_files%\AVS\AVS.exe
  • %program_files%\AVS\AVS.ooo
  • c:\documents and settings\administrator\desktop\AntiVirus Sentry.lnk

The following registry modifications may be made by Win32/FakeSecSen when distributed as 'AntiVirus Sentry':
Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%Program Files%\AVS\AVS.exe"

Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%Program Files%\AVS\AVS.exe"

Examples of interface, fake alerts, false scanning results, icons and pop-ups used by Win32/FakeSecSen when distributed as 'AntiVirus Sentry':

Analysis by Hamish O'Dea

Last update 11 February 2009