Trojan.Win32.FakeAV.doq

From Total Malware Info

The description for Trojan.Win32.FakeAV.doq was created during the beta test of the «Malware description on demand» service. Learn more at: www.dnt-lab.com/en/services.

Last edited:

27.3.2011

It is a trojan that imitates the work of an anti-virus program in order to obtain a fee from the user for the detection and removal of non-existent threats. It is a Windows application (PE-EXE file). Its size is 1,039,872 bytes. It is written in C++.

MD5: D7F29FBD718066B0112AF79FDC656D67

SHA1: BD796ED40EC3AAB01A36E97D46F47377A0028917

Installation

Once launched, the trojan moves its original file and saves it as

%USERPROFILE%\Local Settings\Application Data\<rnd>.exe

where <rnd> is a random decimal number.

After every launch the trojan creates the following value in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"<the original trojan file's name>" = "%USERPROFILE%\Local Settings\Application Data\<rnd>.exe"

Because a RunOnce value is deleted by Windows once it has been executed, re-creating it at every launch keeps the trojan's executable starting automatically every time the system boots.

In addition, the trojan creates the shortcut:

%USERPROFILE%\Start Menu\Programs\Security Tool.lnk

It refers to the item:

%USERPROFILE%\Local Settings\Application Data\<rnd>.exe

Payload

Once launched, the trojan simulates a scan of the victim's file system, displaying information about the presence of non-existent threats:

[Screenshots: FakeAV.doq 1.png, FakeAV.doq 2.png, FakeAV.doq 3.png]

When you try to remove the displayed threats, the trojan prompts you to go through activation (purchase of the fake product):

[Screenshot: FakeAV.doq 4.png]

Sites containing web forms for entering the user's credit card data are then displayed:

defen*****ymentgate.com
secu*****soft.com

The trojan blocks the launch of new processes in the system. When a new process is detected, it is terminated and the following window is displayed:

[Screenshot: FakeAV.doq 5.png]

For example:

[Screenshot: FakeAV.doq 6.png]

The trojan displays the following messages in the taskbar notification area:

[Screenshots: FakeAV.doq 7.png, FakeAV.doq 8.png, FakeAV.doq 9.png]

The trojan may also display a message about the availability of database updates:

[Screenshot: FakeAV.doq 10.png]

In addition, the trojan connects to the following address:

212.150.***.202

Removal Instructions

If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:

1. Restart the computer in "Safe Mode" (press and hold «F8» at the beginning of boot, then select «Safe Mode» in the Windows boot menu).

2. Delete the following files:

%USERPROFILE%\Local Settings\Application Data\<rnd>.exe
%USERPROFILE%\Start Menu\Programs\Security Tool.lnk

3. Delete the following value from the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"<the original trojan file's name>" = "%USERPROFILE%\Local Settings\Application Data\<rnd>.exe"

4. Perform a full system scan with an antivirus with updated databases.
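As an added example, not part of the original description: a small Python triage helper that checks a .reg export of the RunOnce key, Start Menu entries and a candidate file's bytes against the indicators listed above. The sample export, the value name "setup.exe" and the number standing in for <rnd> are constructed for the demonstration.

```python
import hashlib
import re

# Indicators taken from the description above (hashes, size, drop path, shortcut name).
KNOWN_MD5 = "d7f29fbd718066b0112af79fdc656d67"
KNOWN_SHA1 = "bd796ed40ec3aab01a36e97d46f47377a0028917"
KNOWN_SIZE = 1_039_872
# <rnd> is a random decimal number, so match a purely numeric .exe in the drop directory.
DROP_PATH_RE = re.compile(r"\\Local Settings\\Application Data\\\d+\.exe$", re.IGNORECASE)
SHORTCUT_NAME = "Security Tool.lnk"

# Constructed .reg export of the RunOnce key; the value name and the number are made up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"setup.exe"="C:\\Documents and Settings\\user\\Local Settings\\Application Data\\31457902.exe"
"LegitUpdater"="C:\\Program Files\\Vendor\\update.exe"
'''

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_values(text):
    """Return {name: data} for the REG_SZ lines of a .reg export (backslashes unescaped)."""
    entries = {}
    for line in text.splitlines():
        m = _VALUE_LINE.match(line.strip())
        if m:
            name, data = (s.replace('\\\\', '\\').replace('\\"', '"') for s in m.groups())
            entries[name] = data
    return entries

def suspicious_runonce(entries):
    """RunOnce values whose data points at <digits>.exe under Local Settings\\Application Data."""
    return [(n, d) for n, d in entries.items() if DROP_PATH_RE.search(d)]

def suspicious_shortcuts(start_menu_names):
    """Start Menu\\Programs entries matching the shortcut the trojan creates."""
    return [n for n in start_menu_names if n.lower() == SHORTCUT_NAME.lower()]

def matches_sample(data):
    """True when a file's bytes have exactly the size, MD5 and SHA1 of the described sample."""
    return (len(data) == KNOWN_SIZE
            and hashlib.md5(data).hexdigest() == KNOWN_MD5
            and hashlib.sha1(data).hexdigest() == KNOWN_SHA1)

if __name__ == "__main__":
    for name, path in suspicious_runonce(parse_reg_values(SAMPLE_EXPORT)):
        print(f"suspicious RunOnce value {name!r} -> {path}")
    for lnk in suspicious_shortcuts(["Accessories", "Security Tool.lnk"]):
        print(f"suspicious shortcut: {lnk}")
```

On a live system the same checks apply to the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce` and to a directory listing of the Start Menu\Programs folder.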
