Sunday, March 7, 2010

FAKEAV TROJAN REMOVAL

fakeav.xp is a fake antivirus product that relies on pop-ups reporting false detections on the system, pressuring the user to buy the software to remove infections that are not there.

The user receives messages reporting false infections on the computer in order to make him activate (buy) the fake antivirus product. The rogue antivirus resembles the operating system's own program suite, and this is what the user first notices when the malware is installed.

EFFECTS OF FAKEAV TROJAN

The malware creates the file %CommonAppData%\[RandomString]\[RandomString].exe. Another noticeable sign of infection is the folder %AppData%\Enterprise Suite.
A typical path for %CommonAppData% is C:\Documents and Settings\All Users\Application Data.
A typical path for %AppData% is C:\Documents and Settings\[UserName]\Application Data.

When installed, the window shown above appears, imitating the operating system's programs. It makes a copy of itself in the %Temp% folder (e.g. C:\Documents and Settings\[UserName]\Local Settings\Temp) and creates a folder %CommonAppData%\[RandomString] in which it stores the rogue antivirus.
The malware modifies the hosts file (%System%\drivers\etc\hosts), redirecting each of the sites listed below to the address of a known search engine's web page. The modified entries are:

74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 privatesecuredpayments.com
74.125.45.100 secure.privatesecuredpayments.com
74.125.45.100 getantivirusplusnow.com
74.125.45.100 secure-plus-payments.com
74.125.45.100 www.getantivirusplusnow.com
74.125.45.100 www.secure-plus-payments.com
74.125.45.100 www.getavplusnow.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
74.125.45.100 www.securesoftwarebill.com
74.125.45.100 secure.paysecuresystem.com
74.125.45.100 paysoftbillsolution.com
74.125.45.100 protected.maxisoftwaremart.com

It creates a startup registry value "Enterprise Suite" in the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run in order to run every time the operating system starts. (Daniel Chipiristeanu, virus researcher)
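The two host-based indicators described above, the tampered hosts file and the "Enterprise Suite" Run value, can be checked with a short script. The following is an added example, not code from the original post; the domain list is the one given above, while the sample hosts content, the sample Run values and the random directory name "abcd1234" are constructed for the demonstration.

```python
"""Added example, not part of the original post: check the two host-based
indicators described above, the tampered hosts file and the "Enterprise Suite"
Run value. Sample inputs below are constructed; the domain list is the post's."""
import re
from collections import defaultdict

# Domains from the post's hosts-file list. Two of them are security services
# (Google Safe Browsing and Microsoft's URL reputation service); the rest are
# the rogue product's own sales and payment sites.
SECURITY_DOMAINS = {"safebrowsing-cache.google.com", "urs.microsoft.com"}
ROGUE_DOMAINS = {
    "4-open-davinci.com", "securitysoftwarepayments.com",
    "privatesecuredpayments.com", "secure.privatesecuredpayments.com",
    "getantivirusplusnow.com", "secure-plus-payments.com",
    "www.getantivirusplusnow.com", "www.secure-plus-payments.com",
    "www.getavplusnow.com", "www.securesoftwarebill.com",
    "secure.paysecuresystem.com", "paysoftbillsolution.com",
    "protected.maxisoftwaremart.com",
}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        entries.extend((parts[0], host.lower()) for host in parts[1:])
    return entries


def find_hosts_tampering(text, min_fanout=5):
    """Flag hosts entries matching the post's indicators.

    Three checks: a security-service domain present at all (it should never
    be in a hosts file), a known rogue domain, and the generic pattern of many
    hostnames pinned to one address, which is how this family looks even if
    the domain list changes between samples.
    """
    findings = []
    hosts_by_ip = defaultdict(set)
    for ip, host in parse_hosts(text):
        hosts_by_ip[ip].add(host)
        if host in SECURITY_DOMAINS:
            findings.append(("security_domain_hijacked", ip, host))
        elif host in ROGUE_DOMAINS:
            findings.append(("known_rogue_domain", ip, host))
    for ip, hosts in hosts_by_ip.items():
        if ip not in ("127.0.0.1", "::1", "0.0.0.0") and len(hosts) >= min_fanout:
            findings.append(("many_hosts_one_ip", ip, ",".join(sorted(hosts))))
    return findings


# A Run value pointing to %CommonAppData%\<random>\<random>.exe, as the post
# describes. Matched on the expanded Windows XP/2003 path given in the post.
COMMON_APPDATA_EXE = re.compile(
    r'all users\\application data\\[^\\"]+\\[^\\"]+\.exe', re.IGNORECASE)


def check_run_values(values):
    """values: mapping of Run value name -> command, as read from
    HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run."""
    hits = []
    for name, command in values.items():
        if name.strip().lower() == "enterprise suite":
            hits.append((name, command, "rogue value name from the post"))
        elif COMMON_APPDATA_EXE.search(command):
            hits.append((name, command, "executable under %CommonAppData%\\<dir>\\"))
    return hits


# Constructed sample input: a clean localhost line plus lines in the form the
# post lists (address and domains as given there).
SAMPLE_HOSTS = """\
# constructed hosts file for the example
127.0.0.1       localhost
74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
74.125.45.100 www.getavplusnow.com
"""

# Constructed Run values; "abcd1234" is a placeholder for the random name.
SAMPLE_RUN_VALUES = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "Enterprise Suite": r"C:\Documents and Settings\All Users\Application Data\abcd1234\abcd1234.exe",
}

if __name__ == "__main__":
    for finding in find_hosts_tampering(SAMPLE_HOSTS):
        print("hosts:", *finding)
    for hit in check_run_values(SAMPLE_RUN_VALUES):
        print("run key:", *hit)
```

On a live system the hosts text comes from %System%\drivers\etc\hosts and the Run values from the key named above; the fan-out check is kept separate from the fixed domain list so that a variant with different payment sites still stands out.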

HOW TO REMOVE FAKEAV TROJAN

It is suggested to use Bitdefender or any strong Trojan Remover to remove this trojan.
