
Trojan:Win32/FakeCanine


First posted on 28 May 2009.
Source: SecurityHome

Aliases:

Trojan:Win32/FakeCanine is also known as Secure Antivirus Pro (other), not-a-virus:FraudTool.Win32.SecureAntivirusPro.g (Kaspersky), Trojan.FakeAV.MX (BitDefender), AntiVirus2008 (Symantec).

Explanation:

Trojan:Win32/FakeCanine is a family of trojans that claims to scan for malware and displays fake warnings of "malicious programs and viruses". They then inform the user that they need to pay money to register the software in order to remove these non-existent threats. They change the user's default Start Page and may change other security-related registry settings. Trojan:Win32/FakeCanine variants have been observed to use names such as "Secure Antivirus Pro".

Note: Reports of Rogue Antivirus programs have been more prevalent as of late. These are programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software. Some of these programs may display product names or logos in an apparently unlawful attempt to impersonate Microsoft products.

Symptoms

System changes

Symptoms vary among different distributions of Trojan:Win32/FakeCanine; however, the presence of the following system changes (or similar) may indicate the presence of this program:

  • Presence of the following files, or similar (for example):
    %windir%\AV.exe
  • Presence of the following registry modifications, or similar (for example):
    Under Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Adds Value: "Secure AntiVirus Pro"
    With Data: "%windir%\AV.EXE"
    Under key: HKCU\Software\Microsoft\Internet Explorer\Main
    Sets Value: "Start Page"
    With Data: www.guarddog2009.com
    Sets Value: "OneTime"
    With Data: "1"
  • Display of the following images/dialogs, or similar (for example; screenshots not reproduced here).

Installation

When executed, Trojan:Win32/FakeCanine copies itself to %windir%\AV.exe. It creates a registry entry, such as the following example, to ensure that it runs upon system startup:
Under Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds Value: "Secure AntiVirus Pro"
With Data: "%windir%\AV.EXE"

Payload

Modifies browser settings
Trojan:Win32/FakeCanine may change Internet Explorer's Start Page to one that encourages affected users to purchase rogue security software by making registry changes such as the following:
Under key: HKCU\Software\Microsoft\Internet Explorer\Main
Sets Value: "Start Page"
With Data: www.guarddog2009.com
Sets Value: "OneTime"
With Data: "1"

Displays fake alerts/warnings
When run, the malware displays a dialog similar to the following example (screenshot not reproduced here). It may re-display this dialog periodically. If the user clicks Yes, it launches its fake scanner, which may use a name such as "Secure Antivirus Pro". This appears to perform a scan of the system and falsely reports that files on the system are infected. Once it has finished 'scanning', it displays a further dialog (or similar; screenshot not reproduced here). Should the user click OK, it loads a registration page from a location such as www.guarddog2009.com in the user's default web browser and displays a dialog box that requests a registration code. If the user attempts to use various features of the scanner, another dialog is displayed (screenshot not reproduced here); if 'Yes' is selected, it starts the registration process in the same manner outlined above.

Modifies security settings
Trojan:Win32/FakeCanine may attempt to modify or delete registry entries such as the following:
Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Modifies Value: NoRecentDocsHistory
Modifies Value: ClearRecentDocsOnExit
Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
Modifies Value: AutoSuggest
Under key: HKCU\SOFTWARE\Microsoft\Internet Explorer\Main
Modifies Value: FormSuggest Passwords
Modifies Value: Use FormSuggest
Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache
Modifies Value: Persistent
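An added detection example, not part of the original write-up: a Python script that parses a constructed `reg export` (.reg) snippet and flags the Run-key persistence value and the Start Page hijack described in the Installation and Payload sections above. The sample registry text and the function names are assumptions made for this example, not artefacts captured from a real infection.

```python
import re
# Constructed sample of a `reg export` (.reg) file; not a capture from a real host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Secure AntiVirus Pro"="C:\\WINDOWS\\AV.EXE"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.guarddog2009.com"
"OneTime"="1"
'''

# Key paths from the write-up (HKLM/HKCU expanded), lower-cased: the registry is case-insensitive.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
IE_MAIN = r"hkey_current_user\software\microsoft\internet explorer\main"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text):
    """Parse .reg text into {key: {value name: data}}; only REG_SZ data is unescaped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                name, data = m.groups()
                if len(data) >= 2 and data[0] == data[-1] == '"':
                    # Undo .reg escaping of backslashes and quotes in string data.
                    data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
                keys[current][name] = data
    return keys


def find_fakecanine_indicators(keys):
    """Return (indicator, value name, data) for entries matching the IoCs above."""
    hits = []
    for name, data in keys.get(RUN_KEY, {}).items():
        # Persistence: Run value "Secure AntiVirus Pro" whose data points at %windir%\AV.EXE.
        if name.lower() == "secure antivirus pro" or data.lower().endswith("\\av.exe"):
            hits.append(("run-key persistence", name, data))
    start = keys.get(IE_MAIN, {}).get("Start Page", "")
    if "guarddog2009.com" in start.lower():
        hits.append(("start page hijack", "Start Page", start))
    return hits
```

Run it against the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and the HKCU Internet Explorer key from a suspect machine; any hit should be followed by checking whether %windir%\AV.exe is present.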

Analysis by David Wood

Last update 28 May 2009
