
Trojan.FakeAlert.YF


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.FakeAlert.YF is also known as Trojan.Downloader.Fakealert.R.

Explanation:

Description:

Trojan.FakeAlert.YF is a trojan that tricks the user into installing rogue security products.

Method of Infection:

When executed, Trojan.FakeAlert.YF drops three files in the %System% directory:
phc1soj0enfp.bmp
blphc1soj0enfp.scr
lphc1soj0enfp.exe
with names composed of random letters and numbers.

It adds the following registry entry to automatically execute itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lphc1soj0enfp = "lphc1soj0enfp.exe"

The trojan also creates and executes a VBS file in the %Temp% folder, with the filename ".tt2.tmp.vbs".
The number is random.
The VBS file sets the current infected system setup as the system's restore point.

Then Trojan.FakeAlert.YF executes the screen saver (Sysinternals Bluescreen) designed to mislead the user into believing their system has crashed:



Payload:

Changes the desktop background color to blue:
HKCU\Control Panel\Colors\Background = 0 0 255

Changes the wallpaper position to centered:
HKCU\Control Panel\Desktop\WallpaperStyle = 0
HKCU\Control Panel\Desktop\TileWallpaper = 0

Sets the dropped bitmap image file as the desktop wallpaper:
HKCU\Control Panel\Desktop\Wallpaper = "%System%\phc1soj0enfp.bmp"
HKCU\Control Panel\Desktop\OriginalWallpaper = "%System%\phc1soj0enfp.bmp"
HKCU\Control Panel\Desktop\ConvertedWallpaper = "%System%\phc1soj0enfp.bmp"
This image contains the text mentioned in the Symptoms section.

Executes the screen saver file:
HKCU\Control Panel\Desktop\SCRNSAVE.EXE = "%System%\lphc1soj0enfp.scr"

Activates the screen saver:
HKCU\Control Panel\Desktop\ScreenSaveActive = 1

Sets the screen saver wait time to 600 seconds (10 minutes):
HKCU\Control Panel\Desktop\ScreenSaveTimeOut = 600

Sets a registry key to execute the screen saver without displaying the EULA:
HKCU\Software\Sysinternals\Bluescreen Screen Saver\EulaAccepted = 1

Prevents the user from selecting the Background or Screen Saver tabs of Display in the Control Panel:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage = 1
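As an added defender-side example (not part of the BitDefender write-up), the following Python correlates the registry changes listed under Method of Infection and Payload against a text export in reg.exe syntax, flagging the Run persistence entry, the random-named screen saver, the pre-accepted Bluescreen EULA and the hidden Display tabs together. The export text, the random-looking file names and the `looks_random` heuristic are constructed for the example and are not taken from a real infected host.

```python
import re
# Constructed sample in reg.exe export syntax covering the keys this trojan is
# documented to change; the names and values are made up, not from a real host.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"lphc1soj0enfp"="lphc1soj0enfp.exe"
[HKEY_CURRENT_USER\Control Panel\Desktop]
"SCRNSAVE.EXE"="%System%\\lphc1soj0enfp.scr"
"ScreenSaveActive"="1"
"ScreenSaveTimeOut"="600"
[HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000001
"NoDispScrSavPage"=dword:00000001
"""
DESKTOP = r"hkey_current_user\control panel\desktop"
POLICY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
# Exact (key, value name, data) settings the write-up lists for this family
FIXED_INDICATORS = [
    (DESKTOP, "ScreenSaveActive", "1"), (DESKTOP, "ScreenSaveTimeOut", "600"),
    (r"hkey_current_user\software\sysinternals\bluescreen screen saver", "EulaAccepted", 1),
    (POLICY, "NoDispBackgroundPage", 1), (POLICY, "NoDispScrSavPage", 1),
]
# Heuristic for the dropped files' random names: 8+ lowercase letters/digits incl. a digit
RANDOM_STEM = re.compile(r"^(?=.*\d)[a-z0-9]{8,}$")

def parse_reg_export(text: str) -> dict:
    """Parse reg.exe export text into {key_path_lowercase: {value_name: data}}."""
    keys, current = {}, ""
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = int(raw[6:], 16) if raw.startswith("dword:") else raw.strip('"')
    return keys

def looks_random(path: str) -> bool:
    """True when the file stem (directory and extension removed) looks machine-generated."""
    return bool(RANDOM_STEM.match(path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()))

def find_fakealert_indicators(export_text: str) -> list:
    """Correlate the persistence, screen-saver and policy changes described above."""
    k = parse_reg_export(export_text)
    out = [f"{key}\\{name} = {exp!r}" for key, name, exp in FIXED_INDICATORS if k.get(key, {}).get(name) == exp]
    for name, data in k.get(r"hkey_local_machine\software\microsoft\windows\currentversion\run", {}).items():
        # A bare random-named .exe with no path is resolved from %System% by the loader's search order
        if isinstance(data, str) and "\\" not in data and data.lower().endswith(".exe") and looks_random(data):
            out.append(f"Run entry {name!r} launches {data}")
    scr = str(k.get(DESKTOP, {}).get("SCRNSAVE.EXE", ""))
    if scr.lower().endswith(".scr") and looks_random(scr):
        out.append(f"SCRNSAVE.EXE points at random-named {scr}")
    return out
```

A live host can be checked by feeding the script the output of `reg export` for the HKLM Run key and the HKCU keys above; a single hit (an active screen saver, say) is normal, while the Run entry, the Bluescreen EULA and the NoDisp policies appearing together is the pattern this family leaves.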

Downloads and executes other trojan files:
The trojan contacts www.av-[removed]-2008.com and presents.avxp[removed].com, which host rogue antispyware products, and downloads the purported security products in a particularly insidious way.
The setup applications are hidden in encrypted form inside GIF images, like the one shown below.



After downloading the image, the trojan extracts the obfuscated code and executes it; the resulting program keeps nagging the victim about infections that do not exist on their system.
Because the payload travels inside what looks like an ordinary image download, this technique bypasses firewall and gateway filtering that keys on executable content.
Only active monitoring of the local filesystem could detect an imminent infection.

Last update 21 November 2011

 
