
Trojan:Win32/FakeSmoke


First posted on 30 June 2009.
Source: SecurityHome

Aliases:

Trojan:Win32/FakeSmoke is also known as Win32/WinBlueSoft.A (CA) and Trojan-Downloader.Win32.FraudLoad.vtgpk (Kaspersky).

Explanation:

Trojan:Win32/FakeSmoke is a family of trojans consisting of a fake Security Center interface and a fake antivirus program. The fake Security Center interface displays fake security notifications in the system and is designed to look identical to the legitimate Windows Security Center. It prompts the user to register the fake antivirus program. The fake antivirus program may be known by several names, including WinBlueSoft and WiniBlueSoft. This program pretends to scan for malware infections and then displays a fake notification that malware has been detected in the system. It then prompts the user to enter a registration code, which is available only if the user purchases the fake product.

Special Note:

Reports of Rogue Antivirus programs have been more prevalent as of late. These are programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software. Some of these programs, such as Trojan:Win32/Antivirusxp and Program:Win32/FakeRednefed may display product names or logos in an apparently unlawful attempt to impersonate Microsoft products. These products may represent themselves as “Antivirus XP”, “AntivirusXP 2008”, “WinDefender 2008”, “XP Antivirus”, or similar. Use Microsoft Windows Defender, the Windows Live safety scanner (http://onecare.live.com/site/en-us/default.htm), or another up-to-date scanning and removal tool to detect and remove these threats and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.

Symptoms
Symptoms vary among different distributions of Trojan:Win32/FakeSmoke; however, the presence of the following system changes (or similar) may indicate the presence of this program:

  • Display of the following images/dialogs, or similar (for example): [screenshots not reproduced]

Installation
When run, the fake Security Center component copies itself to the Windows system folder using a variety of file names. It then adds a registry entry under the following key so that it automatically runs every time Windows starts:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
This component may be installed in the system by another malware.

When installed, the fake antivirus scanner component copies its files into subfolders in the Program Files folder using the following format:
  • %ProgramFiles%\<Product Name> Software\<Product Name>
where <Product Name> is the product name. For example:
  • %ProgramFiles%\WinBlueSoft Software\WinBlueSoft
A start menu item is created and an icon is placed on the desktop that may look like the following: [screenshot not reproduced]

It also modifies the system registry so that it automatically runs every time Windows starts:
Adds value: <Product Name>
With data: %ProgramFiles%\<Product Name> Software\<Product Name>\<Product Name>.exe -min
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
For example:
Adds value: WinBlueSoft
With data: %ProgramFiles%\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Payload

Displays fake Security Center interface
When executed, Trojan:Win32/FakeSmoke displays a notification such as the following: [screenshot not reproduced]
It is also available in French, Italian, Russian, or German, as in the following: [screenshots not reproduced]
The above notification may appear in both the lower left and lower right areas of the desktop. It is meant to convey a sense of urgency to the user that the system is being attacked. Should the user click on the balloon or "Yes" in the notification, the fake Security Center is displayed: [screenshot not reproduced]
Note that the fake Security Center is almost identical to the legitimate Windows Security Center. Clicking on any of the links in the above interface displays the following interface: [screenshot not reproduced]
The "Cancel" button is unavailable for at least five seconds before the user can dismiss the dialog. If the user clicks on the "OK" button, the default Web browser opens to a location selling the fake antivirus scanner, such as 'winbluesoft.com' or 'winibluesoft.com'. It may also display the following balloon: [screenshot not reproduced]

Displays fake antivirus scanner
Once installed, the fake Security Center component of Trojan:Win32/FakeSmoke drops a number of extraneous files containing random characters into the Windows and Windows system folders. The file names used often begin with digits, contain slightly modified malware type names, and have extensions used by executable files. Examples may be similar to the following:
  • 9z722spambot5df.cpl
  • 1a65dow9loazer2895.dll
  • 5597backd90rz580.ocx
  • 3795wozm275.exe
These files are intended to be "detected" by the fake scanner. When run, the fake scanner performs a scan of the user's system, reporting a malware infection for each of the "junk" files. Upon completion of the scan, the following dialog is displayed: [screenshot not reproduced]
If the user chooses Clean, he or she is prompted to enter a registration code: [screenshot not reproduced]
Clicking on "Get Registration Code" results in the default Web browser opening to a location selling the fake antivirus scanner, such as 'winbluesoft.com' or 'winibluesoft.com'. Should the user choose not to remove the supposed threats, the following is displayed: [screenshot not reproduced]
If all of these dialogs are dismissed, the main user interface is displayed, along with a list of fake threats that this trojan claims to have detected. If the user attempts to remove any of them, the "Spyware Found" dialog is displayed again.
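The two host artefacts described above, the Run value whose data follows the `%ProgramFiles%\<Name> Software\<Name>\<Name>.exe -min` layout and the digit-padded junk file names the fake scanner "finds", can be turned into a triage check. The following Python is an added example, not code from the original write-up; the fuzzy-match threshold, the list of type words and the sample registry and file data are constructed assumptions, not values from the page.

```python
import re
from difflib import SequenceMatcher

# Run value/data pair from the Installation section: <Name> = %ProgramFiles%\<Name> Software\<Name>\<Name>.exe -min
RUN_DATA_RE = re.compile(
    r"^%ProgramFiles%\\(?P<name>[^\\]+) Software\\(?P=name)\\(?P=name)\.exe -min$",
    re.IGNORECASE)
# Malware-type words the junk names mangle (the four the page shows) and its executable extensions.
JUNK_TYPES = ("spambot", "downloader", "backdoor", "worm")
JUNK_EXTS = (".cpl", ".dll", ".ocx", ".exe")

def is_fakesmoke_run_entry(value_name: str, value_data: str) -> bool:
    """True when the data matches the pattern and the value name is the embedded product name."""
    m = RUN_DATA_RE.match(value_data.strip())
    return m is not None and m.group("name").lower() == value_name.strip().lower()

def _best_ratio(text: str, word: str) -> float:
    """Best similarity of `word` to any window of `text` within one character of its length."""
    best = 0.0
    for length in (len(word) - 1, len(word), len(word) + 1):
        for i in range(max(1, len(text) - length + 1)):
            best = max(best, SequenceMatcher(None, text[i:i + length], word).ratio())
    return best

def junk_file_type(filename: str, threshold: float = 0.7):
    """Return the malware-type word a junk file name imitates, or None: leading digit,
    executable extension, digit-stripped stem fuzzily containing a JUNK_TYPES word (0.7 is an assumption)."""
    lower = filename.lower()
    if not lower[:1].isdigit() or not lower.endswith(JUNK_EXTS):
        return None
    stem = re.sub(r"\d", "", lower.rsplit(".", 1)[0])
    scored = {t: _best_ratio(stem, t) for t in JUNK_TYPES}
    best = max(scored, key=scored.get)
    return best if scored[best] >= threshold else None

def scan(run_entries, filenames):
    """Apply both checks: returns (flagged Run value names, {junk file name: imitated type})."""
    hits = [name for name, data in run_entries if is_fakesmoke_run_entry(name, data)]
    junk = {f: t for f in filenames if (t := junk_file_type(f)) is not None}
    return hits, junk

# Constructed sample input (not captured from a real system).
SAMPLE_RUN = [
    ("WinBlueSoft", r"%ProgramFiles%\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min"),
    ("OneDrive", r"C:\Users\me\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background")]
SAMPLE_FILES = ["9z722spambot5df.cpl", "1a65dow9loazer2895.dll", "5597backd90rz580.ocx",
                "3795wozm275.exe", "kernel32.dll", "7z.dll", "3dfx.dll"]

if __name__ == "__main__":
    print(scan(SAMPLE_RUN, SAMPLE_FILES))
```

The Run check matches the unexpanded `%ProgramFiles%` form the write-up gives; data stored with the variable already expanded would need the literal Program Files path added to the pattern. Feed it the HKLM and HKCU Run values and a listing of the Windows and system32 folders, and treat any hit as a reason to pull the full folder contents for review rather than as proof on its own.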

Analysis by David Wood

Last update 30 June 2009
