
TrojanDownloader:Win32/FakeIA.A


First posted on 28 May 2009.
Source: SecurityHome

Aliases :

TrojanDownloader:Win32/FakeIA.A is also known as Trojan.FakeAlert.AFL (BitDefender), Trojan.Fakeavalert (Symantec), Win32/Adware.Antivirus2008 (ESET).

Explanation :

TrojanDownloader:Win32/FakeIA.A is a trojan downloader and component of the rogue program Trojan:Win32/InternetAntivirus.

Symptoms
System Changes
The following system changes may indicate the presence of this malware:

  • The display of the following messages:


    Installation
    Win32/FakeIA.A is installed by Trojan:Win32/InternetAntivirus and is dropped to a variable location using a variable file name, for example:
    C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\byoroutand.exe

    When executed, Win32/FakeIA.A modifies the registry to execute at each Windows start.

    Adds value: <malware filename without extension> (e.g. "byoroutand")
    With data: <malware path and filename> (e.g. "C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\byoroutand.exe")
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

    TrojanDownloader:Win32/FakeIA.A injects code into Internet Explorer and periodically displays the following page instead of the web page the user was attempting to view:

    The "click here" link directs the browser to a purchase page for Win32/InternetAntivirus:

    Additional Information
    For more information about Trojan:Win32/InternetAntivirus, see our description elsewhere in the encyclopedia.

    TrojanDownloader:Win32/FakeIA.A may also make the following registry modification:

    Adds value: "ParameterName"
    With data: <malware filename without extension>
    To subkey: HKCU\Software\Microsoft\Internet Explorer

    Analysis by Dan Nicolescu and Hamish O'Dea

    Last update 28 May 2009
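
    A triage check for the two registry artifacts described above, added here as an example and not part of the original analysis or any vendor tool. It parses text in the layout that `reg query` prints for the two keys; the function names and the sample output (including the "Vendor Updater" entry) are constructed for illustration.

```python
import ntpath
import re

VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def parse_values(reg_query_text):
    """Return {value name: data} from `reg query <key>` text output."""
    values = {}
    for line in reg_query_text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(1)] = m.group(3).strip()
    return values

def exe_stem(command):
    """File name without extension of the program a Run entry launches."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]      # quoted path, arguments follow
    else:
        m = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
        path = m.group(1) if m else command
    return ntpath.splitext(ntpath.basename(path))[0].lower()

def find_suspects(run_text, ie_text):
    """Flag Policies\\Explorer\\Run values named after their own executable and
    note whether the Internet Explorer key's ParameterName holds the same name."""
    marker = parse_values(ie_text).get("ParameterName", "").lower()
    hits = []
    for name, data in parse_values(run_text).items():
        stem = exe_stem(data)
        if stem and name.lower() == stem:
            hits.append({"value": name, "path": data, "ie_marker_match": marker == stem})
    return hits

# Constructed sample output, not captured from a real host.
SAMPLE_RUN = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    byoroutand    REG_SZ    C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\byoroutand.exe
    Vendor Updater    REG_SZ    "C:\Program Files\Vendor\updater.exe" /background
"""
SAMPLE_IE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
    ParameterName    REG_SZ    byoroutand
    Download Directory    REG_SZ    C:\Users\analyst\Downloads
"""

if __name__ == "__main__":
    for hit in find_suspects(SAMPLE_RUN, SAMPLE_IE):
        print(hit)
```

    A Run value named after its own executable is only a lead, since legitimate software can do the same; a ParameterName value holding the same name is the corroborating signal from this write-up.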

     
