Home / malware

PDF

Trojan.FakeAlert.ACR

First posted on 21 November 2011.
Source: BitDefender

Aliases :

Trojan.FakeAlert.ACR is also known as Backdoor.Win32.Frauder.ca;, Win32/TrojanDownloader.FakeAlert.IC, trojan;, Win32:FraudLoad-RM;, BDS/Frauder.CE.

Explanation :

When executed, this malware will drop the following files in %SYSDIR%:
blphc9pvj0e1ac.scr - this file will be set as the new screensaver and
it is detected by BitDefender as Trojan.FakeAlert.AAI
lphc9pvj0e1ac.exe - a copy of the initial file
phc9pvj0e1ac.bmp - the image used as wallpaper, detected by
BitDefender as Trojan.FakeAlert.AAF
In order to be executed at every system startup, it adds the following registry key:
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun
lphc9pvj0e1ac -> C:WINDOWSsystem32lphc9pvj0e1ac.exe
It sets the new wallpaper and screensaver by adding/modifying the registry keys presended below (after these modifications the user will not be able to modify his background image and/or screensaver):
HKCUControl PanelDesktop
OriginalWallpaper = C:WINDOWSsystem32phc9pvj0e1ac.bmp
TileWallpaper = 0
WallpaperStyle = 0
SCRNSAVE.EXE = C:WINDOWSsystem32lphc9pvj0e1ac.scr
ScreenSaveTimeOut = 600
Wallpaper = C:WINDOWSsystem32phc9pvj0e1ac.bmp
ConvertedWallpaper = C:WINDOWSsystem32phc9pvj0e1ac.bmp
HKCUSoftwareSysinternalsBluescreen Screen Saver
EulaAccepted = 0x00000001
HKLMSOFTWAREMicrosoftSoftware Notifier
InstallID = 83ee564f-bf54-4dca-a4ff-f5601fbdefac
HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem
NoDispScrSavPage = 0x00000001
NoDispBackgroundPage = 0x00000001

It will also attempt to download a rogue antivirus from http://antivirusxp-2008.net - wich, once installed, will alert the user about false infections detected on his computer in order to mislead him to buy the licensed version of this software.

After all these modifications, the current system state is saved as the "Last good restore point" using a VB script detected by BitDefender as Application.CleanSystemRestore.A.

Last update 21 November 2011

 

TOP