Trojan:Win32/FakeXPA
First posted on 04 February 2009.
Source: SecurityHome
Aliases:
Trojan:Win32/FakeXPA is also known as: Win-Trojan/Downloader.56320.M (AhnLab), Win32/Adware.XPAntivirus (ESET), not-a-virus:Downloader.Win32XpAntivirus.b (Kaspersky), FakeAlert-AB.dldr (McAfee), W32/DLoader.FKAI (Norman), Mal/Generic-A (Sophos), XPAntivirus (Sunbelt Software), Downloader.MisleadApp (Symantec), XP Antivirus (other), Antivirus 2009 (other), Antivirus 2010 (other), Antivirus 360 (other).
Explanation:
Trojan:Win32/FakeXPA is a family of programs that claims to scan for malware and displays fake warnings of “malicious programs and viruses”. They then inform the user that they need to pay money to register the software in order to remove these non-existent threats.
Special Note:
Reports of rogue Antivirus programs have been more prevalent as of late. These are programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software. Some of these programs, such as Trojan:Win32/Antivirusxp and Program:Win32/FakeRednefed may display product names or logos in an apparently unlawful attempt to impersonate Microsoft products. These products may represent themselves as “Antivirus XP”, “AntivirusXP 2008”, “WinDefender 2008”, “XP Antivirus”, or similar. Use Microsoft Windows Defender, the Windows Live safety scanner (http://onecare.live.com/site/en-us/default.htm), or another up-to-date scanning and removal tool to detect and remove these threats and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.
Symptoms
System Changes
The following system changes may indicate the presence of Trojan:Win32/FakeXPA (or similar):
Presence of these files (for example):
%ProgramFiles%\XP Antivirus\xpa.exe
%ProgramFiles%\XP Antivirus\xpantiviruspro.exe
%ProgramFiles%\XP Antivirus\xpa2008.exe
Presence of this registry value and data:
Value: "XP Antivirus"
With data: "%ProgramFiles%\XP Antivirus\xpantiviruspro.exe"
In subkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Prompts similar to the graphic below, misleadingly stating that the system is infected.
This trojan may also display a dialog that mimics the Windows Security Center.
Installation
Members of the Trojan:Win32/FakeXPA family use various installation methods, with filenames and system modifications that can differ from one variant to the next. Trojan:Win32/FakeXPA has been distributed with several different names such as the following examples:
XP Antivirus
Antivirus 2009
Antivirus 2010
Antivirus 360
The user interface and some other details vary to reflect each variant’s individual branding. Please see below for examples of different distributions of this trojan family.

XP Antivirus
The following system changes may be made by Win32/FakeXPA when distributed as 'XP Antivirus'.
When installed, the following file folders are created:
%ProgramFiles%\XP Antivirus
<logged on user profile>\Start Menu\XP Antivirus 2008
The installer may place the following files into the '%ProgramFiles%\XP Antivirus' folder:
xpa.exe
xpantiviruspro.exe
xpa2008.exe
Next, the registry is modified to run a copy of Win32/XPAntiVirus at each Windows start.
Adds value: "XP Antivirus"
With data: "%ProgramFiles%\XP Antivirus\xpantiviruspro.exe"
To subkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Additionally, the installer may add the value "XP Antivirus" to this subkey:
HKEY_CURRENT_USER\Software
When Trojan:Win32/FakeXPA is run from the Start Menu, it launches the installed executable. When the user 'scans' the system, the program may display false detection alerts. For example, when this program was run on a new and clean installation of Microsoft Windows XP Professional, the following warning was displayed:
In addition to the above, Trojan:Win32/FakeXPA continuously displays messages stating that the system is infected, as shown below.

Antivirus 2009
Please see below for examples of the interface, fake alerts, false scanning results, and pop-ups used by Win32/FakeXPA when distributed as 'XP Antivirus'.
Below is a sample of a false report displayed on a clean machine:
Clicking on the "Remove all threats now" button may display the following registration page:
Win32/FakeXPA periodically displays the following message in the system tray:
Clicking on the icon brings up this imitation and bogus Windows Security Center page:
All links under "Resources" and "Manage security settings for" are actually the same URL that points to the same order page at the site 'antivirus-database.com'.
Win32/FakeXPA also periodically displays the following message:

Antivirus 2010
The Antivirus 2010 installer downloads and installs several files from the download-av2010.info domain, including:
AV2010.exe
This is the fake scanner itself. In addition to the scanner window, it displays an icon in the system tray (and popup messages from that icon), popup alerts warning of "infections", "database update" dialogs and a window that imitates the Windows Security Center.
It may be saved as:
C:\Documents and Settings\All Users\Application Data\AV2010\AV2010.exe
See below for examples of the icon, pop-up alerts, update dialog and imitation Windows Security Center:
autostart.exe
This component launches the fake scanner and can also download the latest version of any components if, for example, they are removed. It may be saved as:
C:\Documents and Settings\All Users\Application Data\SysLoader.exe
See below for an example of the fake scanning interface:
It adds an entry to the registry so it is launched each time Windows starts, for example:
Value: Gamma Loader
Data: "C:\Documents and Settings\All Users\Application Data\SysLoader.exe" /adjustment
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The '/adjustment' parameter tells the launcher to be "silent", i.e. not to show the installation dialog.
IEDefender.dll
This component may be saved to:
C:\Documents and Settings\All Users\Application Data\AV2010\IEDefender.dll
It is installed as a BHO in order to display fake "drop-down" messages within Internet Explorer. Clicking on the message directs IE to a web page that allows the user to purchase "Antivirus 2010". Please see below for an example:
When registering IEDefender.dll as a BHO, the following registry changes may be made:
Key: HKCR\AppID\{3C40236D-990B-443C-90E8-B1C07BCD4A68}
Value: (Default)
Data: IEDefender

Key: HKCR\AppID\IEDefender.DLL
Value: AppID
Data: {3C40236D-990B-443C-90E8-B1C07BCD4A68}

Key: HKCR\IEDefender.IEDefenderBHO.1
Value: (Default)
Data: IEDefenderBHO Class

Key: HKCR\IEDefender.IEDefenderBHO.1\CLSID
Value: (Default)
Data: {FC8A493F-D236-4653-9A03-2BF4FD94F643}

Key: HKCR\IEDefender.IEDefenderBHO
Value: (Default)
Data: IEDefenderBHO Class

Key: HKCR\IEDefender.IEDefenderBHO\CLSID
Value: (Default)
Data: {FC8A493F-D236-4653-9A03-2BF4FD94F643}

Key: HKCR\IEDefender.IEDefenderBHO\CurVer
Value: (Default)
Data: HelloWorld.HelloWorldBHO.1

Key: HKCR\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
Value: (Default)
Data: IEDefenderBHO Class

Key: HKCR\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}\ProgID
Value: (Default)
Data: IEDefender.IEDefenderBHO.1

Key: HKCR\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}\VersionIndependentProgID
Value: (Default)
Data: IEDefender.IEDefenderBHO

Key: HKCR\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}\InprocServer32
Value: (Default)
Data: C:\Documents and Settings\All Users\Application Data\AV2010\IEDefender.dll

Key: HKCR\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}\InprocServer32
Value: ThreadingModel
Data: Apartment

Key: HKCR\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}\TypeLib
Value: (Default)
Data: {705FD64B-2B7B-4856-9337-44CA1DA86849}

Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
Value: (Default)
Data: IEDefenderBHO

Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
Value: NoExplorer
Data: 1

Key: HKCR\TypeLib\{705FD64B-2B7B-4856-9337-44CA1DA86849}\1.0
Value: (Default)
Data: HelloWorld 1.0 Type Library

Key: HKCR\TypeLib\{705FD64B-2B7B-4856-9337-44CA1DA86849}\1.0\FLAGS
Value: (Default)
Data: 0

Key: HKCR\TypeLib\{705FD64B-2B7B-4856-9337-44CA1DA86849}\1.0\0\win32
Value: (Default)
Data: C:\Documents and Settings\All Users\Application Data\AV2010\IEDefender.dll

Key: HKCR\TypeLib\{705FD64B-2B7B-4856-9337-44CA1DA86849}\1.0\HELPDIR
Value: (Default)
Data: C:\Documents and Settings\All Users\Application Data\AV2010

Key: HKCR\Interface\{7BC7565C-5062-43CE-8797-DC2C271140A9}
Value: (Default)
Data: IHelloWorldBHO

Key: HKCR\Interface\{7BC7565C-5062-43CE-8797-DC2C271140A9}\ProxyStubClsid
Value: (Default)
Data: {00020424-0000-0000-C000-000000000046}

Key: HKCR\Interface\{7BC7565C-5062-43CE-8797-DC2C271140A9}\ProxyStubClsid32
Value: (Default)
Data: {00020424-0000-0000-C000-000000000046}

Key: HKCR\Interface\{7BC7565C-5062-43CE-8797-DC2C271140A9}\TypeLib
Value: (Default)
Data: {705FD64B-2B7B-4856-9337-44CA1DA86849}

Key: HKCR\Interface\{7BC7565C-5062-43CE-8797-DC2C271140A9}\TypeLib
Value: Version
Data: 1.0

svchost.exe
This program displays a fake "blue screen" crash screen, followed by a fake restart screen. It may be saved to:
C:\Documents and Settings\All Users\Application Data\AV2010\svchost.exe
The installer also creates the following shortcut on the desktop:
C:\Documents and Settings\All Users\Desktop\AV2010.lnk
and a folder containing two items in the start menu:
C:\Documents and Settings\All Users\Start Menu\Programs\AV2010\AV2010.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\AV2010\Uninstall.lnk
Win32/FakeXPA may also make the following registry modifications when distributed as Antivirus 2010:
Key: HKCU\Software\AV2010\AV2010\{F275E931-AFEC-4f70-B0D4-CC2731B945E0}
Value: {9BB761E6-288E-4782-8538-9069141F34B6}
Data: 1

Key: HKCU\Software\AV2010\AV2010\{F275E931-AFEC-4f70-B0D4-CC2731B945E0}
Value: {BE8A5069-82B0-4214-98DB-715C2B6D3117}
Data: D8 07 0C 00 01 00 16 00 15 00 39 00 27 00 E7 03
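As an added defender's example (not part of this encyclopedia entry), the following Python script parses a .reg export and flags the two persistence points described above: Run values (Symptoms and the 'Gamma Loader' entry) whose target is one of the listed file names or lives under Application Data, and Browser Helper Objects whose CLSID resolves through InprocServer32 to such a DLL. The registry sample it parses is constructed here to mirror the entries above; the file names and folder patterns are taken from this entry.

```python
import re
# Constructed .reg-style export (sample data, not from a real machine) holding the
# persistence points this entry describes: Run values and a BHO registration.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XP Antivirus"="C:\\Program Files\\XP Antivirus\\xpantiviruspro.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gamma Loader"="\"C:\\Documents and Settings\\All Users\\Application Data\\SysLoader.exe\" /adjustment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC8A493F-D236-4653-9A03-2BF4FD94F643}]
@="IEDefenderBHO"
[HKEY_CLASSES_ROOT\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}\InprocServer32]
@="C:\\Documents and Settings\\All Users\\Application Data\\AV2010\\IEDefender.dll"
'''
# File names this entry lists, plus writable data folders where autostarts and BHOs rarely belong.
KNOWN_NAMES = {"xpa.exe", "xpantiviruspro.exe", "xpa2008.exe", "av2010.exe", "sysloader.exe", "iedefender.dll"}
SUSPECT_DIRS = ("\\application data\\", "\\documents and settings\\all users\\")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # "name"=data or @=data

def parse_reg(text):
    """Parse .reg text into {key: {value_name: data}}; '@' is the key's default value."""
    tree, key = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]; tree[key] = {}
        elif key is not None and (m := VALUE_RE.match(line)):
            data = m.group(2)[1:-1] if m.group(2).startswith('"') else m.group(2)
            tree[key][m.group(1).strip('"')] = re.sub(r'\\(["\\])', r'\1', data)  # undo .reg escaping
    return tree

def exe_path(cmd):
    # Program path of a Run command: drop surrounding quotes and trailing switches.
    cmd = cmd.strip()
    return cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split(" /")[0]

def suspicious(path):
    low = path.lower()
    return low.rsplit("\\", 1)[-1] in KNOWN_NAMES or any(d in low for d in SUSPECT_DIRS)

def find_indicators(reg_text):
    """Return (kind, name, path) for Run entries and BHOs matching the indicators above."""
    tree, hits = parse_reg(reg_text), []
    for key, values in tree.items():
        if key.lower().endswith("\\microsoft\\windows\\currentversion\\run"):
            hits += [("run", n, exe_path(c)) for n, c in values.items() if suspicious(exe_path(c))]
        m = re.search(r"\\browser helper objects\\(\{[0-9a-f-]+\})$", key, re.I)
        if m:  # resolve the CLSID to InprocServer32 to learn which DLL IE would load
            dll = tree.get(f"HKEY_CLASSES_ROOT\\CLSID\\{m.group(1)}\\InprocServer32", {}).get("@", "")
            if dll and suspicious(dll):
                hits.append(("bho", m.group(1), dll))
    return hits
```

Run it against `find_indicators(SAMPLE_REG)` or against text exported with `reg export` from a suspect machine; a legitimate autostart such as ctfmon.exe in System32 is not reported.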
Analysis by Shali Hsieh, Durga Kumar and Hamish O'Dea
Last update 04 February 2009