Win32/FakePAV
First posted on 04 May 2012.
Source: Microsoft
Aliases:
Win32/FakePAV is also known as Windows Attention Utility, Clean This, Peak Protection 2010, AntiSpy Safeguard, Major Defense Kit, Pest Detector, fake Microsoft Security Essentials, ThinkPoint, Privacy Guard 2010, Palladium Pro, Red Cross Antivirus, LizaMoon SQL injection, Windows Passport Utility, Windows Stability Center, Windows Process Regulator, Windows Expansion Center, Windows Power Expansion, Windows Simple Protector, Windows Background Protector, Windows Lowlevel Solution, Windows Support System, Windows Emergency System, Windows Efficiency Magnifier, Windows Threats Removing, Windows Remedy, Windows Trouble Remover, Windows Troublemakers Agent, Windows Servant System, Windows Defence Center, Windows Error Correction, Windows Debug System, Windows Efficiency Manager, Windows Performance Manager, and others.
Explanation:
Rogue:Win32/FakePAV is a rogue that displays messages that imitate Microsoft Security Essentials threat reports in order to entice the user into downloading and paying for a rogue security scanner. The rogue persistently terminates numerous processes such as Windows Registry Editor, Internet Explorer, Windows Restore and other utilities and applications.
Installation
Rogue:Win32/FakePAV may be encountered while browsing various websites. The site may run JavaScript that imitates a security scan in progress, such as the following:
The script responsible for displaying this graphic is detected as Rogue:JS/FakePAV. If the user clicks on the "Start Protection" button, it downloads fake security software that is detected as Rogue:Win32/FakePAV.
When run, Rogue:Win32/FakePAV may copy itself as one of the following:
- %APPDATA%\hotfix.exe
- %APPDATA%\defender.exe
- %APPDATA%\gog.exe
The registry is modified to run the rogue at each Windows start, for example:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Shell"
With data: "%APPDATA%\hotfix.exe"
or
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "tmp"
With data: "%APPDATA%\defender.exe"
This component of Rogue:Win32/FakePAV continually enumerates running processes. If it finds a process that is in the following list, it immediately terminates it:
ACDaemon.exe
Acrobat.exe
Acrobat_sl.exe
AcroRd32.exe
Acrotray.exe
ACService.exe
Adobe Media Player.exe
Adobe_Updater.exe
AdobeARM.exe
AdobeUpdater.exe
aim.exe
aim6.exe
apdproxy.exe
AppleMobileDeviceHelper.exe
AppleMobileDeviceService.exe
ApplicationUpdater.exe
Babylon.exe
BabylonAgent.exe
Bandoo.exe
BandooUI.exe
BcmSqlStartupSvc.exe
BDTUpdateService.exe
bittorrent.exe
BJMyPrt.exe
CEC_MAIN.exe
chrome.exe
CLCapSvc.exe
CLMLSvc.exe
CLMSServer.exe
CLSched.exe
cmd.exe
COCIManager.exe
CSmileysIM.exe
CTsvcCDA.exe
DellVideoChat.exe
DesktopWeather.exe
DivXUpdate.exe
DVDAgent.exe
DVDLauncher.exe
EasyShare.exe
ehmsas.exe
ehRecvr.exe
ezprint.exe
firefox.exe
FlashUtil10a.exe
FlashUtil10b.exe
FlashUtil10c.exe
FlashUtil10d.exe
FlashUtil10e.exe
FlashUtil10h_ActiveX.exe
FlashUtil10i_ActiveX.exe
FrostWire.exe
gamevance32.exe
GoogleDesktop.exe
GoogleDesktopCrawl.exe
GoogleDesktopDisplay.exe
GoogleDesktopIndex.exe
GoogleToolbarInstaller_updater_signed.exe
GoogleToolbarUser.exe
GoogleUpdater.exe
ICQ Service.exe
IELowutil.exe
IEMonitor.exe
IEUser.exe
iexplore.exe
iPodService.exe
iTunes.exe
iTunesHelper.exe
iviRegMgr.exe
iWinTrusted.exe
java.exe
javaw.exe
KodakSvc.exe
lexbces.exe
LimeWire.exe
LogitechDesktopMessenger.exe
LogitechUpdate.exe
LWS.exe
mcrdsvc.exe
Monitor.exe
MSCamS32.exe
msmsgs.exe
msn.exe
msnmsgr.exe
MySpaceIM.exe
NBService.exe
NkMonitor.exe
NMBgMonitor.exe
NMIndexingService.exe
NMIndexStoreSvr.exe
onenotem.exe
ooVoo.exe
opera.exe
outlook.exe
PCMAgent.exe
pctsAuxs.exe
pctsSvc.exe
PDVDDXSrv.exe
PDVDServ.exe
PhotoshopElementsFileAgent.exe
PictureMover.exe
plugin-container.exe
PMVService.exe
prismxl.sys
qttask.exe
Quickcam.exe
Reader_sl.exe
RealPlay.exe
realsched.exe
regedit.exe
RichVideo.exe
RoxWatch9.exe
rstrui.exe
Safari.exe
SeaPort.exe
SearchProtection.exe
shellmon.exe
SiteRankTray.exe
Skype.exe
SkypeNames.exe
SkypeNames2.exe
skypePM.exe
SmoothView.exe
SoftwareUpdate.exe
sprtsvc.exe
SweetIM.exe
taskmgr.exe
tfswctrl.exe
TNaviSrv.exe
TomTomHOMERunner.exe
TomTomHOMEService.exe
traybar.exe
TVAgent.exe
TWebCamera.exe
TWebCameraSrv.exe
ULCDRSvr.exe
update.exe
uTorrent.exe
ViewMgr.exe
Weather.exe
WebcamDell.exe
WerCon.exe
winamp.exe
winampa.exe
winword.exe
wlcomm.exe
wlidsvc.exe
WLIDSvcM.exe
wmplayer.exe
wzqkpick.exe
YahooAUService.exe
YahooMessenger.exe
YMailAdvisor.exe
ymsgr_tray.exe
YouCam.exe
ZuneLauncher.exe
The rogue may display an imitation of a Microsoft Security Essentials threat report. If the user clicks "Show details", it displays the name of the program it terminated:
Note that the process is terminated immediately, meaning the program is effectively blocked from executing, regardless of the action the user takes in response to the rogue's messages.
If the user clicks either the "Clean computer" or "Apply actions" button, the rogue then displays the message "Unable to remove threat", as shown below:
When the user clicks "Scan Online", the rogue displays the following dialog:
After a few seconds, this is replaced by:
The rogue then restarts the computer. After restart, the rogue is loaded instead of Windows Explorer and it displays its fake interface, for example, "Clean This", "ThinkPoint" or "Windows Attention Utility", which pretends to scan the computer and find malware:
If you try to close the rogue's window, it displays the message: "Current settings don't allow unprotected startup. Please check your settings."
If the user tries to run Task Manager (for example, by pressing CTRL + ALT + Delete), the rogue immediately kills the process and displays the following message:
If the user clicks "Settings", checks "Allow unprotected startup", then clicks "Save settings", the rogue window can be closed. Once the rogue's window has been closed, FakePAV launches "explorer.exe", which in turn displays the start menu, task bar and desktop.
In other variants of Rogue:Win32/FakePAV, if the user clicks the "Scan online" button, the rogue displays a webpage which claims to show scan results from many different antivirus scanners. Most of the scanners it lists are legitimate, but only five of the scanners are listed as detecting the "threat". A button labeled "Free Install" is provided for each of these. These five programs are copies of the rogue's fake scanner. Each has a different name and look, but otherwise they are the same program. They are called:
- Red Cross Antivirus
- Peak Protection 2010
- Pest Detector 4.1
- Major Defense Kit
- AntiSpy Safeguard
All of these fake scanners display an installation wizard when run, as in the following example:
They may drop a copy as one of the following:
- %APPDATA%\hotfix.exe
- %APPDATA%\antispy.exe
The registry is modified to run the dropped copy at each Windows start in place of the default Windows shell "Explorer.exe":
In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "%APPDATA%\<malware file>" (for example, "%APPDATA%\hotfix.exe" or "%APPDATA%\antispy.exe")
After the install wizard has finished, the computer restarts.
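The two persistence locations described above (a Run value executing from %APPDATA%, and a Winlogon "Shell" value replacing explorer.exe) can be audited with a short script. This is an added example written for this page, not code from Microsoft's write-up; the function names and the sample values it checks are constructed for illustration.

```powershell
# Added example: classify one autostart registry value against the two
# patterns this write-up describes.
#   (a) Run key value whose data executes from %APPDATA% (Shell=hotfix.exe, tmp=defender.exe)
#   (b) Winlogon "Shell" value that is anything other than explorer.exe
function Test-AutostartValue {
    param([string]$Key, [string]$Name, [string]$Data)
    $appData = [Environment]::GetFolderPath('ApplicationData')
    if ($Key -like '*\CurrentVersion\Winlogon' -and $Name -eq 'Shell') {
        # Strip quotes; the legitimate value is explorer.exe (optionally with a path)
        $exe = $Data.Trim().Trim('"')
        if ($exe -notmatch '^(.*\\)?explorer\.exe$') {
            return "Winlogon Shell replaced with '$Data' (default is explorer.exe)"
        }
    }
    elseif ($Key -like '*\CurrentVersion\Run') {
        $fromAppData = ($Data -match '%APPDATA%') -or
                       ($appData -and $Data.StartsWith($appData, 'OrdinalIgnoreCase'))
        if ($fromAppData) { return "Run value '$Name' executes from %APPDATA%: $Data" }
    }
    return $null   # nothing matching the rogue's persistence patterns
}

# Walk the live per-user hive and emit one object per flagged value
function Get-FakePavPersistence {
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = (Get-ItemProperty -Path $k).PSObject.Properties |
                 Where-Object { $_.Name -notlike 'PS*' }   # drop PSPath, PSParentPath, ...
        foreach ($p in $props) {
            $hit = Test-AutostartValue -Key $k -Name $p.Name -Data ([string]$p.Value)
            if ($hit) { [pscustomobject]@{ Key = $k; Name = $p.Name; Finding = $hit } }
        }
    }
}

# Constructed sample values mirroring the write-up (not read from a real host)
$samples = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';         Name = 'Shell';   Data = '%APPDATA%\hotfix.exe' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';         Name = 'Updater'; Data = '"C:\Program Files\ExampleVendor\Updater.exe" /quiet' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';   Data = '%APPDATA%\antispy.exe' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';   Data = 'explorer.exe' }
)
foreach ($s in $samples) {
    $result = Test-AutostartValue @s
    "$($s.Key)\$($s.Name) -> $(if ($result) { $result } else { 'clean' })"
}
```

The first and third samples are flagged, the second and fourth are reported clean; `Get-FakePavPersistence` applies the same classifier to the current user's hive.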
Payload
Terminates processes
The rogue persistently terminates processes as mentioned above.
Displays misleading alerts
When the user logs in, the rogue displays a fake scanner that claims to detect malware on the computer. It does no scanning at all, but reports that some files have been restored and others can't be recovered. The "Palladium Pro" variant may also inform the user of errors on the hard drive. If the user clicks "Install heuristic module", the rogue displays a page where they can purchase a license for the rogue.
Creates shortcuts
Some variants of Rogue:Win32/FakePAV may create desktop shortcuts, using file names such as the following:
- "Clean This.lnk"
Additional information
Below are screen shots for different brandings of Rogue:Win32/FakePAV during Windows start:
"Clean This"
"Palladium Pro"
"ThinkPoint"
"AntiSpy Safeguard"
"Major Defense Kit"
"Pest Detector"
"Peak Protection 2010"
"Red Cross Antivirus"
Analysis by Hamish O'Dea
Last update 04 May 2012