
Trojan.FakeAV.ABT


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Trojan.FakeAV.ABT is also known as Trojan:Win32/Winwebsec, a variant of Win32/Kryptik.BWM, RogueAntiSpyware.Generic.

Explanation :

The fake antivirus tries to trick the user into registering the product by reporting false detections, more of them with each so-called scan. Once on the machine, it displays pop-ups about system problems and fake infections.



It copies itself to %CommonAppData%\[random number]\[random number].exe and removes the original file from which it was installed.

It modifies the following registry value in order to run every time Windows starts: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - [RandomNumber], which points to the copy made in %CommonAppData%.
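A triage check for the persistence described above, as an added example that is not BitDefender's code: it parses `reg query` text for the Run key and flags values whose program sits under CommonAppData with a digits-only file name, optionally inside one digits-only folder. The digits-only reading of "random number", the two CommonAppData roots and the sample output are assumptions made for this example.

```python
import re
from pathlib import PureWindowsPath

# Assumed CommonAppData locations (Vista and later, then XP); adjust per host.
ROOTS = [PureWindowsPath(p) for p in (
    r"C:\ProgramData", r"C:\Documents and Settings\All Users\Application Data")]
NUM = re.compile(r"[0-9]+")  # assumption: "random number" means digits only

def parse_reg_query(text):
    """Yield (value_name, data) pairs from `reg query <key>` text output."""
    for line in text.splitlines():
        m = re.match(r"^ {4}(.+?) {4}REG_\w+ {4}(.*)$", line)
        if m:
            yield m.group(1), m.group(2)

def executable_of(command):
    """Return the program path of a Run command line, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command

def matches_dropped_copy(exe):
    """True for a digits-only .exe under CommonAppData, at most one digits-only folder deep."""
    parts = tuple(p.lower() for p in PureWindowsPath(exe).parts)
    for root in ROOTS:
        base = tuple(p.lower() for p in root.parts)
        rel = parts[len(base):]
        if parts[:len(base)] == base and 1 <= len(rel) <= 2:
            *dirs, name = rel
            stem, _, ext = name.rpartition(".")
            if ext == "exe" and all(NUM.fullmatch(x) for x in [stem, *dirs]):
                return True
    return False

def suspicious_run_values(reg_output):
    """List (value_name, exe, name_is_numeric) for Run values matching the pattern."""
    return [(n, executable_of(d), bool(NUM.fullmatch(n)))
            for n, d in parse_reg_query(reg_output)
            if matches_dropped_copy(executable_of(d))]

# Constructed sample of `reg query` output for the Run key, not from a real host.
SAMPLE = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    4827163    REG_SZ    C:\ProgramData\4827163\4827163.exe
    Updater    REG_SZ    "C:\Program Files\Vendor\update.exe" /background
    90211    REG_SZ    "c:\documents and settings\all users\application data\90211\55.exe" -s
    Backup    REG_SZ    C:\ProgramData\Vendor\agent.exe
"""
```

Calling `suspicious_run_values(SAMPLE)` returns the `4827163` and `90211` entries; a hit is a lead for manual review, since a legitimate program could also use a numeric name.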



It takes a more aggressive approach to persuade the user that the system is in danger: it removes the desktop wallpaper (registry value: HKEY_CURRENT_USER\Control Panel\Desktop ["Wallpaper"]), blocks most applications, and shows a pop-up about a made-up infection.



Other similar pop-ups and the difficulty of closing the application serve the same purpose.

Last update 21 November 2011

 
