
Rogue:Win32/FakeRean


First posted on 13 January 2012.
Source: Microsoft

Aliases :

Rogue:Win32/FakeRean is also known as XP Total Security 2012 (other), Vista Total Security 2012 (other), Win 7 Total Security 2012 (other), XP Home Security 2012 (other), Vista Home Security 2012 (other), Win 7 Home Security 2012 (other), XP Home Security (other), Vista Home Security (other), Win 7 Home Security (other), XP Guard (other), Vista Guard (other), Win 7 Guard (other), XP Anti-Virus 2011 (other), Vista Anti-Virus 2011 (other), Win 7 Anti-Virus 2011 (other), and others.

Explanation :

Win32/FakeRean is a family of programs that claim to scan for malware and display fake warnings of malicious files. They then inform the user that they need to pay money to register the software in order to remove these non-existent threats.

Special Note:

Reports of Rogue Antivirus programs have been more prevalent as of late. These are programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software. Some of these programs may display product names or logos in an apparently unlawful attempt to impersonate Microsoft products. To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products will detect and remove this threat:

  • Microsoft Security Essentials
  • Windows Defender
  • Microsoft Safety Scanner
  • Microsoft Windows Malicious Software Removal Tool
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Win32/FakeRean is a family of programs that claim to scan for malware and display fake warnings of malicious files. They then inform the user that they need to pay money to register the software in order to remove these non-existent threats.

Win32/FakeRean has been distributed with several different names. The user interface and some other details vary to reflect each variant's individual branding. Current variants of FakeRean choose a name at random from a number of possibilities determined by the operating system of the affected system. The table below lists all the possible combinations that may be used to brand the interface and associated content, including websites, in recent variants:

Platform: Windows 7           | Platform: Windows Vista       | Platform: Windows XP
Win 7 Internet Security 2010  | Vista Internet Security 2010  | XP Internet Security 2010
Win 7 Internet Security       | Vista Internet Security       | XP Internet Security
Win 7 Antivirus Pro 2010      | Vista Antivirus Pro 2010      | XP Antivirus Pro 2010
Win 7 Antivirus Pro           | Vista Antivirus Pro           | XP Antivirus Pro
Win 7 Antivirus 2010          | Vista Antivirus 2010          | XP Antivirus 2010
Win 7 Antivirus               | Vista Antivirus               | XP Antivirus
Win 7 Defender 2010           | Vista Defender 2010           | XP Defender 2010
Win 7 Guardian                | Vista Guardian                | XP Guardian
Win 7 Guardian 2010           | Vista Guardian 2010           | XP Guardian 2010
Antivirus Win 7 2010          | Antivirus Vista 2010          | Antivirus XP 2010
Win 7 Antispyware 2010        | Vista Antispyware 2010        | XP Antispyware 2010
Win 7 Defender                | Vista Defender                | XP Defender
Win 7 Defender Pro            | Vista Defender Pro            | XP Defender Pro
Win 7 Smart Security          | Vista Smart Security          | XP Smart Security
Win 7 Smart Security 2010     | Vista Smart Security 2010     | XP Smart Security 2010
Win 7 Security Tool           | Vista Security Tool           | XP Security Tool
Win 7 Security Tool 2010      | Vista Security Tool 2010      | XP Security Tool 2010
Win 7 AntiMalware             | Vista AntiMalware             | XP AntiMalware
Win 7 AntiMalware 2010        | Vista AntiMalware 2010        | XP AntiMalware 2010
Win 7 Internet Security       | Vista Internet Security       | XP Internet Security
Antivirus Win 7               | Antivirus Vista               | Antivirus XP
Antispyware Win 7             | Antispyware Vista             | Antispyware XP
Total Win 7 Security          | Total Vista Security          | Total XP Security
Win 7 Security                | Vista Security                | XP Security
Win 7 Security Center         |                               | XP Defender Pro 2010

Installation

Win32/FakeRean installers download several archives in either ZIP or CAB format from a remote location via HTTP. For example:
  • Binaries1.cab
  • Binaries2.cab
  • Binaries3.cab
The installer then extracts these files into a directory it creates under %program files%. The installer may display a window before it begins downloading, for example:

[installer window screenshot not reproduced]

While downloading, the installer may display a window like the following:

[download progress window screenshot not reproduced]

Different variants of Win32/FakeRean use different names and branding. The directories and file names used depend on the branding used by each variant. For example, these files are installed by the variant that calls itself "XP Antispyware 2009":
  • %Program Files%\XP_AntiSpyware\AVEngn.dll
  • %Program Files%\XP_AntiSpyware\htmlayout.dll
  • %Program Files%\XP_AntiSpyware\pthreadVC2.dll
  • %Program Files%\XP_AntiSpyware\Uninstall.exe
  • %Program Files%\XP_AntiSpyware\wscui.cpl
  • %Program Files%\XP_AntiSpyware\XP_Antispyware.cfg
  • %Program Files%\XP_AntiSpyware\XP_AntiSpyware.exe
  • %Program Files%\XP_AntiSpyware\data\daily.cvd
  • %Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
  • %Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\msvcm80.dll
  • %Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\msvcp80.dll
  • %Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\msvcr80.dll
In another example, these files are installed by the variant that calls itself "AntispywareXP 2009":
  • %Program Files%\AntiSpywareXP2009\AVEngn.dll
  • %Program Files%\AntiSpywareXP2009\htmlayout.dll
  • %Program Files%\AntiSpywareXP2009\pthreadVC2.dll
  • %Program Files%\AntiSpywareXP2009\Uninstall.exe
  • %Program Files%\AntiSpywareXP2009\wscui.cpl
  • %Program Files%\AntiSpywareXP2009\AntiSpywareXP2009.cfg
  • %Program Files%\AntiSpywareXP2009\AntiSpywareXP2009.exe
  • %Program Files%\AntiSpywareXP2009\data\daily.cvd
  • %Program Files%\AntiSpywareXP2009\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
  • %Program Files%\AntiSpywareXP2009\Microsoft.VC80.CRT\msvcm80.dll
  • %Program Files%\AntiSpywareXP2009\Microsoft.VC80.CRT\msvcp80.dll
  • %Program Files%\AntiSpywareXP2009\Microsoft.VC80.CRT\msvcr80.dll
Win32/FakeRean also adds shortcuts to the current user's Start menu, desktop and quick launch bar, for example:
  • %Start menu%\Programs\XP_AntiSpyware\XP_AntiSpyware.lnk
  • %Start menu%\Programs\XP_AntiSpyware\Uninstall.lnk
  • %Desktop%\XP_AntiSpyware.lnk
  • %APPDATA%\Microsoft\Internet Explorer\Quick Launch\XP_AntiSpyware.lnk
or
  • %Start menu%\Programs\AntiSpywareXP2009\AntiSpywareXP2009.lnk
  • %Start menu%\Programs\AntiSpywareXP2009\Uninstall.lnk
  • %Desktop%\AntiSpywareXP2009.lnk
  • %APPDATA%\Microsoft\Internet Explorer\Quick Launch\AntiSpywareXP2009.lnk
Example desktop icon:

[desktop icon image not reproduced]

Win32/FakeRean may also modify the registry in order to ensure that it runs whenever the user's Internet browser is launched from the Start menu.

Adds value: (Default)
With data: "<malware file name>" /START <location of browser>
To subkey: HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command

For example:

Adds value: (Default)
With data: "C:\Documents and Settings\Administrator\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
To subkey: HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command

Payload

Displays Fake Alerts, and Fake Scanning Results

Win32/FakeRean adds a registry entry to launch its fake scanner automatically each time Windows starts. For example:
Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Value: XP Antispyware 2009
Data: ""%Program Files%\XP_AntiSpyware\XP_AntiSpyware.exe" /hide"
or
Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Value: AntiSpywareXP 2009
Data: ""%Program Files%\AntiSpywareXP2009\AntiSpywareXP2009.exe" /hide"

The fake scanner GUI may look like this, for example:
[fake scanner GUI screenshot not reproduced]

or this:

[second fake scanner GUI screenshot not reproduced]

When a "scan" is completed, it displays a message like this:

[scan result message screenshot not reproduced]

or this:

[second scan result message screenshot not reproduced]

Periodically it may display fake warning pop-ups from its system tray icon, for example:

[system tray pop-up screenshot not reproduced]

Win32/FakeRean also installs a control panel applet which imitates the Windows security center:
  • <system folder>\_scui.cpl
For example:

[fake security center applet screenshot not reproduced]

Clicking any of the buttons or links in this window merely opens the default browser and opens a page to buy the fake product online.

Modifies system security settings

In order to prevent the real Windows security center from being displayed in the control panel, Win32/FakeRean sets these registry entries:
Key: HKCU\Control Panel\don't load
Value: scui.cpl
Data: "No"
Value: wscui.cpl
Data: "No"

Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value: ForceClassicControlPanel
Data: 0x1

It also sets registry entries to stop notifications from the real security center:
Key: HKLM\SOFTWARE\Microsoft\Security Center
Value: AntiVirusDisableNotify
Data: 0x1
Value: FirewallDisableNotify
Data: 0x1
Value: UpdatesDisableNotify
Data: 0x1

Win32/FakeRean may also add an uninstall entry, for example:
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XP_AntiSpyware\
Value: DisplayName
Data: "XP Antispyware 2009"
Value: UninstallString
Data: "%Program Files%\XP_AntiSpyware\Uninstall.exe"
or
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiSpywareXP2009
Value: DisplayName
Data: "AntiSpywareXP 2009"
Value: UninstallString
Data: "%Program Files%\AntiSpywareXP2009\Uninstall.exe"

This usually does not uninstall the trojan; however, the shortcut added to the start menu ("Uninstall.lnk") may remove most of the program. The fake security center control panel applet (_scui.cpl) is left behind.

While Win32/FakeRean pretends to scan the machine, it may create files with randomly generated file names, which it fills with random "junk" bytes. These are the files it reports as threats, presumably to make its claims seem more plausible.

Modifies system settings

Recent variants of Win32/FakeRean make a number of changes to the registry in order to ensure that FakeRean's executable is executed every time a file with an '.exe' file extension is run. Win32/FakeRean may make the following registry modifications for this purpose:

Key: HKCU\Software\Classes\.exe
Value: (Default)
Data: "secfile"
Value: Content Type
Data: "application/x-msdownload"

Key: HKCU\Software\Classes\.exe\DefaultIcon
Value: (Default)
Data: "%1"

Key: HKCU\Software\Classes\.exe\shell\open\command
Value: (Default)
Data: ""C:\Documents and Settings\Administrator\Local Settings\Application Data\av.exe" /START "%1" %*"
Value: IsolatedCommand
Data: ""%1" %*"

Key: HKCU\Software\Classes\.exe\shell\runas\command
Value: (Default)
Data: ""%1" %*"
Value: IsolatedCommand
Data: ""%1" %*"

Key: HKCU\Software\Classes\.exe\shell\start\command
Value: (Default)
Data: ""%1" %*"
Value: IsolatedCommand
Data: ""%1" %*"

Key: HKCU\Software\Classes\secfile
Value: (Default)
Data: "Application"
Value: Content Type
Data: "application/x-msdownload"

Key: HKCU\Software\Classes\secfile\DefaultIcon
Value: (Default)
Data: "%1"

Key: HKCU\Software\Classes\secfile\shell\open\command
Value: (Default)
Data: ""C:\Documents and Settings\Administrator\Local Settings\Application Data\av.exe" /START "%1" %*"
Value: IsolatedCommand
Data: ""%1" %*"

Key: HKCU\Software\Classes\secfile\shell\runas\command
Value: (Default)
Data: ""%1" %*"
Value: IsolatedCommand
Data: ""%1" %*"

Key: HKCU\Software\Classes\secfile\shell\start\command
Value: (Default)
Data: ""%1" %*"
Value: IsolatedCommand
Data: ""%1" %*"

Additional Information

FakeRean may set a registry entry containing the date it was installed, for example:
Key: HKLM\Software\XP_Antispyware
Value: info
Data: "10/21/2008"
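As an added example (not part of the Microsoft write-up), the following read-only PowerShell script checks a host for the registry changes listed above: the per-user .exe and secfile handler hijack, the Start menu Internet Explorer wrapper, the disabled Security Center notifications, the hidden control panel applets, and Run entries using the /hide switch. It assumes PowerShell 3.0 or later on the machine being examined; the function names are my own.

```powershell
# Added example, not the write-up's own code: read-only checks for the FakeRean
# registry changes described above. Nothing is modified; findings are returned
# as strings. Assumes PowerShell 3.0+; run elevated to read the HKLM keys.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns the value data, or $null if the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Find-FakeReanIndicators {
    $findings = @()

    # 1. Per-user .exe handler hijack. A clean profile normally has no
    #    HKCU .exe class at all; a benign one would launch "%1" %* directly.
    foreach ($cls in '.exe', 'secfile') {
        $cmd = Get-RegValue "HKCU:\Software\Classes\$cls\shell\open\command" '(default)'
        if ($cmd -and $cmd.Trim() -ne '"%1" %*') {
            $findings += "HKCU class hijack: $cls open command = $cmd"
        }
    }

    # 2. Start menu Internet Explorer entry wrapped by a '/START' launcher.
    $ie = Get-RegValue 'HKLM:\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command' '(default)'
    if ($ie -and $ie -match '/START') { $findings += "StartMenuInternet hijack: $ie" }

    # 3. Security Center notifications switched off.
    foreach ($v in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
        if ((Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Security Center' $v) -eq 1) {
            $findings += "Security Center notification disabled: $v"
        }
    }

    # 4. Real Security Center applet hidden from the Control Panel.
    foreach ($cpl in 'scui.cpl', 'wscui.cpl') {
        if ((Get-RegValue "HKCU:\Control Panel\don't load" $cpl) -eq 'No') {
            $findings += "Control Panel applet suppressed: $cpl"
        }
    }

    # 5. Run entries that start a program with '/hide', like the fake scanner's.
    $run = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -match '/hide\b') {
                $findings += "Run entry with /hide: $($p.Name) = $($p.Value)"
            }
        }
    }
    return $findings
}

Find-FakeReanIndicators
```

An empty result means none of the listed indicators were found; any finding should be confirmed with a full scan by an up-to-date security product, as the Special Note above recommends.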

Analysis by Hamish O'Dea

Last update 13 January 2012
