
Trojan:Win32/FakePowav.B


First posted on 18 May 2009.
Source: SecurityHome

Aliases :

Trojan:Win32/FakePowav.B is also known as: Trojan:Win32/Malwarn (other), Win-Trojan/Fraudpack.728064 (AhnLab), Win32/Adware.WinXDefender (ESET), Trojan.Win32.FraudPack.amm (Kaspersky), Adware/Xpantivirus2008 (Panda), SpywareGuard2008 (Symantec).

Explanation :

Trojan:Win32/FakePowav.B is a variant of the Win32/FakePowav family that imitates the Microsoft Windows Malicious Software Removal Tool (MSRT). It displays false alerts of malware in order to convince users to pay money for security software.

Special Note:

Reports of Rogue Antivirus programs have been more prevalent as of late. These are programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software. Some of these programs may display product names or logos in an apparently unlawful attempt to impersonate Microsoft products. Use Microsoft Windows Defender, the Windows Live safety scanner (http://onecare.live.com/site/en-us/default.htm), or another up-to-date scanning and removal tool to detect and remove these threats and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.

Symptoms
Symptoms vary among different distributions of Trojan:Win32/FakePowav.B; however, the presence of the following system changes (or similar) may indicate the presence of this program:

  • Presence of the following files, or similar (for example):
    %PROGRAM_FILES%\MalwareRemoval\MalwareRemoval.exe
    %PROGRAM_FILES%\MalwareRemoval\Security Center.exe
    %APPDATA%\1spl.ini
    %APPDATA%\MalwareRemoval\MalwareRemoval.ini
  • Display of the following images/dialogs, or similar (for example):


Installation
When executed, Trojan:Win32/FakePowav.B copies itself to the following location:

  • %PROGRAM_FILES%\MalwareRemoval\MalwareRemoval.exe

It also drops the file:

  • %PROGRAM_FILES%\MalwareRemoval\Security Center.exe

and may create the following non-malicious files:

  • %APPDATA%\1spl.ini
  • %APPDATA%\MalwareRemoval\MalwareRemoval.ini

Payload
Displays fake alerts
Trojan:Win32/FakePowav.B displays an alert message and then a fake MSRT scan window. During this "scan" it enumerates and opens files and registry keys to make it appear that it is scanning; however, it does not read any data from the files or registry keys. When it has finished, it displays a results dialog. Clicking "Back" starts the fake scan again. Clicking "Finish" displays the "OEM Purchase Center" dialog, while clicking "Cancel" closes the window but displays a popup from the icon in the system tray. Clicking this popup message also displays the "OEM Purchase Center". Clicking any of the "purchase" buttons on the "OEM Purchase Center" dialog launches the browser to display a shopping page on the domain 'oem-micro-store.com'.

The file 'Security Center.exe' shows a fake Windows Security Center dialog. This shows the same information regardless of the system's actual firewall, automatic updates and virus protection status. Clicking on the "recommendations" button also launches the browser to display a page from 'oem-micro-store.com'.
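The "opens files and keys but never reads them" behaviour described above is something an analyst can pick out of a Process Monitor trace. The following is an added example, not part of the original analysis: it runs over a constructed sample in the column layout of a Procmon CSV export and flags any process that opens files or registry keys without ever issuing a read.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in the column layout of a Process Monitor CSV export
# (not a real capture). The MalwareRemoval.exe rows mimic the behaviour in the
# write-up: files and keys are opened and closed but never read. notepad.exe
# is a benign contrast that actually reads what it opens.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01","MalwareRemoval.exe","1234","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS",""
"10:00:01","MalwareRemoval.exe","1234","CloseFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS",""
"10:00:01","MalwareRemoval.exe","1234","CreateFile","C:\\Windows\\System32\\user32.dll","SUCCESS",""
"10:00:01","MalwareRemoval.exe","1234","CloseFile","C:\\Windows\\System32\\user32.dll","SUCCESS",""
"10:00:02","MalwareRemoval.exe","1234","RegOpenKey","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion","SUCCESS",""
"10:00:02","MalwareRemoval.exe","1234","RegCloseKey","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion","SUCCESS",""
"10:00:03","notepad.exe","2222","CreateFile","C:\\Users\\user\\notes.txt","SUCCESS",""
"10:00:03","notepad.exe","2222","ReadFile","C:\\Users\\user\\notes.txt","SUCCESS","Length: 512"
"10:00:03","notepad.exe","2222","RegOpenKey","HKCU\\Software\\Microsoft\\Notepad","SUCCESS",""
"10:00:03","notepad.exe","2222","RegQueryValue","HKCU\\Software\\Microsoft\\Notepad\\lfFaceName","SUCCESS","Type: REG_SZ"
"""

# Procmon operation names that open a file/key versus ones that actually read data.
OPEN_OPS = {"CreateFile", "RegOpenKey"}
READ_OPS = {"ReadFile", "RegQueryValue"}


def scan_activity(csv_text, min_opens=3):
    """Return {process: open_count} for processes that opened at least
    min_opens files/keys in the trace but never issued a read. A genuine
    scanner must read what it opens; a fake one only touches handles."""
    opens = defaultdict(int)
    reads = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        op = row["Operation"]
        if op in OPEN_OPS:
            opens[row["Process Name"]] += 1
        elif op in READ_OPS:
            reads[row["Process Name"]] += 1
    return {proc: n for proc, n in opens.items()
            if n >= min_opens and reads[proc] == 0}


if __name__ == "__main__":
    for proc, n in scan_activity(SAMPLE_CSV).items():
        print(f"{proc}: {n} opens, 0 reads -> looks like a fake scan")
```

On a real trace, export Procmon's filtered view as CSV and pass the file contents to scan_activity, raising min_opens to suit the length of the capture.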

    Analysis by Hamish O'Dea

    Last update 18 May 2009
