
Rogue:Win32/FakePAV


First posted on 30 August 2010.
Source: SecurityHome

Aliases :

Rogue:Win32/FakePAV is also known as Red Cross Antivirus (other), Peak Protection 2010 (other), AntiSpy Safeguard (other), Major Defense Kit (other), Pest Detector (other).

Explanation :

Win32/FakePAV is a rogue that displays messages that imitate Microsoft Security Essentials threat reports in order to entice the user into downloading and paying for a rogue security scanner. The rogue persistently terminates numerous processes such as Windows Registry Editor, Internet Explorer, Windows Restore and other utilities and applications.

Installation

When run, Win32/FakePAV copies itself as the following:

%APPDATA%\defender.exe

The registry is modified to run the rogue at each Windows start.

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "tmp"
To data: "%APPDATA%\defender.exe"

This component of Win32/FakePAV continually enumerates running processes. If it finds a process that is in the following list, it immediately terminates it:

ACDaemon.exe
Acrobat.exe
Acrobat_sl.exe
AcroRd32.exe
Acrotray.exe
ACService.exe
Adobe Media Player.exe
Adobe_Updater.exe
AdobeARM.exe
AdobeUpdater.exe
aim.exe
aim6.exe
apdproxy.exe
AppleMobileDeviceHelper.exe
AppleMobileDeviceService.exe
ApplicationUpdater.exe
Babylon.exe
BabylonAgent.exe
Bandoo.exe
BandooUI.exe
BcmSqlStartupSvc.exe
BDTUpdateService.exe
bittorrent.exe
BJMyPrt.exe
CEC_MAIN.exe
chrome.exe
CLCapSvc.exe
CLMLSvc.exe
CLMSServer.exe
CLSched.exe
cmd.exe
COCIManager.exe
CSmileysIM.exe
CTsvcCDA.exe
DellVideoChat.exe
DesktopWeather.exe
DivXUpdate.exe
DVDAgent.exe
DVDLauncher.exe
EasyShare.exe
ehmsas.exe
ehRecvr.exe
ezprint.exe
firefox.exe
FlashUtil10a.exe
FlashUtil10b.exe
FlashUtil10c.exe
FlashUtil10d.exe
FlashUtil10e.exe
FlashUtil10h_ActiveX.exe
FlashUtil10i_ActiveX.exe
FrostWire.exe
gamevance32.exe
GoogleDesktop.exe
GoogleDesktopCrawl.exe
GoogleDesktopDisplay.exe
GoogleDesktopIndex.exe
GoogleToolbarInstaller_updater_signed.exe
GoogleToolbarUser.exe
GoogleUpdater.exe
ICQ Service.exe
IELowutil.exe
IEMonitor.exe
IEUser.exe
iexplore.exe
iPodService.exe
iTunes.exe
iTunesHelper.exe
iviRegMgr.exe
iWinTrusted.exe
java.exe
javaw.exe
KodakSvc.exe
lexbces.exe
LimeWire.exe
LogitechDesktopMessenger.exe
LogitechUpdate.exe
LWS.exe
mcrdsvc.exe
Monitor.exe
MSCamS32.exe
msmsgs.exe
msn.exe
msnmsgr.exe
MySpaceIM.exe
NBService.exe
NkMonitor.exe
NMBgMonitor.exe
NMIndexingService.exe
NMIndexStoreSvr.exe
onenotem.exe
ooVoo.exe
opera.exe
outlook.exe
PCMAgent.exe
pctsAuxs.exe
pctsSvc.exe
PDVDDXSrv.exe
PDVDServ.exe
PhotoshopElementsFileAgent.exe
PictureMover.exe
plugin-container.exe
PMVService.exe
prismxl.sys
qttask.exe
Quickcam.exe
Reader_sl.exe
RealPlay.exe
realsched.exe
regedit.exe
RichVideo.exe
RoxWatch9.exe
rstrui.exe
Safari.exe
SeaPort.exe
SearchProtection.exe
shellmon.exe
SiteRankTray.exe
Skype.exe
SkypeNames.exe
SkypeNames2.exe
skypePM.exe
SmoothView.exe
SoftwareUpdate.exe
sprtsvc.exe
SweetIM.exe
taskmgr.exe
tfswctrl.exe
TNaviSrv.exe
TomTomHOMERunner.exe
TomTomHOMEService.exe
traybar.exe
TVAgent.exe
TWebCamera.exe
TWebCameraSrv.exe
ULCDRSvr.exe
update.exe
uTorrent.exe
ViewMgr.exe
Weather.exe
WebcamDell.exe
WerCon.exe
winamp.exe
winampa.exe
winword.exe
wlcomm.exe
wlidsvc.exe
WLIDSvcM.exe
wmplayer.exe
wzqkpick.exe
YahooAUService.exe
YahooMessenger.exe
YMailAdvisor.exe
ymsgr_tray.exe
YouCam.exe
ZuneLauncher.exe

It then displays an imitation of a Microsoft Security Essentials threat report. If the user clicks "Show details", it displays the name of the program it terminated.

Note that the process is terminated immediately, meaning the program is effectively blocked from executing, regardless of the action the user takes in response to the rogue's messages.

If the user clicks either the "Clean computer" or "Apply actions" button, the rogue then displays the message "Unable to remove threat".

If the user clicks the "Scan online" button, the rogue displays a webpage which claims to show scan results from many different antivirus scanners. Most of the scanners it lists are legitimate, but only five of the scanners are listed as detecting the "threat". A button labeled "Free Install" is provided for each of these. These five programs are copies of the rogue's fake scanner. Each has a different name and look, but otherwise they are the same program. They are called:

  • Red Cross Antivirus
  • Peak Protection 2010
  • Pest Detector 4.1
  • Major Defense Kit
  • AntiSpy Safeguard
All of these fake scanners display an installation wizard when run. They drop a copy as the following:

%APPDATA%\antispy.exe

The registry is modified to run the dropped copy at each Windows start in place of the default Windows shell "Explorer.exe":

In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
To data: "%APPDATA%\antispy.exe"

After the install wizard has finished, the computer restarts.

Payload

Terminates processes

The rogue persistently terminates processes as mentioned above.

Displays misleading alerts

When the user logs in, the rogue displays a fake scanner that claims to detect malware on the computer. It does no scanning at all, but reports that some files have been restored and others can't be recovered. An example is the series of messages displayed after installing the "Red Cross Antivirus" version of Win32/FakePAV.
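The two persistence points described above (the "tmp" value under the HKCU Run key pointing at %APPDATA%\defender.exe, and the HKCU Winlogon "Shell" value replaced with %APPDATA%\antispy.exe) are what a responder should check first. The script below is an added example written for this page; it is not Microsoft's tooling or the analyst's code. It parses the text that `reg query` prints for those two keys plus a (name, pid, path) process listing, and reports anything matching the indicators on this page. The value name, key paths and dropped file names come from the page; the sample registry output, the user name "alice" and the process list are constructed for illustration. Because the rogue kills cmd.exe, taskmgr.exe and regedit.exe, collect the `reg query` output from a context the rogue does not terminate (powershell.exe is not in its list) or from an offline hive, and run the check on that text.

```python
"""Offline triage check for the Win32/FakePAV persistence points described
on this page (added example, not Microsoft's or the analyst's code).

Input is the text printed by:
    reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
    reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
plus a (name, pid, path) process listing. All sample data below is constructed.
"""
import ntpath
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
DROPPED_NAMES = {"defender.exe", "antispy.exe"}   # file names given on the page
DEFAULT_SHELL = "explorer.exe"

# `reg query` prints the key on its own line, then one value per line as
# "    <name>    <type>    <data>" with the fields separated by runs of spaces.
VALUE_RE = re.compile(r"^\s{2,}(\S.*?)\s{2,}(REG_\w+)\s{2,}(.*)$")


def parse_reg_query(text):
    """Return {key: {value_name: (type, data)}} from `reg query` output."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.upper().startswith("HKEY_"):
            current = line.strip()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, vtype, data = m.groups()
            keys[current][name] = (vtype, data.strip())
    return keys


def image_path(command):
    """Strip quotes and trailing arguments from a Run/Shell command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted: cut at the first ".exe" so paths with spaces survive.
    m = re.match(r"(.*?\.exe)", command, re.I)
    return m.group(1) if m else (command.split()[0] if command else "")


def check_run_key(keys, appdata):
    """Flag Run values that start a dropped file, or anything from %APPDATA%."""
    findings = []
    for name, (_, data) in keys.get(RUN_KEY, {}).items():
        path = image_path(data).replace("%APPDATA%", appdata)
        if ntpath.basename(path).lower() in DROPPED_NAMES:
            findings.append(("high", f"Run value '{name}' starts {path} (FakePAV dropped file name)"))
        elif path.lower().startswith(appdata.lower() + "\\"):
            findings.append(("review", f"Run value '{name}' starts an executable from %APPDATA%: {path}"))
    return findings


def check_shell(keys, appdata):
    """Flag an HKCU Winlogon Shell value that is not the default explorer.exe."""
    values = keys.get(WINLOGON_KEY, {})
    if "Shell" not in values:
        return []
    path = image_path(values["Shell"][1]).replace("%APPDATA%", appdata)
    if ntpath.basename(path).lower() != DEFAULT_SHELL:
        return [("high", f"HKCU Winlogon Shell replaced with {path}")]
    return []


def check_processes(procs):
    """Flag running processes whose image is one of the dropped files."""
    return [("high", f"{name} (pid {pid}) running from {path}")
            for name, pid, path in procs
            if ntpath.basename(path).lower() in DROPPED_NAMES]


def triage(reg_text, procs, appdata):
    keys = parse_reg_query(reg_text)
    return check_run_key(keys, appdata) + check_shell(keys, appdata) + check_processes(procs)


# Constructed `reg query` output for an infected profile (user "alice" is made up).
SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    tmp    REG_SZ    C:\Users\alice\AppData\Roaming\defender.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    C:\Users\alice\AppData\Roaming\antispy.exe
"""
SAMPLE_APPDATA = r"C:\Users\alice\AppData\Roaming"
# Constructed (name, pid, path) listing, as Get-Process | Select Name,Id,Path would give.
SAMPLE_PROCS = [
    ("explorer", 1234, r"C:\Windows\explorer.exe"),
    ("antispy", 4100, r"C:\Users\alice\AppData\Roaming\antispy.exe"),
]

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_REG, SAMPLE_PROCS, SAMPLE_APPDATA):
        print(f"[{severity}] {message}")
```

On the constructed input this reports the "tmp" Run value, the hijacked Shell value and the running antispy.exe as high-severity findings, while the legitimate OneDrive entry (which lives under AppData\Local, not the Roaming %APPDATA% directory) produces nothing. A Shell value is normally absent from HKCU altogether, so its mere presence under the user hive deserves a look even when it names explorer.exe.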

If the user clicks "Install heuristic module", the rogue displays a page where they can purchase a license for the rogue.

Additional Information

Screen shots of the different brandings of Win32/FakePAV during Windows start: "AntiSpy Safeguard", "Major Defense Kit", "Pest Detector", "Peak Protection 2010", "Red Cross Antivirus".

Analysis by Hamish O'Dea

Last update 30 August 2010