Win32/FakeRean
First posted on 13 January 2012.
Source: Microsoft
Aliases:
Win32/FakeRean is also known as XP Home Security (other), Vista Home Security (other), Win 7 Home Security (other), XP Guard (other), Vista Guard (other), Win 7 Guard (other), XP Anti-Virus 2011 (other), Vista Anti-Virus 2011 (other), Win 7 Anti-Virus 2011 (other), XP Anti-Spyware 2011 (other), Vista Anti-Spyware 2011 (other), Win 7 Anti-Spyware 2011 (other), XP Anti-Spyware (other), Vista Anti-Spyware (other), Win 7 Anti-Spyware (other), Win 7 Home Security 2012 (other), Vista Home Security 2012 (other), XP Home Security 2012 (other), Win 7 Total Security 2012 (other), Vista Total Security 2012 (other), XP Total Security 2012 (other), Antispyware Vista (other), Antispyware Win 7 (other), Antispyware XP (other), AntiSpyware XP 2009 (other), Antivirus Pro 2010 (other), AntiVirus Studio 2010 (other), Antivirus Vista (other), Antivirus Vista 2010 (other), Antivirus Win 7 (other), Antivirus Win 7 2010 (other), Antivirus XP (other), Antivirus XP 2010 (other), Desktop Defender 2010 (other), Desktop Security 2010 (other), Home Antivirus 2010 (other), PC Antispyware 2010 (other), PC Security 2009 (other), Security Central (other), Security Solution 2011 (other), Smart Security 2010 (other), Total PC Defender (other), Total PC Defender 2010 (other), Total Vista Security (other), Total Win 7 Security (other), Total XP Security (other), Vista AntiMalware (other), Vista AntiMalware 2010 (other), Vista Antispyware 2010 (other), Vista Antivirus (other), Vista Antivirus 2010 (other), Vista Antivirus Pro (other), Vista Antivirus Pro 2010 (other), Vista Defender (other), Vista Defender 2010 (other), Vista Defender Pro (other), Vista Guardian (other), Vista Guardian 2010 (other), Vista Internet Security (other), Vista Internet Security 2010 (other), Vista Security (other), Vista Security Tool (other), Vista Security Tool 2010 (other), Vista Smart Security (other), Vista Smart Security 2010 (other), Win 7 AntiMalware (other), Win 7 AntiMalware 2010 (other), Win 7 Antispyware 2010 (other), Win 7 Antivirus (other), Win 7 Antivirus 2010 (other), Win 7 Antivirus Pro (other), Win 7 Antivirus Pro 2010 (other), Win 7 Defender (other), Win 7 Defender 2010 (other), Win 7 Defender Pro (other), Win 7 Guardian (other), Win 7 Guardian 2010 (other), Win 7 Internet Security (other), Win 7 Internet Security 2010 (other), Win 7 Security (other), Win 7 Security Tool (other), Win 7 Security Tool 2010 (other), Win 7 Smart Security (other), Win 7 Smart Security 2010 (other), XP AntiMalware (other), XP AntiMalware 2010 (other), XP AntiSpyware 2009 (other), XP Antispyware 2010 (other), XP Antivirus 2010 (other), XP Antivirus Pro (other), XP Antivirus Pro 2010 (other), XP Defender (other), XP Defender 2010 (other), XP Defender Pro (other), XP Guardian (other), XP Guardian 2010 (other), XP Internet Security (other), XP Internet Security 2010 (other), XP Police Antivirus (other), XP Security (other), XP Security Center (other), XP Security Tool (other), XP Security Tool 2010 (other), XP Smart Security (other), XP Smart Security 2010 (other), Win 7 Security Center (other), XP Defender Pro 2010 (other), Trojan:Win32/FakeRean (Microsoft), Win32/FakeRean (Microsoft), Spyware Protection (other), Vista Antispyware 2011 (other), Vista Antivirus 2011 (other), Vista Home Security 2011 (other), Vista Security 2011 (other), Vista Total Security 2011 (other), Win 7 Home Security 2011 (other), Win 7 Total Security 2011 (other), XP Antispyware 2011 (other), XP Antivirus 2011 (other), XP Home Security 2011 (other), XP Security 2011 (other), XP Total Security 2011 (other), Vista Anti-Spyware (other), Vista Anti-Spyware 2011 (other), Vista Anti-Virus 2011 (other), Vista Home Security (other), Vista Internet Security 2011 (other), Vista Total Security (other), Win 7 Anti-Spyware (other), Win 7 Anti-Spyware 2011 (other), Win 7 Anti-Virus 2011 (other), Win 7 Home Security (other), Win 7 Internet Security 2011 (other), Win 7 Security 2011 (other), Win 7 Total Security (other), XP Anti-Spyware (other), XP Anti-Spyware 2011 (other), XP Anti-Virus 2011 (other), XP Home Security (other), XP Home Security 2012 (other), XP Total Security (other), XP Internet Security 2011 (other), Vista Antispyware 2012 (other), Vista Antivirus 2012 (other), Vista Home Security 2012 (other), Vista Internet Security 2012 (other), Vista Security 2012 (other), Win 7 Antispyware 2012 (other), Win 7 Antivirus 2012 (other), Win 7 Home Security 2012 (other), Win 7 Internet Security 2012 (other), Win 7 Security 2012 (other), XP Antispyware 2012 (other), XP Antivirus 2012 (other), XP Internet Security 2012 (other), XP Security 2012 (other), Security Protection (other), Privacy Protection (other).
Explanation:
Win32/FakeRean is a family of programs that claim to scan for malware and display fake warnings of malicious files. They then inform the user that they need to pay money to register the software in order to remove these non-existent threats.
Special Note:
Reports of Rogue Antivirus programs have been more prevalent as of late. These are programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software. Some of these programs may display product names or logos in an apparently unlawful attempt to impersonate Microsoft products. To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products will detect and remove this threat:
- Microsoft Security Essentials
- Windows Defender
- Microsoft Safety Scanner
- Microsoft Windows Malicious Software Removal Tool
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.
Win32/FakeRean has been distributed under many different names. The user interface and other details vary to reflect each variant's branding. Current variants of FakeRean choose a name at random from a set of possibilities determined by the operating system of the affected computer. The table below lists the names recent variants may use to brand the interface and the associated content, such as the purchase websites, grouped by platform:
Platform: Windows 7             Platform: Windows Vista           Platform: Windows XP
Win 7 Internet Security 2010    Vista Internet Security 2010      XP Internet Security 2010
Win 7 Internet Security         Vista Internet Security           XP Internet Security
Win 7 Antivirus Pro 2010        Vista Antivirus Pro 2010          XP Antivirus Pro 2010
Win 7 Antivirus Pro             Vista Antivirus Pro               XP Antivirus Pro
Win 7 Antivirus 2010            Vista Antivirus 2010              XP Antivirus 2010
Win 7 Antivirus                 Vista Antivirus                   XP Antivirus
Win 7 Defender 2010             Vista Defender 2010               XP Defender 2010
Win 7 Guardian                  Vista Guardian                    XP Guardian
Win 7 Guardian 2010             Vista Guardian 2010               XP Guardian 2010
Antivirus Win 7 2010            Antivirus Vista 2010              Antivirus XP 2010
Win 7 Antispyware 2010          Vista Antispyware 2010            XP Antispyware 2010
Win 7 Defender                  Vista Defender                    XP Defender
Win 7 Defender Pro              Vista Defender Pro                XP Defender Pro
Win 7 Smart Security            Vista Smart Security              XP Smart Security
Win 7 Smart Security 2010       Vista Smart Security 2010         XP Smart Security 2010
Win 7 Security Tool             Vista Security Tool               XP Security Tool
Win 7 Security Tool 2010        Vista Security Tool 2010          XP Security Tool 2010
Win 7 AntiMalware               Vista AntiMalware                 XP AntiMalware
Win 7 AntiMalware 2010          Vista AntiMalware 2010            XP AntiMalware 2010
Antivirus Win 7                 Antivirus Vista                   Antivirus XP
Antispyware Win 7               Antispyware Vista                 Antispyware XP
Total Win 7 Security            Total Vista Security              Total XP Security
Win 7 Security                  Vista Security                    XP Security
Win 7 Security Center                                             XP Defender Pro 2010
Installation
Win32/FakeRean installers download several archives in either ZIP or CAB format from a remote location via HTTP. For example:
- Binaries1.cab
- Binaries2.cab
- Binaries3.cab
The installer then extracts these files into a directory it creates under %Program Files%. The installer may display a window before it begins downloading, and a progress window while the download is in progress.
Different variants of Win32/FakeRean use different names and branding. The directories and file names used depend on the branding used by each variant. For example, these files are installed by the variant that calls itself "XP Antispyware 2009":
%Program Files%\XP_AntiSpyware\AVEngn.dll
%Program Files%\XP_AntiSpyware\htmlayout.dll
%Program Files%\XP_AntiSpyware\pthreadVC2.dll
%Program Files%\XP_AntiSpyware\Uninstall.exe
%Program Files%\XP_AntiSpyware\wscui.cpl
%Program Files%\XP_AntiSpyware\XP_Antispyware.cfg
%Program Files%\XP_AntiSpyware\XP_AntiSpyware.exe
%Program Files%\XP_AntiSpyware\data\daily.cvd
%Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
%Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\msvcm80.dll
%Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\msvcp80.dll
%Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\msvcr80.dll
In another example, these files are installed by the variant that calls itself "AntispywareXP 2009":
%Program Files%\AntiSpywareXP2009\AVEngn.dll
%Program Files%\AntiSpywareXP2009\htmlayout.dll
%Program Files%\AntiSpywareXP2009\pthreadVC2.dll
%Program Files%\AntiSpywareXP2009\Uninstall.exe
%Program Files%\AntiSpywareXP2009\wscui.cpl
%Program Files%\AntiSpywareXP2009\AntiSpywareXP2009.cfg
%Program Files%\AntiSpywareXP2009\AntiSpywareXP2009.exe
%Program Files%\AntiSpywareXP2009\data\daily.cvd
%Program Files%\AntiSpywareXP2009\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
%Program Files%\AntiSpywareXP2009\Microsoft.VC80.CRT\msvcm80.dll
%Program Files%\AntiSpywareXP2009\Microsoft.VC80.CRT\msvcp80.dll
%Program Files%\AntiSpywareXP2009\Microsoft.VC80.CRT\msvcr80.dll
Win32/FakeRean also adds shortcuts to the current user's Start menu, desktop and quick launch bar, for example:
- %Start menu%\Programs\XP_AntiSpyware\XP_AntiSpyware.lnk
- %Start menu%\Programs\XP_AntiSpyware\Uninstall.lnk
- %Desktop%\XP_AntiSpyware.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\XP_AntiSpyware.lnk
or
- %Start menu%\Programs\AntiSpywareXP2009\AntiSpywareXP2009.lnk
- %Start menu%\Programs\AntiSpywareXP2009\Uninstall.lnk
- %Desktop%\AntiSpywareXP2009.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\AntiSpywareXP2009.lnk
Win32/FakeRean may also modify the registry so that its own executable runs, with the path of the real browser passed as an argument, whenever Internet Explorer is launched from the Start menu:
Adds value: (Default)
With data: "<malware file name>" /START <location of browser>
To subkey: HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
For example:
Adds value: (Default)
With data: "C:\Documents and Settings\Administrator\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
To subkey: HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
Payload
Displays fake alerts and fake scanning results
Win32/FakeRean adds a registry entry to launch its fake scanner automatically each time Windows starts. For example:
Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Value: XP Antispyware 2009
Data: ""%Program Files%\XP_AntiSpyware\XP_AntiSpyware.exe" /hide"
or
Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Value: AntiSpywareXP 2009
Data: ""%Program Files%\AntiSpywareXP2009\AntiSpywareXP2009.exe" /hide"
The fake scanner GUI is branded with whichever variant name was chosen. When a "scan" is completed, it displays a message claiming that threats were found, and periodically it may display fake warning pop-ups from its system tray icon.
Win32/FakeRean also installs a control panel applet which imitates the Windows Security Center:
<system folder>\_scui.cpl
Clicking any of the buttons or links in this window merely opens the default browser on a page to buy the fake product online.
Modifies system security settings
In order to prevent the real Windows security center from being displayed in the control panel, Win32/FakeRean sets these registry entries:
Key: HKCU\Control Panel\don't load
Value: scui.cpl
Data: "No"
Value: wscui.cpl
Data: "No"
Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value: ForceClassicControlPanel
Data: 0x1
It also sets registry entries to stop notifications from the real security center:
Key: HKLM\SOFTWARE\Microsoft\Security Center
Value: AntiVirusDisableNotify
Data: 0x1
Value: FirewallDisableNotify
Data: 0x1
Value: UpdatesDisableNotify
Data: 0x1
Win32/FakeRean may also add an uninstall entry, for example:
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XP_AntiSpyware\
Value: DisplayName
Data: "XP Antispyware 2009"
Value: UninstallString
Data: "%Program Files%\XP_AntiSpyware\Uninstall.exe"
or
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiSpywareXP2009
Value: DisplayName
Data: "AntiSpywareXP 2009"
Value: UninstallString
Data: "%Program Files%\AntiSpywareXP2009\Uninstall.exe"
This uninstall entry usually does not uninstall the trojan; however, the shortcut added to the Start menu ("Uninstall.lnk") may remove most of the program. The fake Security Center control panel applet (_scui.cpl) is left behind.
While Win32/FakeRean pretends to scan the computer, it may create files with randomly generated file names, which it fills with random "junk" bytes. These are the files it reports as threats, presumably to make its claims seem more plausible.
Modifies system settings
Recent variants of Win32/FakeRean make a number of changes to the registry to ensure that FakeRean's executable runs every time a file with an '.exe' extension is launched. It does this by reassociating the '.exe' extension under HKCU\Software\Classes with a new ProgID, "secfile", whose open command runs the malware with the original program's path and arguments passed after the /START switch ("%1" %*). Because entries under HKCU\Software\Classes take precedence over the machine-wide HKLM\Software\Classes entries (where .exe maps to "exefile"), the change affects only the current user, but it requires no administrative rights to make. Win32/FakeRean may make the following registry modifications for this purpose:
To subkey: HKCU\Software\Classes\.exe
Sets value: "(Default)"
With data: "secfile"
To subkey: HKCU\Software\Classes\.exe
Sets value: "Content Type"
With data: "application/x-msdownload"
To subkey: HKCU\Software\Classes\.exe\DefaultIcon
Sets value: "(Default)"
With data: "%1"
To subkey: HKCU\Software\Classes\.exe\shell\open\command
Sets value: "(Default)"
With data: ""C:\Documents and Settings\Administrator\Local Settings\Application Data\av.exe" /START "%1" %*"
To subkey: HKCU\Software\Classes\.exe\shell\open\command
Sets value: "IsolatedCommand"
With data: ""%1" %*"
To subkey: HKCU\Software\Classes\.exe\shell\runas\command
Sets value: "(Default)"
With data: ""%1" %*"
To subkey: HKCU\Software\Classes\.exe\shell\runas\command
Sets value: "IsolatedCommand"
With data: ""%1" %*"
To subkey: HKCU\Software\Classes\.exe\shell\start\command
Sets value: "(Default)"
With data: ""%1" %*"
To subkey: HKCU\Software\Classes\.exe\shell\start\command
Sets value: "IsolatedCommand"
With data: ""%1" %*"
To subkey: HKCU\Software\Classes\secfile
Sets value: "(Default)"
With data: "Application"
To subkey: HKCU\Software\Classes\secfile
Sets value: "Content Type"
With data: "application/x-msdownload"
To subkey: HKCU\Software\Classes\secfile\DefaultIcon
Sets value: "(Default)"
With data: "%1"
To subkey: HKCU\Software\Classes\secfile\shell\open\command
Sets value: "(Default)"
With data: ""C:\Documents and Settings\Administrator\Local Settings\Application Data\av.exe" /START "%1" %*"
To subkey: HKCU\Software\Classes\secfile\shell\open\command
Sets value: "IsolatedCommand"
With data: ""%1" %*"
To subkey: HKCU\Software\Classes\secfile\shell\runas\command
Sets value: "(Default)"
With data: ""%1" %*"
To subkey: HKCU\Software\Classes\secfile\shell\runas\command
Sets value: "IsolatedCommand"
With data: ""%1" %*"
To subkey: HKCU\Software\Classes\secfile\shell\start\command
Sets value: "(Default)"
With data: ""%1" %*"
To subkey: HKCU\Software\Classes\secfile\shell\start\command
Sets value: "IsolatedCommand"
With data: ""%1" %*"
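The registry changes listed on this page (the per-user .exe reassociation above, the Start menu Internet Explorer hijack, the Security Center notification switches and the hidden wscui.cpl applet) are the kind of thing an incident responder checks from an exported registry hive rather than by hand. The following script is an added example, not Microsoft's code and not part of the original write-up: it parses the output of `reg export` (the .reg text format; Windows writes these files as UTF-16, so open them with encoding="utf-16") and reports every deviation from the stock values, together with the binaries that were wedged in front of the normal launchers. The embedded SAMPLE_REG is constructed from the values on this page and is not a real capture; the key paths it checks are the ones listed above.

```python
# Added example (not Microsoft's code): flag the FakeRean-style registry changes
# described on this page in the output of `reg export` (.reg format). Assumes
# the export was already read as text (Windows writes .reg files as UTF-16).
import re

STOCK_LAUNCHER = '"%1" %*'    # what exefile\shell\open\command normally holds
STOCK_EXE_PROGID = "exefile"  # what .exe normally maps to (machine-wide, in HKCR)
HKCU_CLASSES = r"HKEY_CURRENT_USER\Software\Classes"
IE_START_MENU = r"HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command"

# Constructed sample built from the values this page lists; not a real capture.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"
"Content Type"="application/x-msdownload"
[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\av.exe\" /START \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"
[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
@="\"C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\av.exe\" /START \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\ave.exe\" /START \"C:\\Program Files\\Internet Explorer\\iexplore.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_CURRENT_USER\Control Panel\don't load]
"wscui.cpl"="No"
"scui.cpl"="No"
'''


def _decode(data):
    """Decode one .reg value: quoted strings (\\ and \" escapes) and dword:; others stay raw."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return re.sub(r'\\(["\\])', r"\1", data[1:-1])
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data


def parse_reg(text):
    """Parse `reg export` text into {key_path: {value_name: value}}; the default value is "@".
    Multi-line hex(...) values and names containing '=' are not needed here and not handled."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            name, _, data = line.partition("=")
            keys[current]["@" if name == "@" else _decode(name)] = _decode(data)
    return keys


def _program_of(cmd):
    """The program a shell command line starts with ("quoted path" or first token), or None."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else None


def find_indicators(keys):
    """Return (findings, launchers): what was changed, and the binaries wedged in front
    of the stock launchers (the files to collect and remove)."""
    by_lower = {k.lower(): v for k, v in keys.items()}
    get = lambda path: by_lower.get(path.lower(), {})
    findings, launchers = [], set()

    # 1. Per-user .exe ProgID: an entry here shadows HKCR\.exe for this user only.
    progid = get(HKCU_CLASSES + r"\.exe").get("@")
    if progid and progid.lower() != STOCK_EXE_PROGID:
        findings.append(f".exe ProgID redirected to '{progid}' under HKCU")

    # 2. Any per-user verb for .exe, or for the ProgID it now points to, that does
    #    not simply run the file itself ("%1" %*).
    watched = {".exe", (progid or "").lower()}
    verb_re = re.compile(re.escape(HKCU_CLASSES) + r"\\([^\\]+)\\shell\\(\w+)\\command$", re.I)
    for path, values in keys.items():
        m, cmd = verb_re.match(path), values.get("@", "")
        if m and m.group(1).lower() in watched and cmd and cmd != STOCK_LAUNCHER:
            findings.append(f"{m.group(1)}\\shell\\{m.group(2)} runs: {cmd}")
            launchers.add(_program_of(cmd) or cmd)

    # 3. Start menu Internet Explorer entry routed through another program.
    prog = _program_of(get(IE_START_MENU).get("@", ""))
    if prog and not prog.lower().endswith("iexplore.exe"):
        findings.append(f"Start menu IE entry wrapped by: {prog}")
        launchers.add(prog)

    # 4. Security Center notifications switched off; 5. the real applet hidden.
    sc = get(r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center")
    for name in ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify"):
        if sc.get(name) == 1:
            findings.append(f"Security Center: {name}=1")
    if str(get(r"HKEY_CURRENT_USER\Control Panel\don't load").get("wscui.cpl", "")).lower() == "no":
        findings.append("wscui.cpl hidden via Control Panel\\don't load")
    return findings, launchers


if __name__ == "__main__":
    found, bins = find_indicators(parse_reg(SAMPLE_REG))
    print("\n".join(found) + "\nLaunchers: " + ", ".join(sorted(bins)))
```

Two points of design: the .exe checks are keyed on whatever ProgID the per-user .exe entry now names, so a variant that picks a class name other than "secfile" is still caught, and the stock launcher is compared as an exact string because any command other than `"%1" %*` for an executable's own verb is by definition a wrapper. On the sample above the script reports eight findings and two launcher paths (av.exe and ave.exe), which are the files to collect before cleaning up the keys.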
Additional information
FakeRean may set a registry entry containing the date it was installed, for example:
Key: HKLM\Software\XP_Antispyware
Value: info
Data: "10/21/2008"
Analysis by Hamish O'Dea
Last update 13 January 2012