
Trojan:Win32/FakeIA.E


First posted on 16 March 2009.
Source: SecurityHome

Aliases:

Trojan:Win32/FakeIA.E is also known as Win32/FakeAlert.UT (CA), Trojan.FakeAlert.AQE (BitDefender), FakeAlert-AB (McAfee), Trojan.Win32.Inject.lqv (Kaspersky), Adware/MalwareAlarm (Panda), Troj/FakeVir-IE (Sophos), Troj/FakeAle-KX (Sophos), Trojan.Fakeavalert (Symantec), Downloader.MisleadApp (Symantec).

Explanation:

Special Note:

Reports of Rogue Antivirus programs have been more prevalent as of late. These are programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software. Some of these programs, such as Trojan:Win32/Antivirusxp and Program:Win32/FakeRednefed may display product names or logos in an apparently unlawful attempt to impersonate Microsoft products. These products may represent themselves as “Antivirus XP”, “AntivirusXP 2008”, “WinDefender 2008”, “XP Antivirus”, or similar. Trojan:Win32/FakeIA.E is a detection for certain DLL and EXE files that are related to rogue security programs that display product names or logos in an apparently unlawful attempt to impersonate Microsoft products.

Symptoms
Symptoms vary among different distributions of Trojan:Win32/FakeIA.E; however, the presence of the following system changes (or similar) may indicate the presence of this program:

  • Presence of the following files, or similar (for example):
    %APPDATA%\Google\Gmail\ .gif
    %APPDATA%\Google\Gmail\y.gif
    %APPDATA%\Google\Gmail\[name lost in extraction].gif


  A DLL file detected as Trojan:Win32/FakeIA.E monitors the system for the following actions:
  • System information is returned/accessed
  • Certain registry entries or keys are read/accessed
  • Certain data is sent/received

  The file then hijacks HTTP connections so that a connection to one of the following URLs is made instead:
  • defender-review.com
  • defender2009.com

  These URLs may automatically install fake security products on the system. The file may also create the following folder and files:
  • %APPDATA%\Google\Gmail\ .gif
  • %APPDATA%\Google\Gmail\y.gif
  • %APPDATA%\Google\Gmail\[name lost in extraction].gif

  The dropped GIF files may resemble the Windows Defender icon. An EXE file detected as Trojan:Win32/FakeIA.E may display a user interface with the title or heading "Security Center Alert".
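As an added example (not part of the original entry or Microsoft's detection logic), the following script checks the two kinds of indicator listed above: proxy log lines whose destination is one of the hijack domains, and files sitting in the %APPDATA%\Google\Gmail folder with a .gif extension. The proxy log layout and the file inventory are constructed for illustration.

```python
# Indicator check for Trojan:Win32/FakeIA.E based on the page's IoCs.
# Added example; log format and file paths below are constructed.
import re
from urllib.parse import urlsplit

HIJACK_DOMAINS = {"defender-review.com", "defender2009.com"}
# Dropped GIFs live under %APPDATA%\Google\Gmail\; names vary per sample.
DROP_DIR_RE = re.compile(r"\\Google\\Gmail\\[^\\]*\.gif$", re.IGNORECASE)


def host_of(url):
    """Lowercase host of a URL, or of a bare 'host:port' CONNECT target."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return (parts.hostname or "").lower()


def domain_matches(host):
    """True if host is a hijack domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in HIJACK_DOMAINS)


def scan_proxy_log(lines):
    """Return (client_ip, host) for lines reaching a hijack domain.
    Assumed (constructed) layout: '<ts> <client_ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip instead of crashing the scan
        host = host_of(fields[3])
        if domain_matches(host):
            hits.append((fields[1], host))
    return hits


def scan_file_inventory(paths):
    """Return expanded paths that match the dropped-file location."""
    return [p for p in paths if DROP_DIR_RE.search(p)]


# Constructed sample data for a stand-alone run
SAMPLE_LOG = [
    "1237190400.123 10.0.0.12 GET http://www.defender2009.com/buy.php 200",
    "1237190401.456 10.0.0.12 GET http://update.example.org/patch 200",
    "1237190402.789 10.0.0.17 CONNECT defender-review.com:443 200",
    "garbage line",
]
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\Google\Gmail\y.gif",
    r"C:\Users\alice\AppData\Roaming\Google\Gmail\ .gif",
    r"C:\Users\alice\Pictures\holiday.gif",
]
```

Run `scan_proxy_log(SAMPLE_LOG)` and `scan_file_inventory(SAMPLE_FILES)` against real proxy exports and a file inventory (paths with %APPDATA% already expanded) to triage a host; a match on either list warrants closer inspection, not automatic remediation.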

    Analysis by Dan Kurc

    Last update 16 March 2009
