Home / malware Win32/Fakeinit
First posted on 26 April 2010.
Source: SecurityHomeAliases :
Win32/Fakeinit is also known as Trojan.FakeAlert.AUW (BitDefender), Win32/FakeAV.ABR (CA), Fraudtool.XPAntivirus.BCVY (VirusBuster), Adware/AntivirusXPPro (Panda), AntiVirus2008 (Symantec), Advanced Virus Remover (other), Win32/AdvancedVirusRemover.G (CA), Internet Security 2010 (other), FakeAlert-KS.a (McAfee), W32/FakeAlert.BRQF (Norman), Trojan.Fakealert.12876 (Dr.Web), Win32/TrojanDownloader.FakeAlert.AED (ESET), Trojan-Downloader.Win32.Fakeinit (Ikarus), FakeAlert!eh (McAfee), Mal/FakeAV-BW (Sophos), Trojan.FakeAV!gen18 (Symantec), TROJ_FAKEAL.SMDP (Trend Micro), Security Essentials 2010 (other), Antivirus XP Pro (other) more.
Explanation :
Win32/Fakeinit is a family of trojans that display fake warnings of €œmalicious programs and viruses€, and inform the user that they need to pay money to register the software to remove these non-existent threats. A trojan within this family consists of a downloader component and a fake scanner component. The downloader terminates certain processes, lowers security settings, changes the desktop background, and attempts to download other malware such as Trojan:Win32/Alureon.CT. It also has a Layered Service Provider component that blocks access to webpages from certain domains. At the time of publication, it had been observed to use names such as €œInternet Security 2010€ and €œSecurity Essentials 2010€. Note: Reports of Rogue Antivirus programs have been more prevalent as of late. These are programs that generate misleading alerts and false detections to convince users to purchase illegitimate security software. Some of these programs may display product names or logos in an apparently unlawful attempt to impersonate Microsoft products. Use Microsoft Security Essentials, Microsoft Windows Defender, the Windows Live safety scanner (http://onecare.live.com/site/en-us/default.htm), or another up-to-date scanning and removal tool to detect and remove these threats and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/security/antivirus/av.aspx.
Top
Win32/Fakeinit is a family of trojans that display fake warnings of €œmalicious programs and viruses€, and inform the user that they need to pay money to register the software in order to remove these non-existent threats. A trojan within this family consists of a downloader component and a fake scanner component. The downloader terminates certain processes, lowers security settings, changes the desktop background, and attempts to download other malware such as Trojan:Win32/Alureon.CT. It also has a Layered Service Provider component that blocks access to webpages from certain domains. Members of the Win32/Fakeinit family use various installation methods, with filenames and system modifications that can differ from one variant to the next. Trojan:Win32/Fakeinit has been distributed with different names. The user interface and some other details vary to reflect each variant€™s individual branding. At the time of publication, it had been observed to use names such as "Internet Security 2010" and "Security Essentials 2010". InstallationWin32/Fakeinit€™s downloader component, detected as TrojanDownloader:Win32/Fakeinit copies itself to <system folder>\smss32.exe and <system folder>\winlogon32.exe. It also creates files at <system folder>\warnings.html and %userappdata%\Microsoft\Internet Explorer\Desktop.htt. These two files may be detected as Trojan:HTML/Fakeinit. It makes the following registry changes to ensure that it is run upon system startup: Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adds value: "smss32.exe" With data: "<system folder>\smss32.exe" Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adds value: "smss32.exe" With data: "<system folder>\smss32.exe" Under key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Sets value: Userinit With data: "<system folder>\winlogon32.exe" When run, the fake scanner component, detected as Trojan:Win32/Fakeinit, copies itself to a subfolder of the %ProgramFiles% folder. For example, the variant calling itself €œSecurity Essentials 2010€ copies itself to %ProgramFiles%\Securityessentials2010\SE2010.exe, whilst €œInternet Security 2010€ copies itself to %ProgramFiles%\internetsecurity2010\is2010.exe. It creates a registry entry to ensure that it is run upon system startup €“ for example: Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adds value: "Security essentials 2010" With data: "%ProgramFiles%\Securityessentials2010\SE2010.exe" Or Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adds value: "Internet Security 2010" With data: "%ProgramFiles%\internetsecurity2010\is2010.exe" It also creates a desktop shortcut and adds itself to the Start Menu, as can be seen in the examples below: A Layered Service Provider component may also be installed by TrojanDownloader:Win32/Fakeinit, which copies it to <system folder>\helpers32.dll before registering the DLL. This component is also detected as Trojan:Win32/Fakeinit.
Payload
Displays misleading message/alertsThe downloader component periodically displays messages suggesting that the system is infected and that the user should download tools to remove the problem. These messages may be in the form of message boxes or system tray balloons. The desktop background is also changed to display the following message: It does so using the Desktop.htt and warnings.html files dropped earlier, and by making a number of registry changes. It makes further changes to the registry to prevent the user from changing this background. For more details of these changes, please see the TrojanDownloader:Win32/Fakeinit description. Downloads and executes arbitrary files The malware contacts one or more servers from which it may download a number of files. Servers used at the time of publication included for-sunny-se.com and winter-smile.com. It saves the downloaded files to locations such as the following: <system folder>\helpers32.dll <system folder>\ES15.exe <system folder>\41.exe At the time of publication, the malware downloaded two components of the fake security software, which were detected as Trojan:Win32/Fakeinit, and a variant of Win32/Alureon, detected as Trojan:Win32/Alureon.CT. It then registers the DLL, which acts as a Layered Service Provider that may block access to certain Web sites. For more details please see below. Should the user click on the warnings displayed above, it will copy the downloaded Fakeinit component to <system folder>\<5 digit random number>.exe and launch it to install the fake security software. This has been observed to use names such as €œInternet Security 2010€ and €œSecurity Essentials 2010.€ Terminates processes The malware monitors running processes and terminates any process from a specified list, displaying the following message box in an attempt to convince the user that their system is infected: For an examples of such a list, please see the TrojanDownloader:Win32/Fakeinit description.
Disables Task Manager and Phishing Filter, and lowers security settings
The malware attempts to disable Internet Explorer€™s phishing filter by making the following registry changes:
Under key: HKCU\Software\Microsoft\Internet Explorer\PhishingFilter
Sets value: "Enabled"
With data: 0
Sets value: "EnabledV8"
With data: 0 Under key: HKLM\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter
Sets value: "EnabledV8"
With data: 0 It attempts to disable Task Manager with the following change: Under key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableTaskMgr"
With data: 1 It attempts to place sites used by the particular variant of Win32/Fakeinit into the Trusted Sites Zone by making a number of additional changes, such as those displayed in the following example: Under key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-security-essentials.com
Sets value: "http"
With data: 2 For further examples, please see the TrojanDownloader:Win32/Fakeinit description. Displays fake antivirus scanner The scanner component falsely reports a number of threats on the system. It also periodically displays a number of other dialog boxes and system tray balloons which attempt to convince the user to pay money to register the software: If the user clicks the Activate button, a browser window opens, which displays a Web site from which the user can pay to activate the program. A Web site it is currently known to open is "buy-security-essentials.com". Blocks access to certain Web sitesThe DLL component of Trojan:Win32/Fakeinit is a Layered Service Provider (LSP) that monitors traffic used by applications with the following file names: chrome.exe
csrss.exe
firefox.exe
flock.exe
iexplore.exe
opera.exe
safari.exe
svchost.exe If the traffic is to a domain from a defined list, it may block access to the site, instead displaying the following image:
For examples of sites blocked by Win32/Fakeinit, please see the Trojan:Win32/Fakeinit description.
Analysis by David WoodLast update 26 April 2010