
Trojan:Win32/FakeCog


First posted on 07 December 2009.
Source: SecurityHome

Aliases :

Trojan:Win32/FakeCog is also known as Win32/Adware.CoreguardAntivirus (ESET), not-a-virus:FraudTool.Win32.CoreGuard2009 (Kaspersky), FakeAlert-FQ (McAfee), W32/Renos.FIP (Norman), Mal/TDSSPack-L (Sophos), CoreGuardAntivirus2009 (Symantec), Fraudtool.CoreGuard2009.A (VirusBuster), CoreGuard Antivirus 2009 (other).

Explanation :

Trojan:Win32/FakeCog is a fake security program that displays false infections in the system to prompt the user into buying it.

Installation :

Upon execution, Trojan:Win32/FakeCog may create a registry subkey and its associated entries, for example:

Adds value: "Settings_0"
With data: "dword:00000000"
Adds value: "SecStatus_3"
With data: "dword:00000001"
Adds value: "SecStatus_4"
With data: "dword:00000001"
Adds value: "SecStatus_5"
With data: "dword:00000001"
Adds value: "FD"
With data: "dword:00000000"
Adds value: "GUID"
With data: "455366164553576845534928"
Adds value: "Data"
With data: ":1830:2040:2145:2250:2355:2460:2670:2775:2880:"
Adds value: "swver"
With data: "1.0"
Adds value: "dbver"
With data: "1.0"
Adds value: "dbsigns"
With data: "61473"
Adds value: "InfectedFiles"
With data: "C:\WINDOWS\System32\olecli.dll,C:\WINDOWS\System32\scrrun.dll,C:\WINDOWS\System32\stclient.dll,C:\WINDOWS\System32\url.dll,C:\WINDOWS\System32\winhttp.dll,C:\WINDOWS\System32\oobe\dtsgnup.htm,C:\WINDOWS\System32\Drivers\cdaudio.sys,C:\WINDOWS\System32\Drivers\sonydcam.sys,C:\Program Files\outlook Express\wab.exe,"
Adds value: "Infected"
With data: "dword:00000009"
To subkey: HKLM\SOFTWARE\AntiMalware

Payload :

Displays false security alerts

Trojan:Win32/FakeCog displays false security alerts on the system to prompt the user into purchasing its registered version. When run, it may display the following interface:

[screenshot of the program interface not reproduced]

If the user clicks on the 'Activate your copy' button, he or she may see the following:

[screenshot of the purchase dialog not reproduced]

Note that the logos in the lower right-hand corner are there to mislead the user into thinking that the transaction is secure and legitimate. None of these companies are actually affiliated with this program.
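The registry entries listed above are the artifacts a responder would check for on a machine suspected of running this program. The following Python script is an added example, not code from the original write-up or from any vendor: it parses a Windows .reg export (the text format regedit produces), collects the values under HKLM\SOFTWARE\AntiMalware (written as HKEY_LOCAL_MACHINE in export form), matches them against the value names from the description, and pulls the "InfectedFiles" list apart, because the write-up describes those paths as false infection reports, so a clean-up must not treat them as files to remove. The .reg text embedded in the script is constructed for this example, and the two-value match threshold and the function names are my own choices.

```python
r"""Triage helper for the registry artifacts described for Trojan:Win32/FakeCog.

Added example, not code from the original write-up: it parses a Windows .reg
export (the text format regedit produces) and reports whether the
HKLM\SOFTWARE\AntiMalware values listed in the description are present.
The sample export at the bottom is constructed for this example.
"""
import re
from typing import Dict, List, Tuple

# Subkey from the write-up, in the long form used by .reg exports.
FAKECOG_SUBKEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\AntiMalware"

# Value names the write-up lists under that subkey.
FAKECOG_VALUE_NAMES = frozenset({
    "Settings_0", "SecStatus_3", "SecStatus_4", "SecStatus_5", "FD", "GUID",
    "Data", "swver", "dbver", "dbsigns", "InfectedFiles", "Infected",
})

# Assumed threshold (my choice, not from the write-up): the subkey plus at
# least two of the listed value names is treated as a match.
MIN_MATCHED_VALUES = 2

_KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)+)"=(?P<data>.*)$')
_ESCAPE = re.compile(r"\\(.)")

RegValue = Tuple[str, object]          # (type label, decoded data)
RegHive = Dict[str, Dict[str, RegValue]]


def _decode_data(data: str) -> RegValue:
    r"""Decode the data side of a .reg value line.

    dword:XXXXXXXX is hexadecimal; quoted strings escape backslash and
    double quote with a backslash.  Anything else (hex:, hex(2):, ...) is
    returned untouched with the label 'raw'.
    """
    if data.startswith("dword:"):
        return ("dword", int(data[len("dword:"):], 16))
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return ("string", _ESCAPE.sub(r"\1", data[1:-1]))
    return ("raw", data)


def parse_reg_export(text: str) -> RegHive:
    """Return {subkey: {value name: (type, data)}} for a .reg export.

    Header lines, blank lines and the default value ("@=...") are skipped;
    hex values continued over several lines are not reassembled, which is
    fine here because every indicator in the write-up is a dword or string.
    """
    hive: RegHive = {}
    current = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        key_match = _KEY_LINE.match(line)
        if key_match:
            current = key_match.group("key")
            hive.setdefault(current, {})
            continue
        value_match = _VALUE_LINE.match(line)
        if value_match and current is not None:
            name = _ESCAPE.sub(r"\1", value_match.group("name"))
            hive[current][name] = _decode_data(value_match.group("data"))
    return hive


def assess_fakecog(hive: RegHive) -> dict:
    """Compare a parsed export against the write-up's indicators.

    'falsely_reported_files' is the comma-separated list stored under
    "InfectedFiles": the write-up describes these as false infection
    reports, so they are surfaced for review, not flagged for deletion.
    """
    values = hive.get(FAKECOG_SUBKEY, {})
    matched = sorted(FAKECOG_VALUE_NAMES & set(values))
    reported: List[str] = []
    if values.get("InfectedFiles", ("", ""))[0] == "string":
        reported = [p for p in values["InfectedFiles"][1].split(",") if p]
    is_match = FAKECOG_SUBKEY in hive and len(matched) >= MIN_MATCHED_VALUES
    return {
        "subkey_present": FAKECOG_SUBKEY in hive,
        "matched_values": matched,
        "falsely_reported_files": reported,
        "verdict": "indicators of Trojan:Win32/FakeCog" if is_match else "no match",
    }


# Constructed sample export, not a real capture.  The value names, types and
# the two file paths follow the description above; the second subkey is an
# unrelated vendor key that must not trigger a match.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\AntiMalware]
"Settings_0"=dword:00000000
"SecStatus_3"=dword:00000001
"GUID"="455366164553576845534928"
"InfectedFiles"="C:\\WINDOWS\\System32\\olecli.dll,C:\\WINDOWS\\System32\\scrrun.dll,"
"Infected"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Product]
"Version"="1.0"
'''

if __name__ == "__main__":
    for field, value in assess_fakecog(parse_reg_export(SAMPLE_REG_EXPORT)).items():
        print(f"{field}: {value}")
```

To use it against a real host, export the subkey with `reg export HKLM\SOFTWARE\AntiMalware dump.reg` on the machine under review and pass the file contents to `parse_reg_export`; the dword data in an export is hexadecimal, which is why the decoder converts it with base 16 rather than reading it as a decimal count.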

Analysis by Francis Allan Tan Seng

Last update 07 December 2009
