Trojan.Win32.FakeAV.eya

Technical Details

This Trojan poses as an anti-virus program in order to extract payment from the user for the detection and removal of non-existent threats. It is a Windows application (PE EXE file). It is 1 134 592 bytes in size. It is written in C++.

Installation

Once launched, the Trojan moves its body into the following file:

%USERPROFILE%\Local Settings\Application Data\<rnd>.exe

where <rnd> is a random six-digit decimal number.


To ensure that the copy created is launched automatically each time the system is rebooted, the following system registry keys are created:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"<rnd>" = ""%USERPROFILE%\Local Settings\Application Data\<rnd>.exe" 0 47"
[HKU\S-1-5-21-606747145-1060284298-839522115-1003\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"<rnd>" = ""%USERPROFILE%\Local Settings\Application Data\<rnd>.exe" 0 47"

The Trojan then displays the following message:



The Trojan then launches the previously created copy and ceases running.
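As an added example (not part of this description or of any Kaspersky tooling), the following Python script scans a `reg export` dump of the RunOnce keys for entries matching the persistence pattern above: a six-digit value name whose data launches the same-named executable from %USERPROFILE%\Local Settings\Application Data with the arguments `0 47`. The .reg text is a constructed sample, and the assumption that the value is exported as a REG_SZ string (not REG_EXPAND_SZ hex) is mine.

```python
import re

# Constructed sample of a `reg export` dump (.reg syntax). Assumption: the RunOnce
# values are exported as REG_SZ strings; the key/value pattern is the one from the writeup.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Updater"="\"C:\\Program Files\\Example\\upd.exe\" /quiet"
"473829"="\"%USERPROFILE%\\Local Settings\\Application Data\\473829.exe\" 0 47"
"118204"="\"C:\\Tools\\118204.exe\""

[HKEY_USERS\S-1-5-21-606747145-1060284298-839522115-1003\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"473829"="\"%USERPROFILE%\\Local Settings\\Application Data\\473829.exe\" 0 47"
'''

# RunOnce under the current user or under any user SID in HKEY_USERS
RUNONCE_KEY = re.compile(
    r'^(HKEY_CURRENT_USER|HKEY_USERS\\S-1-5-[\d-]+)'
    r'\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce$', re.I)
# "<rnd>.exe" launched from Local Settings\Application Data with arguments 0 47
FAKEAV_DATA = re.compile(
    r'^"%USERPROFILE%\\Local Settings\\Application Data\\(\d{6})\.exe" 0 47$', re.I)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg(text):
    """Yield (key, name, data) for the REG_SZ values in a .reg dump, unescaping \\ and \"."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = VALUE_LINE.match(line)
            if m:
                name, data = (re.sub(r'\\(.)', r'\1', g) for g in m.groups())
                yield key, name, data


def find_fakeav_runonce(text):
    """Return (key, value_name, dropped_file) for every RunOnce value matching the pattern."""
    hits = []
    for key, name, data in parse_reg(text):
        if not RUNONCE_KEY.match(key) or not re.fullmatch(r'\d{6}', name):
            continue
        m = FAKEAV_DATA.match(data)
        if m and m.group(1) == name:  # value name and dropped file name must agree
            hits.append((key, name, data.split('"')[1]))
    return hits


if __name__ == '__main__':
    for key, name, path in find_fakeav_runonce(SAMPLE_REG):
        print(f'{key}\n  {name} -> {path}')
```

Only entries whose value name equals the dropped file name are reported, so a benign six-digit RunOnce value pointing elsewhere is not flagged.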

Payload

Once launched, the Trojan performs the following actions:

  • It modifies the following system registry key values:
    [HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
    "ProxyEnable" = "0"
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "MigrateProxy" = "1"
    "ProxyEnable" = "0"

  • It deletes the following values from the registry key:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyServer"
    "ProxyOverride"
    "AutoConfigURL"

    These changes modify Internet Explorer's proxy server settings.
  • The Trojan simulates a computer file system scan and displays information about false threats. It also displays a message stating that program updates are available:



  • When a false scan has been completed, a click on the "Remove" button opens the program activation window:



  • When the user clicks on "Activate Security Tool", the license purchase window opens:



    This new window opens over the top of other windows and takes up the entire working area of the screen. The Trojan intercepts the input focus and places it in this window.
  • When the user attempts to launch the Task Manager, Registry Editor or the system command interpreter, the processes of those system utilities are terminated and the Trojan displays the following messages:



  • As part of its operations, the Trojan displays the following messages in the notification area:


  • This Trojan can update itself by connecting to the following server:
    77.***.124
    

Removal Instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

1. Reboot the computer in Safe Mode (at the start of the boot sequence, press and hold F8, then choose Safe Mode from the Windows boot menu).
2. Delete the following file:
   %USERPROFILE%\Local Settings\Application Data\<rnd>.exe

3. Delete the following system registry keys (see What is a system registry and how do I use it?):
   [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
   "<rnd>" = ""%USERPROFILE%\Local Settings\Application Data\<rnd>.exe" 0 47"
   [HKU\S-1-5-21-606747145-1060284298-839522115-1003\Software\Microsoft\Windows\CurrentVersion\RunOnce]
   "<rnd>" = ""%USERPROFILE%\Local Settings\Application Data\<rnd>.exe" 0 47"

4. Restore the original system registry key values (see What is a system registry and how do I use it?):
   [HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
   "ProxyEnable"
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
   "MigrateProxy"
   "ProxyEnable"
   "ProxyServer"
   "ProxyOverride"
   "AutoConfigURL"

5. Empty the Temporary Internet Files directory, which may contain infected files (see How to delete infected files from Temporary Internet Files folder?).
6. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).


MD5: 1557EF468DBDA9E0A917571CFCDFD2CF
SHA1: FC1598BBE28EA47C1B361EAD8AF3CCD395298866