
27 April 2010

The cyber-criminals behind this prolific business never stop upgrading their weapons

Trojan.Fakealert.CAW is the latest of its kind. At 1,164 KB, the package is extremely large for an average piece of malware, but it clearly does not intend to go unnoticed. After deployment, this rogue AV utility creates its own folder under "%systemdrive%\Documents and Settings\All Users\Application Data\", named with a random 8-digit string. In this folder, Trojan.Fakealert.CAW creates a copy of itself under the same random name, as well as a batch file which runs the newly created copy with the "install" parameter. Afterwards, both the original file and the batch file are deleted.

Upon successfully infecting the system, the malware starts popping up alerts informing the user that "Security Tool" has been installed, creates shortcuts on the desktop and in the Start menu, adds a tray icon, and sets itself to start automatically by creating a new entry under the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" with its file path as the value.
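The two installation artefacts described above (the 8-digit folder holding a same-named executable, and the Run value pointing at it) are exactly what an incident responder would look for when triaging a suspected infection. The following Python script is an added example and not code from the original article or from BitDefender; it implements that check as pure functions over a directory listing and a set of Run values, runs them against a constructed sample (clearly not real forensic data), and, only on Windows, can read the live state with os.listdir and winreg. The all-users Application Data path is the XP-era path quoted in the article; %SystemDrive% is assumed to be C: when the variable is absent.

```python
"""Triage check for the Security Tool rogue AV layout described in the article.
Added example: the indicator logic follows the article, the sample data is constructed."""
import ntpath
import os
import re
import sys
from typing import Dict, Iterable, List, Tuple

# Assumption: SystemDrive is C: where the environment does not say otherwise.
SYSTEM_DRIVE = os.environ.get("SystemDrive", "C:")
# XP-era all-users Application Data folder, as quoted in the article.
APPDATA_ALL_USERS = ntpath.join(SYSTEM_DRIVE + "\\", "Documents and Settings",
                                "All Users", "Application Data")
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
EIGHT_DIGITS = re.compile(r"^\d{8}$")


def suspicious_dirs(listing: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """listing maps each directory name under APPDATA_ALL_USERS to its file names.
    Returns (dir_name, exe_path) for every directory whose name is 8 random digits
    and which holds an executable of the same name (the layout the article describes).
    The batch file is not required: the article says it is deleted after install."""
    hits = []
    for name, files in listing.items():
        if not EIGHT_DIGITS.match(name):
            continue
        if f"{name}.exe" in {f.lower() for f in files}:
            hits.append((name, ntpath.join(APPDATA_ALL_USERS, name, f"{name}.exe")))
    return hits


def persistence_hits(run_values: Dict[str, str], exe_paths: Iterable[str]) -> List[str]:
    """Return the Run value names whose data is the path of a suspicious executable.
    Quotes around the path are tolerated; comparison is case-insensitive as on NTFS."""
    wanted = {p.lower() for p in exe_paths}
    return [name for name, data in run_values.items()
            if data.strip().strip('"').lower() in wanted]


def triage(listing: Dict[str, List[str]], run_values: Dict[str, str]) -> Dict[str, List[str]]:
    """Combine both indicators. A folder match without a Run entry may be a partial
    install or a cleaned-up infection; a Run entry pointing there is the strong signal."""
    dirs = suspicious_dirs(listing)
    return {
        "suspicious_executables": [path for _, path in dirs],
        "run_entries": persistence_hits(run_values, [path for _, path in dirs]),
    }


def collect_live() -> Tuple[Dict[str, List[str]], Dict[str, str]]:
    """Windows only: read the real folder listing and Run key. Returns empty data elsewhere."""
    if sys.platform != "win32" or not os.path.isdir(APPDATA_ALL_USERS):
        return {}, {}
    import winreg  # imported lazily; module does not exist on non-Windows hosts
    listing = {}
    for name in os.listdir(APPDATA_ALL_USERS):
        full = os.path.join(APPDATA_ALL_USERS, name)
        listing[name] = os.listdir(full) if os.path.isdir(full) else []
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                value_name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            run_values[value_name] = str(data)
            index += 1
    return listing, run_values


# Constructed sample: one directory matching the article's layout, two decoys.
SAMPLE_LISTING = {
    "Microsoft": ["Crypto", "Network"],
    "38194027": ["38194027.exe"],      # 8 digits and same-named exe: matches
    "1234": ["1234.exe"],              # too short to match
    "55566677": ["readme.txt"],        # 8 digits but no same-named exe
}
SAMPLE_RUN = {
    "38194027": '"' + ntpath.join(APPDATA_ALL_USERS, "38194027", "38194027.exe") + '"',
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}

if __name__ == "__main__":
    listing, run_values = collect_live()
    if not listing:
        listing, run_values = SAMPLE_LISTING, SAMPLE_RUN
    print(triage(listing, run_values))
```

On Vista and later the all-users Application Data folder lives under %ProgramData% (with a junction at the old path), so a live check on such a system should point APPDATA_ALL_USERS there. An 8-digit folder name on its own is weak evidence; it is the same-named executable plus the Run value pointing at it that reproduces the article's indicator.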

Then, it starts its magic: the user is informed that the computer is infected with various types of malware, and he/she needs to purchase the full version of Security Tool to start the cleanup process. In order to make things look worse, different warning messages are displayed.

After a thorough (fake) scan, the rogue antivirus Security Tool asks the user to restart, which only continues the damage spree: desktop items are hidden and almost every application the user tries to open is closed. More than that, if the user opens an internet browser, fake firewall alerts pop up as well.

The charade goes on: a screensaver displaying a fake "blue screen" forces a shutdown, all for the purpose of scaring the user into buying the rogue AV.

Aside from the Rogue AV component, Trojan.Fakealert.CAW has a spyware feature, which attempts to send information about the infected machine to a remote server.
