Virus:TR/Fakealert.HC
Date discovered:16/10/2008
Type:Trojan
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Medium
Static file:Yes
File size:44.032 Bytes
MD5 checksum:9d40e58d4b91df1fdf7afd3b05dba6d6
IVDF version:7.00.07.47 - Thursday, October 16, 2008

 General Method of propagation:
   • Email


Aliases:
   •  Symantec: Trojan.Virantix.C
   •  Kaspersky: Backdoor.Win32.UltimateDefender.tt
   •  F-Secure: Trojan-Downloader:W32/FakeAlert.BG
   •  Sophos: Troj/FakeVir-GL
   •  Panda: Adware/XPAntiSpyware2009
   •  Grisoft: Downloader.Zlob.AEVS
   •  VirusBuster: Trojan.Renos.AUI
   •  Eset: Win32/TrojanDownloader.FakeAlert.MN trojan
   •  Bitdefender: Packer.Malware.Lighty.I


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Registry modification

 Files The following files are created:

%SYSDIR%\brastk.exe Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: TR/Dldr.FraudLo.bai

%SYSDIR%\dllcache\figaro.sys Further investigation pointed out that this file is malware, too. Detected as: TR/Rootkit.Gen

%SYSDIR%\dllcache\beep.sys Further investigation pointed out that this file is malware, too. Detected as: TR/Rootkit.Gen

%SYSDIR%\drivers\beep.sys Further investigation pointed out that this file is malware, too. Detected as: TR/Rootkit.Gen

%WINDIR%\delself.bat This batch file is used to delete a file.

 Registry The following registry keys are added in order to run the processes after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • brastk="%SYSDIR%\brastk.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • brastk="%SYSDIR%\brastk.exe"



The following registry key is added:

– [HKLM\SYSTEM\ControlSet001\Control\Session Manager]
   • PendingFileRenameOperations=%hex values%

 Email It doesn't have its own spreading routine but it was spammed out via email. The characteristics are described in the following:


From:
The sender address is spoofed.


Subject:
The following:
   • New anjelina jolie sex scandal



Body:
The body of the email is the following:
   • anjelina jolie porn video, file attached, watch it


Attachment:
The filename of the attachment is:
   • angelina_video.zip

The attachment is an archive containing a copy of the malware itself.

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Thomas Wegele on Wednesday, October 22, 2008
Description updated by Thomas Wegele on Wednesday, October 22, 2008

Back . . . .