Date discovered:16/07/2010
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low to medium
Static file:No
File size:296.888 Bytes
VDF version:
IVDF version:

General Method of propagation:
   • No own spreading routine

Platforms / OS:
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Side effects:
   • Drops a file
   • Falsely reports malware infection or system problems and offers to fix them if the user buys the application.
   • Lowers security settings
   • Registry modification

Right after execution the following information is displayed:

Files

It copies itself to the following location. This file has random bytes appended or changed so it may differ from the original one:
   • %ALLUSERSPROFILE%\Application Data\%random character string%\%random character string%.exe

It deletes the initially executed copy of itself.

The following file is created:

– Non-malicious file:
   • %ALLUSERSPROFILE%\Application Data\%random character string%\%random character string%

Registry

The following registry key is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
   • "eDfOdPn08503"="%ALLUSERSPROFILE%\Application Data\%random character string%\%random character string%.exe"

The following registry keys are changed:

Lower security settings from Internet Explorer:

– [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
   New value:
   • "MigrateProxy"=dword:00000001
   • "ProxyEnable"=dword:00000000
   • "ProxyServer"=-
   • "ProxyOverride"=-
   • "AutoConfigURL"=-

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   New value:
   • "ProxyBypass"=dword:00000001
   • "IntranetName"=dword:00000001
   • "UNCAsIntranet"=dword:00000001

– [HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings]
   New value:
   • "ProxyEnable"=dword:00000000
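As an added defender-side example, not part of the Avira description, the following Python script parses a constructed .reg export and reports a Run/RunOnce value whose target sits in a random-named folder under Application Data, together with the state of the Internet Settings values listed above. The folder and file names in the sample and the export format are assumptions.

```python
import re
# Constructed sample of a .reg export (assumed format, not data from the page).
SAMPLE_REG = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"eDfOdPn08503"="C:\\Documents and Settings\\All Users\\Application Data\\kfjqwe\\zxqpm.exe"
"Updater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy"=dword:00000001
"ProxyEnable"=dword:00000000
"ProxyServer"=-
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
# Autostart target of the form ...\Application Data\<dir>\<name>.exe
APPDATA_EXE_RE = re.compile(r'\\Application Data\\[^\\]+\\[^\\]+\.exe"?$', re.I)
IE_VALUES = ('MigrateProxy', 'ProxyEnable', 'ProxyServer', 'ProxyOverride', 'AutoConfigURL')

def parse_reg(text):
    """Return {key_path: {value_name: raw_value}} from .reg export text."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if key := KEY_RE.match(line):
            current = key.group(1)
            keys[current] = {}
            continue
        if (val := VALUE_RE.match(line)) and current is not None:
            keys[current][val.group(1)] = val.group(2)
    return keys

def suspicious_autostarts(keys):
    """Run/RunOnce values whose target sits in a random-named Application Data folder."""
    hits = []
    for path, values in keys.items():
        if not path.lower().endswith(('\\run', '\\runonce')):
            continue
        for name, raw in values.items():
            unescaped = raw.replace('\\\\', '\\')   # .reg doubles backslashes
            if APPDATA_EXE_RE.search(unescaped):
                hits.append((name, unescaped.strip('"')))
    return hits

def ie_proxy_state(keys):
    """Values the description lists under Internet Settings ('-' = deleted,
    None = absent). ProxyEnable=0 is a common default: corroboration only."""
    for path, values in keys.items():
        if path.lower().endswith('\\internet settings'):
            return {v: values.get(v) for v in IE_VALUES}
    return {}
```

Run it against `reg export HKCU\Software\Microsoft\Windows\CurrentVersion out.reg` output; an autostart hit is the primary indicator and the proxy values only corroborate it.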

Miscellaneous

Accesses internet resources:
   • http://89.187.53.**********/lurl.php?affid=08503
   • http://89.187.53.**********/install.php?affid=08503

File details

Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
To hinder detection and reduce the file size, it is packed with the following runtime packers:
   • PolyEnE
   • NsPack

Description inserted by Alexander Bauer on Thursday, February 24, 2011
Description updated by Alexander Bauer on Thursday, February 24, 2011
