FraudTool.Win32.FakeRean

by Atlantis on April 17th, 2012 in Malware Descriptions.

Detect: FraudTool.Win32.FakeRean
Platform: Win32
Type: Worm
Size: 868864 bytes
Extracted size: ~6266 KB
Language: Delphi
md5: A0E59B1747C0A50731A1D74E3C274198
sha1: 79C242DF2AEAAB26DA26EEB02AC1FEB676E129FD

Summary

This is a Trojan that imitates an antivirus program in order to charge the user for detecting and deleting non-existent threats.

Technical Details

Installation

To be launched automatically at each Windows startup, the Trojan adds a reference to its executable file in the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "Security Protection" = <path to a malicious file>

Payload

To ensure that only one instance of its process runs in the system, the Trojan creates a mutex with the following name:

System Protection_MUTEX

The Trojan creates a registry key whose values store its service information and settings:

[HKCU\Software\<rnd>]

where <rnd> is a unique user identifier consisting of digits and Latin letters, generated from the user's computer data, e.g. "25AF2AF4A14A11A3A97F709E44CFD916".
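As an added defender-side triage check (not part of the original description), the following PowerShell script looks on the local machine for the host artifacts described in the Installation and Payload sections: the "Security Protection" Run value, the "System Protection_MUTEX" mutex, and a HKCU\Software\<rnd> settings key. It assumes that <rnd> has the 32-character hexadecimal form of the example quoted above; the page does not state that explicitly.

```powershell
# Added triage script, not code from the original description.
# Run it as the affected user: the Trojan writes its artifacts under HKCU.
$findings = @()

# 1. Autorun persistence: value "Security Protection" in the HKCU Run key.
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = Get-ItemProperty -Path $runKey -Name 'Security Protection' -ErrorAction SilentlyContinue
if ($runValue) {
    $findings += [pscustomobject]@{
        Indicator = 'Run key value "Security Protection"'
        Detail    = $runValue.'Security Protection'   # path of the autostarted file
    }
}

# 2. Uniqueness mutex: exists only while an instance of the Trojan is running.
try {
    $m = [System.Threading.Mutex]::OpenExisting('System Protection_MUTEX')
    $m.Dispose()
    $findings += [pscustomobject]@{ Indicator = 'Mutex "System Protection_MUTEX"'; Detail = 'held by a running process' }
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # Mutex does not exist: nothing to report.
} catch [System.UnauthorizedAccessException] {
    # Mutex exists but was created with a different security descriptor.
    $findings += [pscustomobject]@{ Indicator = 'Mutex "System Protection_MUTEX"'; Detail = 'exists (access denied)' }
}

# 3. Settings key HKCU\Software\<rnd>. Assumption: <rnd> is 32 hex characters,
#    as in the example quoted in the description. Review hits manually, since a
#    legitimate product could in principle use a similar name.
Get-ChildItem -Path 'HKCU:\Software' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^[0-9A-F]{32}$' } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Indicator = 'Candidate settings key HKCU\Software\<rnd>'; Detail = $_.Name }
    }

if ($findings.Count -eq 0) {
    Write-Output 'No FakeRean artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```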

The malicious program sends a GET request to the intruder's resource:

updateo***database.com/404.php?id=195

Once launched, the Trojan shows a window in which it imitates a system scan and displays scan results listing non-existent threats:

In addition, a firewall notification warns about non-existent threats:

The following activation dialog box is displayed:

Upon clicking "Activate Now", the malicious program visits one of the available resources:

secure.artbill3dpayus.com

onlineintersec.com

sysprotection.com

to open a page listing the prices of the fake antivirus:

Afterwards, it displays a page where the user is asked to enter credit card information to purchase a license:

The malicious software periodically displays the following message in the system tray:

The malicious software terminates running processes and blocks the launch of new ones, so the user cannot terminate processes manually. Meanwhile, a message in the system tray notifies the user of virus infections supposedly detected on the PC:

To remove the detected threats, the malicious program shows dialog boxes asking for a registration key and an email address:

Removal Recommendations

If your computer was not protected by an antivirus program and has been infected with this malicious program, follow the steps below to remove it:

  1. Enter the code "Y98REW-T65FD5-U1VBF4A" in the "Registration key:" field and any email address in the "Registration E-Mail:" field. Afterwards, the Trojan will no longer block programs from starting.
  2. If the activation key does not match, start Windows in Safe Mode (at the beginning of startup, press and hold the F8 key, then select Safe Mode from the Windows Startup Menu).
  3. Delete the original Trojan file (its file name and location depend on the way the Trojan originally penetrated the user's computer).
  4. Delete the following registry value (How to Work with System Registry):

     [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
     "Security Protection" = <path to a malicious file>

  5. Clean the Temporary Internet Files folder, which contains infected files (How to clean Temporary Internet Files folder):

     %Temporary Internet Files%

  6. Run a full scan of your computer using an antivirus program with an updated definition database (Download Ad-Aware Free).