Name:

Trojan.FakeAlert.d

Added:

July 18, 2011

Type:

Trojan

Risk:

Low

Payload:

N/A

At risk systems:

Windows 95/98/ME/XP/NT/2003

Description:

When Trojan.FakeAlert.d is executed, it performs the following activities:

It installs the fake security application, "XP Home Security 2012". Once installed, it will display a show fake alert and that tells the user to purchase the full version.





It will block access to Internet and also disables any genuine antivirus process present.



It drops the folowing file:

%Userprofile%\Local Settings\Application Data\gee.exe

It create\modifies the following registry entries:

2067579972 = "%Userprofile%\Local Settings\Application Data\gee.exe"
HKU\Software\Microsoft\Windows\CurrentVersion\Run

command = ""%Userprofile%\Local Settings\Application Data\gee.exe"
-a "%1" %*"
HKU\Software\Classes\.exe\shell\open

command = ""%Userprofile%\Local Settings\Application Data\gee.exe"
-a "C:\Program Files\Mozilla Firefox\firefox.exe""
HKLM\Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\open

command = ""%Userprofile%\Local Settings\Application Data\gee.exe"
-a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode"
HKLM\Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode

command = ""%Userprofile%\Local Settings\Application Data\gee.exe"
-a "C:\Program Files\Internet Explorer\iexplore.exe""
HKLM\Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open

FirewallOverride = 0x00000001
AntiVirusOverride = 0x00000001
AntiVirusOverride = 0x00000001
AntiVirusOverride = 0x00000001
UpdatesDisableNotify = 0x00000001
FirewallDisableNotify = 0x00000001
AntiVirusDisableNotify = 0x00000001
HKLM\Software\Microsoft\Security Center