Lumension® Endpoint Intelligence Center

W32/FakeAV


Threat Risk LOW
Destructivity Unknown
Payload Disturbs users and tries to sell rogue security software.
Detection files published
Description created 16 Apr 2010 12:52:00
Description updated 16 Apr 2010 12:52:00
Malware type TROJAN
Alias Win32/Meredrop (Microsoft)
FakeAlert (McAfee)
Trojan.Fakeavalert (Symantec)
Troj/FakeAV (Sophos)
FraudTool.Win32.VirusRemover (Kaspersky Lab)
Spreading mechanism OTHER



W32/FakeAV is a trojan that disguises itself as a legitimate antivirus program and displays various fake pop-up messages warning of infection. It may also download additional malware to the compromised system.
Installation
When the file is executed, the trojan makes the following system changes:
[Changes to file system]
 [Files created]
%Profile%\Start Menu\Security Tool
%Profile%\Start Menu\Security Tool\Security Tool
%Profile%\Application Data\\.exe
[Changes to registry]
Values added:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "46699135"
Type: REG_SZ
Data: C:\DOCUME~1\ALLUSE~1\APPLIC~1\46699135\46699135.exe
Values deleted:
HKEY_CURRENT_USER\Control Panel\Desktop "Wallpaper"
Type: REG_SZ
Data: C:\WINDOWS\web\wallpaper\Bliss.bmp
[Network activity]
http:// [Removed].com/in.php?affid=00000&url=5&win=Window
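The file-system and registry changes listed above are concrete enough to check for on a suspect machine. The script below is an added example written for this page, not code from Lumension: it parses a `reg export`-style text for the HKLM Run key and the HKCU Desktop key and applies the indicators documented here (a numeric Run value pointing at `<name>\<name>.exe` under the All Users Application Data folder, a deleted Wallpaper value, and the `Start Menu\Security Tool` folders). The sample export and Start Menu listing are constructed, not captured from a real host; treating the matching all-digit value name, folder name and executable name as the general pattern is an assumption made here, since the page shows a single instance (46699135). The `DOCUME~1\ALLUSE~1\APPLIC~1` short paths are Windows XP-era; on Vista and later the All Users profile data lives under `C:\ProgramData`, so the path in a real export will differ even though the name pattern check still applies.

```python
"""Offline check for the W32/FakeAV ("Security Tool") indicators listed above.

The parser reads a `reg export`-style text, so the logic can be exercised on a
saved export from an infected machine without touching the live registry.
"""
import re

# Constructed sample export (not captured from a real host). The first Run value
# reproduces the entry documented on this page; the second is a benign decoy.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"46699135"="C:\\DOCUME~1\\ALLUSE~1\\APPLIC~1\\46699135\\46699135.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre6\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\Control Panel\Desktop]
"ScreenSaveActive"="1"
"""

# Constructed directory listing of a user's Start Menu (not from a real host).
SAMPLE_START_MENU = [
    r"C:\Documents and Settings\alice\Start Menu\Programs",
    r"C:\Documents and Settings\alice\Start Menu\Security Tool",
    r"C:\Documents and Settings\alice\Start Menu\Security Tool\Security Tool",
]

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
DESKTOP_KEY = r"hkey_current_user\control panel\desktop"

_KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg_export(text):
    """Return {key (lower-cased): {value name: REG_SZ data}} from a .reg export.

    Only string values are handled, which covers the entries on this page;
    other value types and the (Default) value are ignored.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        m = _KEY_LINE.match(line.strip())
        if m:
            current = m.group("key").lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line.strip())
        if m and current is not None:
            # .reg escapes a quote as \" and a backslash as \\
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            keys[current][m.group("name")] = data
    return keys


def find_fakeav_run_entries(reg):
    """Run values whose name is all digits and whose data ends in <name>\\<name>.exe.

    The page documents one such value (46699135); treating the all-digit
    name/folder/exe triple as the pattern is an assumption made here.
    """
    hits = []
    for name, data in reg.get(RUN_KEY, {}).items():
        path = data.strip('"')
        parts = path.split("\\")
        if len(parts) < 2:
            continue
        exe, parent = parts[-1].lower(), parts[-2]
        if name.isdigit() and parent == name and exe == f"{name}.exe":
            hits.append((name, path))
    return hits


def wallpaper_value_missing(reg):
    """True when HKCU\\Control Panel\\Desktop was exported but has no Wallpaper value.

    This mirrors the deletion documented above; on its own it is a weak signal,
    since a user may simply have no wallpaper configured.
    """
    desktop = reg.get(DESKTOP_KEY)
    if desktop is None:
        return False  # key not in the export, so nothing can be concluded
    return not any(n.lower() == "wallpaper" for n in desktop)


def suspicious_start_menu_entries(paths):
    """Paths matching the 'Start Menu\\Security Tool' folders created by the trojan."""
    return [p for p in paths if "\\start menu\\security tool" in p.lower()]


def scan(reg_text, start_menu_paths):
    """Run all three checks and return the findings as one dict."""
    reg = parse_reg_export(reg_text)
    return {
        "run_entries": find_fakeav_run_entries(reg),
        "wallpaper_missing": wallpaper_value_missing(reg),
        "start_menu": suspicious_start_menu_entries(start_menu_paths),
    }


if __name__ == "__main__":
    for finding, value in scan(SAMPLE_REG_EXPORT, SAMPLE_START_MENU).items():
        print(f"{finding}: {value}")
```

To use it on a real machine, export the two keys with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` and `reg export "HKCU\Control Panel\Desktop" desktop.reg`, concatenate the files and pass the text to `scan()` together with a listing of the user's Start Menu folder. The Run-key match is the strong indicator; a missing Wallpaper value only corroborates it.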

Payload Details
General information about removal of malicious software: Norman's antivirus products are in general able to remove all malicious software that is detected. Some malware variants, however, use techniques that the general product does not remove sufficiently. We have therefore developed the free product Lumension Malware Cleaner. Please use the latest version of this program from the link below if your Lumension antivirus is unable to clean the infection.

Related links:
New Lumension Malware Cleaner available in Net: Lumension Malware Cleaner
Cleaning of back-up folders on Windows Me and XP

Last Updated: 12 Nov 2015 11:06:10