Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » W32/FakeSpyPro

Overview

Threat Risk LOW LOW
Destructivity Unknown UNKNOWN
Payload Downloads arbitrary files, disturb users.
Detection files published
Description created 16 Apr 2010 01:20:00
Description updated 16 Apr 2010 01:20:00
Malware type TROJAN
Alias FakeAlert (McAfee)
Win32/FakeSpypro (Microsoft)
Troj/FakeAV (Sophos)
Win32.FraudPack (Kaspersky)
Spreading mechanism OTHER
UNKNOWN
Summary

W32/FakeSpyPro

Spreading

n/a

Payload Details

W32/FakeSpyPro is a rogue security program that falsely claims that the affected machine is infected with malware and encourages the user to buy a promoted product for cleaning the alleged malware from the computer.
Reports of rogue antivirus programs have been more prevalent as of late. These are programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software.  Some of these programs may display product names or logos in an apparently unlawful attempt to impersonate legitimate product.
W32/FakeSpyPro may be installed from the program’s web site or by social engineering from third party web sites.
 
When executed, W32/FakeSpyPro copies itself to %windir%\sysguard.exe and sets a registry entry to run itself at each system start:
 
Adds value: "system tool?
With data: "%windir%\sysguard.exe",
To sub key:  HKCU\Software\Microsoft\Windows\CurrentVersion\Run
It drops a DLL component to "\iehelper.dll" and sets the following registry values to load the dropped DLL at Windows start and to register the DLL component as a BHO:
Adds value: "(default)"
With data: “bho?
To subkey: HKLM\SOFTWARE\Classes\CLSID\{C9C42510-9B21-41c1-9DCD-
8382A2D07C61}
 
Adds value: "(default)"
With data: “\iehelper.dll?
To subkey: HKLM\SOFTWARE\Classes\CLSID\{C9C42510-9B21-41C1-9DCD-
8382A2D07C61}\InProcServer32
 
Adds value: "(default)"
With data:  "0?,
Tosubkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9C42510-9B21-41C1-9DCD-8382A2D07C61}
 
It also creates the following registry subkey:
HKEY_CURRENT_USER\Software\AvScan
Displays misleading messages and alerts
When the trojan’s executable—sysguard.exe—runs, it displays the following interface:

(Image not available)

Analysis

n/a

Removal

General information about removal of malicious software: Norman’s antivirus products are in general able to remove all malicious software that is detected. Some malware variants, however, use techniques that the general product does not remove sufficiently. We have therefore developed the free product Lumension Malware Cleaner. Please use the latest version of this program from the link below if your Lumension antivirus is unable to clean the infection. New Lumension Malware Cleaner available in Net: Lumension Malware Cleaner Cleaning of back-up folders on Windows Me and XP 


Last Updated: 12 Nov 2015 11:06:12