The Stubborn Rogue

Trojan.Fakealert.CAWis the latest of its kind. The 1,164 KB package is extremely large for an average piece of malware, but it surely does not want to go unnoticed. After deployment, this rogue AV utility creates its own folder in “%systemdrive%\Documents and Settings\ All Users\Application Data\” and remains it using an 8-digit random string. In this folder, Trojan.Fakealert.CAW creates a copy of itself under the same random name, as well as a batch file which runs the newly created copy with the “install” parameter. Afterwards, both the original and the batch files are deleted.

Upon successfully infecting the system, the malware starts popping up alerts informing the user about the installation of the “Security Tool”, creates shortcuts on the desktop, start-menu and tray icon, sets  itself to automatically start-up by creating a new entry in the registry under the key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” with its file path as value.

It would also start doing its magic: the user is informed that the computer is infected with various types of malware, and he/she needs to purchase the full version of Security Tool to start the cleanup process. In order to make things look worse, different warning messages are displayed.

After a thorough scan, the (rogue) antivirus Security Tool will ask the user to restart, which would only continue the damage spree by hiding desktop items and closing almost all applications the user tries to access. More than that, if the user opens an internet browser, firewall alerts will also be popping out.

The charade goes on: a screensaver displaying a false “blue-screen” forcing a shut-down, all for the purpose of scaring the user into buying a Rogue AV.

Aside from the Rogue AV component, Trojan.Fakealert.CAW has a spyware feature, which attempts to send information about the infected machine to a remote server.

Information in this article is available courtesy of BitDefender virusresearcher George Cabău.