Malware Information

Malware name: Trojan.Fakealert.HC
Type: Trojan
Affected platform: Win32
Media-Type: application/executable
MD5 checksum: 9D40E58D4B91DF1FDF7AFD3B05DBA6D6
Static file: yes
Filesize: 44,032 Bytes
Alias names (also known as):
  • Sophos: Troj/FakeVir-GL
  • McAfee: Generic FakeAlert.d
  • CA ETrust: Win32/FakeAVDl.AY
Side effects:
  • Drops malicious files
  • Registry modification
Propagation: Email

Description:

Files

The following files are created:

– %SYSDIR%\brastk.exe This file is executed as soon as it has been fully written to disk. Further investigation showed that this file is malware, too. Detected as: Trojan.Dldr.FraudLo.bai

– %SYSDIR%\dllcache\figaro.sys Further investigation showed that this file is malware, too. Detected as: 2356

– %SYSDIR%\dllcache\beep.sys Further investigation showed that this file is malware, too. Detected as: 2356

– %SYSDIR%\drivers\beep.sys Further investigation showed that this file is malware, too. Detected as: 2356

– %WINDIR%\delself.bat This batch file is used to delete a file.

Registry

The following registry keys are added in order to run the processes after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• brastk="%SYSDIR%\brastk.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• brastk="%SYSDIR%\brastk.exe"

The following registry key is added:

– [HKLM\SYSTEM\ControlSet001\Control\Session Manager]
• PendingFileRenameOperations=%hex values%
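As an added example that is not part of this report, the following triage script parses a Windows `reg export` text file and flags the persistence entries listed above: a Run value named brastk (or pointing at brastk.exe) and a PendingFileRenameOperations value under Session Manager. The sample export and the function names are constructed for this example.

```python
import re

# Constructed sample in `reg export` text format; not an export from a real
# infected host. The brastk and PendingFileRenameOperations entries mirror
# the registry changes described in this report.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"brastk"="C:\\WINDOWS\\system32\\brastk.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager]
"PendingFileRenameOperations"=hex(7):5c,00,3f,00,3f,00,5c,00
"""

# Run keys the report names (HKCU and HKLM), compared case-insensitively.
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
SESSION_MANAGER = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager"


def parse_reg_export(text):
    """Return {key_path.lower(): {value_name: raw_data}} from reg-export text.
    Single-line values only; hex continuation lines are not joined."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys


def find_persistence(keys):
    """Return (key, value_name, data) tuples matching this report's entries."""
    findings = []
    for key in RUN_KEYS:
        for name, data in keys.get(key.lower(), {}).items():
            if name.lower() == "brastk" or "brastk.exe" in data.lower():
                findings.append((key, name, data))
    pending = keys.get(SESSION_MANAGER.lower(), {}).get("PendingFileRenameOperations")
    if pending is not None:
        # A pending rename/delete scheduled for next boot deserves manual review.
        findings.append((SESSION_MANAGER, "PendingFileRenameOperations", pending))
    return findings


if __name__ == "__main__":
    for key, name, data in find_persistence(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"[{key}] {name} = {data}")
```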

Email

It doesn't have its own spreading routine but it was spammed out via email. The characteristics are described in the following:

From:
The sender address is spoofed.

Subject:
The following:
• New anjelina jolie sex scandal

Body:
The body of the email is the following:
• anjelina jolie porn video, file attached, watch it

Attachment:
The filename of the attachment is:
• angelina_video.zip

The attachment is an archive containing a copy of the malware itself.

File details

Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.