TROJ_FAKEAV.MSRT

This Trojan may be downloaded by other malware/grayware/spyware from remote sites. It may be unknowingly downloaded by a user while visiting malicious websites.

It installs a fake antivirus/antispyware software. It displays fake alerts that warn users of infection. It also displays fake scanning results of the affected system. It then asks for users to purchase it once scanning is completed. If users decide to purchase the rogue product, users are directed to a certain website asking for sensitive information, such as credit card numbers.

Arrival Details

This Trojan may be downloaded by other malware/grayware/spyware from remote sites.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This Trojan drops a copy of itself in the following folders using different file names:

• %User Profile%\mrtw.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
mrtw = "%User Profile%\mrtw.exe"

(Note: The default value data of the said registry entry is .)

Other System Modifications

This Trojan adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusDisableNotify = "1"

(Note: The default value data of the said registry entry is .)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallDisableNotify = "1"

(Note: The default value data of the said registry entry is .)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UpdatesDisableNotify = "1"

(Note: The default value data of the said registry entry is .)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\ Policies\
Associations
LowRiskFileTypes = ".exe;"

(Note: The default value data of the said registry entry is .)

Other Details

Based on analysis of the codes, it has the following capabilities:

• The fake scanning redirects to a payment page where users are asked to pay $99.90 for the rogue software, Shield EC Antivirus.
• Shows prompts of malware infection if users ignore the recommendation.
• Adds a registry entry to associate ".EXE" files as low risk and will not prompt any warning when opened

Rogue Antivirus Routine

This Trojan installs a fake antivirus/antispyware software.

It displays fake alerts that warn users of infection. It also displays fake scanning results of the affected system. It then asks for users to purchase it once scanning is completed. If users decide to purchase the rogue product, users are directed to a certain website asking for sensitive information, such as credit card numbers.