Continued from our last post — Virus Encyclopedia vol.3M
In this edition of the Virus Encyclopedia, we look at Trojans, ranging from low to high damage, that can threaten your personal financial information. We cover a family of Trojans that displays fake virus-infection alerts and convinces users to buy programs by entering their credit or debit card information.
Once known for its rapid dissemination, Trojan.FakeAlert.ZV has a low damage impact but is still considered dangerous by security analysts. It is a malicious spyware Trojan that uses deceptive tricks to facilitate the download of malware from the Internet. It compromises a computer’s security by opening the firewall, and it thereby collects the user’s confidential information. With this Trojan present, the user might end up losing personal, financial, and other vital information. It is therefore highly recommended that users take immediate measures to prevent or remove this Trojan as early as possible.
A PC infected with Trojan.FakeAlert becomes slow, and the user might experience consistent lagging. Apart from this, the prime symptom is the frequent appearance of warning alerts. These alerts warn you about infections (viruses and Trojans) that have supposedly corrupted your PC. The alerts are fake: they are tricks to make you pay for antivirus software or programs that in fact don’t exist. Other symptoms include:
- New icons on your desktop
- Switching of browser homepage
- Desktop wallpaper might get changed
Trojan.FakeAlert.ZV can enable a hacker to gain remote access to the victim PC, which can permanently damage your system, as you can never know what the hacker’s intention is or what he is capable of. This Trojan therefore definitely jeopardizes the security of your PC. Removing these spyware Trojans is a bit difficult because, if the removal process goes wrong, these viruses can automatically repair themselves.
These Trojans become active on your PC by generating fake warning messages. The messages falsely claim that your system has been infected with spyware and Trojans. If you click on one of these messages, it runs a scan showing that some very dangerous viruses have infected your system. Through such tricks it tries to get you to buy AV software or programs that your PC doesn’t actually require.
Discovered on August 20, 2008 by Deac Razvan-Ioan, a well-known virus researcher, Trojan.Downloader.JKIZ is a medium-intensity malicious Trojan that spreads at a medium speed. It infects a PC by creating files at “%windir%\system32\debug.exe”, “%windir%\system32\drivers\beep.sys”, and under random names.
These files are named c:00F443C\1000516, beep.sys, etc. and get registered as a Windows service. On being executed, this malware disables the Task Manager by creating registry keys such as Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe, and others.
The presence of this Trojan on your PC produces the following symptoms:
- It will stop the functioning of Task Manager or antivirus software
- It will lead to the inflow of unrequested Internet traffic
- The following registry entries and files will appear on your PC:
Once activated, Trojan.Downloader.JKIZ starts creating files at the following locations:
- randomly named files such as c:00F443C\1000516
All of these are the file beep.sys, which gets registered on the infected PC as a Windows service. It then creates the following registry keys:
After creating the registry keys, the malware disables the Task Manager and continues creating other malicious registry keys such as Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe. This kind of registry key is intended to disable antivirus software.
After making the AV program and Task Manager inactive, the original files delete themselves. Through this process, the Trojan prepares the affected PC for the safe downloading and running of malicious software. Without a working AV program and Task Manager, downloading malicious software becomes very easy.
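A way to check an exported registry hive for the Image File Execution Options key described above; this is an added example, not part of the original post. It assumes the hijack uses the `Debugger` value (the usual way such a key stops a program from launching; the post names only the key), and the sample export and its values are constructed placeholders.

```python
import re

# Matches both the native and the Wow6432Node copy of the key named in the post.
IFEO = r"\microsoft\windows nt\currentversion\image file execution options" + "\\"

# Constructed sample in .reg export format; the Debugger values are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\placeholder\\stub.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example-av.exe]
"debugger"="ntsd -d"
'''


def find_ifeo_debuggers(reg_text, watchlist=("taskmgr.exe",)):
    """Return (image, debugger, on_watchlist) for each IFEO subkey with a Debugger value."""
    hits, image = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            pos = key.lower().find(IFEO)
            rest = key[pos + len(IFEO):] if pos != -1 else ""
            # Only direct children of the IFEO key name an executable image.
            image = rest if rest and "\\" not in rest else None
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        # Registry value names are case-insensitive, so compare in lower case.
        if image and m and m.group(1).lower() == "debugger":
            value = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            hits.append((image, value, image.lower() in watchlist))
    return hits


if __name__ == "__main__":
    for image, debugger, watched in find_ifeo_debuggers(SAMPLE_REG):
        flag = "WATCHLIST" if watched else "review"
        print(f"[{flag}] {image} -> Debugger = {debugger}")
```

Real `reg export` files are UTF-16, so read them with `encoding="utf-16"` before passing the text in; extend `watchlist` with the executable names of the security tools installed on the machine.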
Discovered on 18th August 2008 by Barat Marius, a virus researcher, Trojan.FakeAlert.AAH is another piece of malware that sends fake alerts to users, warning them about virus and malware attacks. Through these alerts, it tries to persuade users to pay for AV programs that their PC does not actually need. It is highly damaging malware that also spreads at an alarmingly high rate. Hence, it is very important to get rid of this Trojan as early as possible.
The presence of Trojan.FakeAlert.AAH causes the following symptoms on a victim PC:
- The wallpaper gets changed without the user’s consent
- Frequent fake antivirus program alerts warning users about the presence of nonexistent viruses and Trojans
Once Trojan.FakeAlert.AAH starts running on a computer, it drops three files with random names under the “%system%” folder. One of these files is a .bmp file, which is used to change the wallpaper without the user’s consent. The second file is a .scr file and the third is an executable file. The third file is a copy of the virus. After carrying out these functions, the original file deletes itself, and then it downloads software named “Antivirus XP 2008.” This AV software is installed in a randomly named folder under the %programfiles% folder.
This AV program starts running false scans and sending false alerts that warn users about nonexistent infections. The idea behind these false scans and alerts is to persuade the user to buy AV programs that the computer doesn’t actually need.
Discovered on August 16, 2008 by Boeriu Laura, a virus researcher, Trojan.FakeAlert.AAF is quite similar to Trojan.FakeAlert.AAH, as both belong to the same malware family. Unlike Trojan.FakeAlert.AAH, however, Trojan.FakeAlert.AAF is a low-intensity Trojan: it doesn’t spread at an alarming rate and causes minimal damage. The main goal of this Trojan is also to make the user pay for AV programs, but its technical description differs from that of Trojan.FakeAlert.AAH.
The presence of Trojan.FakeAlert.AAF causes frequent fake antivirus program alerts that warn users about the presence of nonexistent viruses and Trojans on their system. Clicking these warnings runs fake scans that claim various pieces of malware have infected the system.
The malware drops the following 2 files into the system directory:
The first file is the blue screen screen saver joke from Sysinternals. It aims to scare users by suggesting that something has gone wrong with their computer and resulted in a blue screen. This file doesn’t damage the system.
The second file is just an image containing the security warning that gets displayed on the desktop. This image is set as the current desktop wallpaper, and the malware creates the following registry key.
This key ensures that the Trojan runs each time the system reboots.
Because the malware described above can put your online financial security at risk, it is important to act smart when you see virus-infection symptoms or alerts and to cross-examine them to judge their authenticity. By staying vigilant and proactive, you can save your computer from disastrous Trojan or malware attacks that can ruin your vital information and data, as well as software and hardware components.