Rogue:Win32/Fakeinit is a trojan that displays fake warnings of “malicious programs and viruses”. It may download a fake scanner that informs the user that they need to pay money to register the software and remove these non-existent threats. Rogue:Win32/Fakeinit also terminates certain processes, lowers security settings, changes the desktop background, and attempts to download other malware such as
Rogue:Win32/Fakeinit and
Trojan:Win32/Alureon.CT.
Installation
Rogue:Win32/Fakeinit copies itself as the following files:
- <system folder>\smss32.exe
- <system folder>\winlogon32.exe
These file names should not be confused with legitimate Windows files that have similar names ("smss.exe"and "winlogon.exe").
<system folder>\warnings.html
%AppData%\Microsoft\Internet Explorer\Desktop.htt
Rogue:Win32/Fakeinit makes the following registry changes to ensure that it is run every time Windows starts:
Adds value: "smss32.exe"
With data: "<system folder>\smss32.exe"
In subkeys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "Userinit"
With data: "<system folder>\winlogon32.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
Payload
Displays fake warning messages
Rogue:Win32/Fakeinit periodically displays messages suggesting that the computer is infected and that the user should download tools to remove the problem. These messages may be in the form of message boxes or system tray balloons such as the following:
The desktop background is also changed to display the following message:
It does so using the Desktop.htt and warnings.html files dropped earlier, and by making the following registry changes:
Adds value: "TileWallpaper"
With data: "0"
Adds value: "WallpaperStyle"
With data: "2"
Adds value: "Wallpaper"
With data: "%systemRoot%\system32\warnings.html"
Adds value: "BackupWallpaper"
With data: "%systemRoot%\web\wallpaper\Bliss.bmp"
Adds value: "WallpaperFileTime"
With data: "<8 bytes>"
Adds value: "WallpaperLocalFileTime"
With data: "<8 bytes>"
In subkey: HKCU\Software\Microsoft\Internet Explorer\Desktop\General
Adds value: "TileWallpaper"
With data: "0"
Adds value: "WallpaperStyle"
With data: "2"
Adds value: "Wallpaper"
With data: "C:\WINDOWS\web\wallpaper\Bliss.bmp"
In subkey: HKCU\Control Panel\Desktop
It prevents the user from changing this background by making the following changes to the registry:
Adds value: "NoSetActiveDesktop"
With data: "1"
Adds value: "NoChangingWallpaper"
With data: "1"
Adds value: "NoActiveDesktopChanges"
With data: "1"
In subkeys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Downloads and executes arbitrary files
Rogue:Win32/Fakeinit contacts one or more servers from which it may download a number of files. As of this writing, some of the servers used are "for-sunny-se.com" and "winter-smile.com".
It saves the downloaded files to locations such as the following:
- <system folder>\helpers32.dll
- <system folder>\ES15.exe
- <system folder>\41.exe
It then registers the DLL file, which acts as a Layered Service Provider that may block access to certain Web sites. For more details please refer to the
Rogue:Win32/Fakeinit description.
Should the user click on the warnings displayed above, Rogue:Win32/Fakeinit copies the downloaded Fakeinit component to <system folder>\<5 digit random number>.exe and executes it to install the fake security software. The fake security software has been observed to use names such as "Internet Security 2010" and "Security Essentials 2010".
Terminates processes
Rogue:Win32/Fakeinit monitors running processes and terminates any process from the list below, displaying the following message box in an attempt to convince the user that their system is infected:
acrord32.exe
advanceddvdplayer.exe
calc.exe
chrome.exe
clonecd.exe
cmd.exe
control.exe
digitaleditions.exe
excel.exe
freecell.exe
fulltiltpoker.exe
gom.exe
googleearth.exe
hrtzzm.exe
icq.exe
illustrator.exe
la.exe
miranda32.exe
moviemk.exe
mplay32.exe
mplayer2.exe
mplayerc.exe
msconfig.exe
mshearts.exe
msimn.exe
msmsgs.exe
msnmsgr.exe
mspaint.exe
msworks.exe
nero.exe
neroexpressportable.exe
nfs.exe
notepad.exe
ois.exe
outlook.exe
photoshop.exe
pinball.exe
pokerstars.exe
powerdvd.exe
powerpnt.exe
powerpoi.exe
quicktimeplayer.exe
realplay.exe
realplayer.exe
recordingmanager.exe
regclonecd.exe
regedit.exe
rstrui.exe
rwcrun.exe
rwiperun.exe
setup_wm.exe
shvlzm.exe
sidebar.exe
skype.exe
skypepm.exe
sndvol32.exe
sol.exe
spider.exe
taskmgr.exe
thebat.exe
tvp.exe
utorrent.exe
vmware.exe
winamp.exe
windowsanytimeupgradeui.exe
windvd.exe
winmine.exe
winrar.exe
winword.exe
wmplayer.exe
word.exe
wupdmgr.exe
Disables Task Manager and Phishing Filter, and lowers computer security settings
Rogue:Win32/Fakeinit attempts to disable Internet Explorer’s Phishing Filter by making the following registry changes:
Adds value: "Enabled"
With data: "0"
Adds value: "EnabledV8"
With data: "0"
In subkey: HKCU\Software\Microsoft\Internet Explorer\PhishingFilter
Adds value: "EnabledV8"
With data: "0"
In subkey: HKLM\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter
It attempts to disable Task Manager with the following change:
Adds value: "DisableTaskMgr"
With data: "1"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
It attempts to place sites used by the particular variant of Win32/Fakeinit into the Trusted Sites Zone:
Adds value: "http"
With data: "2"
In subkeys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-security-essentials.com
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-security-essentials.com
Adds value: "http"
With data: "2"
In subkeys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\get-key-se10.com
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\get-key-se10.com
Adds value: "http"
With data: "2"
In subkeyS:
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ download-soft-package.com
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ download-soft-package.com
Adds value: "Flag"
With data: "67"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Analysis by David Wood
