Installation
Win32/FakeSecSen usually installs six files. For example, when distributed as Micro AV, FakeSecSen installs the following files:
- microav.exe – The main executable file. It shows the fake scanner interface, an associated icon in the system tray, and other fake infection warnings.
- microav.cpl – A control panel applet that adds an entry to the control panel called, for example, MS AV, with the icon of the Windows Security Center. When run, it launches the main executable.
- microav0.dat and microav1.dat – These files contain the malware information to report. No actual scanning is done; all of the entries in these DAT files are reported.
- microav.ooo – A harmless file, usually only a few bytes long.
- microantivirus.lnk – A desktop shortcut pointing to the main executable.
Examples of these can be seen below:
All of the files are installed into a directory under your Program Files directory, except for the shortcut, which is placed on your desktop.
The .cpl file (in this example, microav.cpl) is also copied to the <system folder>.
It changes the following registry entries so that it runs each time you start your PC:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%ProgramFiles%\MicroAntivirus\microAV.exe"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%ProgramFiles%\MicroAntivirus\microAV.exe"
It also sets the following registry entry:
In subkey: HKLM\SOFTWARE\Classes\.key
Sets value: "(default)"
With data: "0"
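As an added detection example (not part of Microsoft's write-up), the following Python parses a .reg export of the two Run keys and of HKLM\SOFTWARE\Classes\.key and flags the persistence entries documented on this page for every variant listed: a value named ANTIVIRUS whose data points at one of the known %ProgramFiles% paths, plus the .key class entry set to "0". It assumes REG_SZ data as written by reg export (expanded paths, optionally quoted); the sample export is constructed.

```python
import re
# Persistence indicators documented for Win32/FakeSecSen: a Run-key value named
# "ANTIVIRUS" whose data ends in one of these <dir>\<exe> tails under %ProgramFiles%.
KNOWN_EXES = (
    r"microantivirus\microav.exe", r"ms antivirus\msa.exe", r"spp\spp.exe", r"vav\vav.exe",
    r"aav\aav.exe", r"sav\sav.exe", r"uav\uav.exe", r"wav\wav.exe", r"xpa\xpa.exe",
    r"pwa\pwa.exe", r"pwx\pwx.exe", r"ultraav\ultraav.exe", r"avs\avs.exe",
)
RUN_KEYS = (r"hkey_local_machine\software\microsoft\windows\currentversion\run",
            r"hkey_current_user\software\microsoft\windows\currentversion\run")
CLASS_KEY = r"hkey_local_machine\software\classes\.key"
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^(?:"(.*?)"|(@))="(.*)"$')  # "name"="data" or @="data" (REG_SZ only)

def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}}; keys/names lower-cased, "@" = (default)."""
    reg, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := _KEY_RE.match(line):
            current = m.group(1).lower()
            reg.setdefault(current, {})
        elif (m := _VAL_RE.match(line)) and current is not None:
            name = (m.group(1) if m.group(1) is not None else "@").lower()
            # .reg doubles backslashes and escapes quotes inside string data; undo that
            reg[current][name] = m.group(3).replace('\\"', '"').replace("\\\\", "\\")
    return reg

def find_fakesecsen(reg):
    """Return (key, value_name, data) triples that match the documented indicators."""
    hits = []
    for key in RUN_KEYS:
        data = reg.get(key, {}).get("antivirus", "")
        path = data.strip('"').lower()  # some variants wrap the path in quotes
        if any(path.endswith("\\" + exe) for exe in KNOWN_EXES):
            hits.append((key, "ANTIVIRUS", data))
    if reg.get(CLASS_KEY, {}).get("@") == "0":
        hits.append((CLASS_KEY, "(default)", "0"))
    return hits

# Constructed sample export (not from a real system) with one benign entry mixed in
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ANTIVIRUS"="C:\\Program Files\\MicroAntivirus\\microAV.exe"
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ANTIVIRUS"="\"C:\\Program Files\\VAV\\vav.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.key]
@="0"
'''
```

Running find_fakesecsen(parse_reg(SAMPLE_REG)) reports the two Run-key entries and the .key class entry while ignoring the benign ExampleTray value.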
Examples
Additional examples of filenames, registry modifications, interfaces, fake alerts, false scanning results, icons and pop-ups used by this group of rogue antivirus programs are provided below.
Note that while these programs can appear to be different, the differences are only superficial - these programs are essentially identical.
MS Antivirus
We've seen Win32/FakeSecSen use the following file names when distributed as MS Antivirus:
The malware also modifies the following registry entries as a part of its malicious routine when distributed as MS Antivirus:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%ProgramFiles%\MS Antivirus\MSA.exe"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%ProgramFiles%\MS Antivirus\MSA.exe"
Examples of interface, fake alerts, false scanning results, icons and pop-ups used by Win32/FakeSecSen when distributed as MS Antivirus:
Spyware Preventer
We've seen Win32/FakeSecSen use the following file names when distributed as Spyware Preventer:
The malware also modifies the following registry entries as a part of its malicious routine when distributed as Spyware Preventer:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%ProgramFiles%\SPP\SPP.exe"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%ProgramFiles%\SPP\SPP.exe"
Examples of interface, fake alerts, false scanning results, icons and pop-ups used by Win32/FakeSecSen when distributed as Spyware Preventer:
Vista Antivirus 2008
We've seen Win32/FakeSecSen use the following file names when distributed as Vista Antivirus 2008:
The malware also modifies the following registry entries as a part of its malicious routine when distributed as Vista Antivirus 2008:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%ProgramFiles%\VAV\vav.exe"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%ProgramFiles%\VAV\vav.exe"
Examples of interface, fake alerts, false scanning results, icons and pop-ups used by Win32/FakeSecSen when distributed as Vista Antivirus 2008:
Advanced Antivirus
We've seen Win32/FakeSecSen use the following file names when distributed as Advanced Antivirus:
The malware also modifies the following registry entries as a part of its malicious routine when distributed as Advanced Antivirus:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%ProgramFiles%\aav\aav.exe"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%ProgramFiles%\aav\aav.exe"
Examples of interface, fake alerts, false scanning results, icons and pop-ups used by Win32/FakeSecSen when distributed as Advanced Antivirus:
System Antivirus
We've seen Win32/FakeSecSen use the following file names when distributed as System Antivirus:
The malware also modifies the following registry entries as a part of its malicious routine when distributed as System Antivirus:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%ProgramFiles%\sav\sav.exe"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%ProgramFiles%\sav\sav.exe"
Examples of interface, fake alerts, false scanning results, icons and pop-ups used by Win32/FakeSecSen when distributed as System Antivirus:
Ultimate Antivirus 2008
The following filenames may be used by Win32/FakeSecSen when distributed as Ultimate Antivirus 2008:
The malware also modifies the following registry entries as a part of its malicious routine when distributed as Ultimate Antivirus 2008:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%ProgramFiles%\UAV\uav.exe"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%ProgramFiles%\UAV\uav.exe"
Examples of interface, fake alerts, false scanning results, icons and pop-ups used by Win32/FakeSecSen when distributed as Ultimate Antivirus 2008:
Windows Antivirus 2008
We've seen Win32/FakeSecSen use the following file names when distributed as Windows Antivirus 2008:
The malware also modifies the following registry entries as a part of its malicious routine when distributed as Windows Antivirus 2008:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%ProgramFiles%\WAV\wav.exe"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%ProgramFiles%\WAV\wav.exe"
Examples of interface, fake alerts, false scanning results, icons and pop-ups used by Win32/FakeSecSen when distributed as Windows Antivirus 2008:
XPert Antivirus
We've seen Win32/FakeSecSen use the following file names when distributed as XPert Antivirus:
The malware also modifies the following registry entries as a part of its malicious routine when distributed as XPert Antivirus:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%ProgramFiles%\XPA\XPA.exe"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%ProgramFiles%\XPA\XPA.exe"
Examples of interface, fake alerts, false scanning results, icons and pop-ups used by Win32/FakeSecSen when distributed as XPert Antivirus:
Power Antivirus
We've seen Win32/FakeSecSen use the following file names when distributed as Power Antivirus:
or
The malware also modifies the following registry entries as a part of its malicious routine when distributed as Power Antivirus:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%ProgramFiles%\PWA\PWA.exe"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%ProgramFiles%\PWA\PWA.exe"
or
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%ProgramFiles%\PWX\PWX.exe"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%ProgramFiles%\PWX\PWX.exe"
Examples of interface, fake alerts, false scanning results, icons and pop-ups used by Win32/FakeSecSen when distributed as Power Antivirus:
Ultra Antivirus 2009
We've seen Win32/FakeSecSen use the following file names when distributed as Ultra Antivirus 2009:
The malware also modifies the following registry entries as a part of its malicious routine when distributed as Ultra Antivirus 2009:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%ProgramFiles%\UltraAV\UltraAV.exe"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%ProgramFiles%\UltraAV\UltraAV.exe"
Examples of interface, fake alerts, false scanning results, icons and pop-ups used by Win32/FakeSecSen when distributed as Ultra Antivirus 2009:
AntiVirus Sentry
We've seen Win32/FakeSecSen use the following file names when distributed as Antivirus Sentry:
The malware also modifies the following registry entries as a part of its malicious routine when distributed as Antivirus Sentry:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%ProgramFiles%\AVS\AVS.exe"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ANTIVIRUS"
With data: "%ProgramFiles%\AVS\AVS.exe"
Examples of interface, fake alerts, false scanning results, icons and pop-ups used by Win32/FakeSecSen when distributed as Antivirus Sentry:
Analysis by Hamish O'Dea