Symptoms vary among different distributions of Win32/FakeRean; however, the presence of the following system changes (or similar ones under a different brand name) may indicate that this program is installed:
- Presence of the following files, for example:
Binaries1.cab
Binaries2.cab
Binaries3.cab
%Program Files%\XP_AntiSpyware\AVEngn.dll
%Program Files%\XP_AntiSpyware\htmlayout.dll
%Program Files%\XP_AntiSpyware\pthreadVC2.dll
%Program Files%\XP_AntiSpyware\Uninstall.exe
%Program Files%\XP_AntiSpyware\wscui.cpl
%Program Files%\XP_AntiSpyware\XP_Antispyware.cfg
%Program Files%\XP_AntiSpyware\XP_AntiSpyware.exe
%Program Files%\XP_AntiSpyware\data\daily.cvd
%Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
%Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\msvcm80.dll
%Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\msvcp80.dll
%Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\msvcr80.dll
- Presence of the following registry modifications:
Key: HKCU\Control Panel\don't load
Value: scui.cpl
Data: "No"
Value: wscui.cpl
Data: "No"
Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value: ForceClassicControlPanel
Data: 0x1
Key: HKLM\SOFTWARE\Microsoft\Security Center
Value: AntiVirusDisableNotify
Data: 0x1
Value: FirewallDisableNotify
Data: 0x1
Value: UpdatesDisableNotify
Data: 0x1
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XP_AntiSpyware\
Value: DisplayName
Data: "XP Antispyware 2009"
Value: UninstallString
Data: "%Program Files%\XP_AntiSpyware\Uninstall.exe"
Key: HKLM\Software\XP_Antispyware
Value: info
Data: "<date installed>"
- Presence of the following shortcuts:
%Start menu%\Programs\XP_AntiSpyware\XP_AntiSpyware.lnk
%Start menu%\Programs\XP_AntiSpyware\Uninstall.lnk
%Desktop%\XP_AntiSpyware.lnk
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\XP_AntiSpyware.lnk
Win32/FakeRean is a family of programs that claim to scan for malware and display fake warnings about malicious files. They then tell the user that they must pay to register the software in order to remove these non-existent threats.
Installation
Win32/FakeRean installers download several archives in either ZIP or CAB format from a remote location via HTTP. For example:
- Binaries1.cab
- Binaries2.cab
- Binaries3.cab
The installer then extracts these files into a directory it creates under %Program Files%.
The installer may display a window before it begins downloading, and another progress window while downloading (screenshots not reproduced here).
Different variants of Win32/FakeRean use different names and branding. The directories and file names used depend on the branding used by each variant.
For example, these files are installed by the variant that calls itself "XP Antispyware 2009":
%Program Files%\XP_AntiSpyware\AVEngn.dll
%Program Files%\XP_AntiSpyware\htmlayout.dll
%Program Files%\XP_AntiSpyware\pthreadVC2.dll
%Program Files%\XP_AntiSpyware\Uninstall.exe
%Program Files%\XP_AntiSpyware\wscui.cpl
%Program Files%\XP_AntiSpyware\XP_Antispyware.cfg
%Program Files%\XP_AntiSpyware\XP_AntiSpyware.exe
%Program Files%\XP_AntiSpyware\data\daily.cvd
%Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
%Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\msvcm80.dll
%Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\msvcp80.dll
%Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\msvcr80.dll
These files are installed by the variant that calls itself "AntispywareXP 2009":
%Program Files%\AntiSpywareXP2009\AVEngn.dll
%Program Files%\AntiSpywareXP2009\htmlayout.dll
%Program Files%\AntiSpywareXP2009\pthreadVC2.dll
%Program Files%\AntiSpywareXP2009\Uninstall.exe
%Program Files%\AntiSpywareXP2009\wscui.cpl
%Program Files%\AntiSpywareXP2009\AntiSpywareXP2009.cfg
%Program Files%\AntiSpywareXP2009\AntiSpywareXP2009.exe
%Program Files%\AntiSpywareXP2009\data\daily.cvd
%Program Files%\AntiSpywareXP2009\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
%Program Files%\AntiSpywareXP2009\Microsoft.VC80.CRT\msvcm80.dll
%Program Files%\AntiSpywareXP2009\Microsoft.VC80.CRT\msvcp80.dll
%Program Files%\AntiSpywareXP2009\Microsoft.VC80.CRT\msvcr80.dll
The variant that calls itself "PC Antispyware 2010" creates these directories:
%Programs%\PC_Antispyware2010
%Program Files%\PC_Antispyware2010
The variant that calls itself "Home Antivirus 2010" creates these directories:
%Programs%\HomeAntivirus2010
%Program Files%\HomeAntivirus2010
The variant that calls itself "PC Security 2009" creates these directories:
%Programs%\PC_Security2009
%Program Files%\PC_Security2009
Win32/FakeRean also adds shortcuts to the current user's Start menu, desktop and quick launch bar, for example:
- %Start menu%\Programs\XP_AntiSpyware\XP_AntiSpyware.lnk
- %Start menu%\Programs\XP_AntiSpyware\Uninstall.lnk
- %Desktop%\XP_AntiSpyware.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\XP_AntiSpyware.lnk
or
- %Start menu%\Programs\AntiSpywareXP2009\AntiSpywareXP2009.lnk
- %Start menu%\Programs\AntiSpywareXP2009\Uninstall.lnk
- %Desktop%\AntiSpywareXP2009.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\AntiSpywareXP2009.lnk
The other variants add correspondingly named shortcuts under their own branding.
Payload
Displays Fake Alerts and Fake Scanning Results
Win32/FakeRean adds a registry entry to launch its fake scanner automatically each time Windows starts. For example:
Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Value: XP Antispyware 2009
Data: ""%Program Files%\XP_AntiSpyware\XP_AntiSpyware.exe" /hide"
or
Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Value: AntiSpywareXP 2009
Data: ""%Program Files%\AntiSpywareXP2009\AntiSpywareXP2009.exe" /hide"
The appearance of the fake scanner GUI differs between variants. When a "scan" is completed, it displays a message claiming that threats were found, and it periodically displays fake warning pop-ups from its system tray icon.
Win32/FakeRean also installs a control panel applet which imitates the Windows Security Center:
- <system folder>\_scui.cpl
Clicking any of the buttons or links in this window merely opens the default browser at a page offering the fake product for sale.
Modifies System Security Settings
In order to prevent the real Windows Security Center from being displayed in the Control Panel (so that only its own imitation applet is visible), Win32/FakeRean sets these registry entries:
Key: HKCU\Control Panel\don't load
Value: scui.cpl
Data: "No"
Value: wscui.cpl
Data: "No"
Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value: ForceClassicControlPanel
Data: 0x1
It also sets the Security Center's own "disable notify" values so that the real Security Center no longer warns the user that antivirus software, the firewall or automatic updates are missing or turned off:
Key: HKLM\SOFTWARE\Microsoft\Security Center
Value: AntiVirusDisableNotify
Data: 0x1
Value: FirewallDisableNotify
Data: 0x1
Value: UpdatesDisableNotify
Data: 0x1
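The following PowerShell script is an added example and is not part of the original analysis. It audits a host for the registry and file changes listed in the Symptoms section and in the persistence and security-settings entries above, without modifying anything. It assumes PowerShell is available on the affected Windows XP or Vista machine, that <system folder> is %SystemRoot%\system32, and that the program directory names are the ones listed on this page; other variant names can be appended to $variants.

```powershell
# Added example (not from the original analysis): read-only audit for the
# Win32/FakeRean indicators documented on this page.
# Assumptions: system folder = %SystemRoot%\system32; variant directory names
# as listed on this page (extend $variants for other brandings).

$findings = @()
$variants = 'XP_AntiSpyware', 'AntiSpywareXP2009', 'PC_Antispyware2010',
            'HomeAntivirus2010', 'PC_Security2009'

# 1. Security Center notifications silenced (value 1 = do not notify)
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
    $v = (Get-ItemProperty -Path $sc -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq 1) { $findings += "Security Center notification disabled: $name = 1" }
}

# 2. Real Security Center applet hidden from the Control Panel
$dl = "HKCU:\Control Panel\don't load"
foreach ($name in 'scui.cpl', 'wscui.cpl') {
    $v = (Get-ItemProperty -Path $dl -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq 'No') { $findings += "Control Panel applet hidden via 'don't load': $name" }
}
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$v = (Get-ItemProperty -Path $pol -Name ForceClassicControlPanel -ErrorAction SilentlyContinue).ForceClassicControlPanel
if ($v -eq 1) { $findings += 'ForceClassicControlPanel = 1' }

# 3. Auto-start entries pointing into a known variant directory
$run = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... provider metadata
        foreach ($dir in $variants) {
            if ("$($p.Value)" -like "*\$dir\*") {
                $findings += "Run entry '$($p.Name)' launches: $($p.Value)"
            }
        }
    }
}

# 4. Program directories, uninstall entries, install-date key and the fake applet
foreach ($dir in $variants) {
    $path = Join-Path $env:ProgramFiles $dir
    if (Test-Path $path) { $findings += "Program directory present: $path" }
    $unk = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$dir"
    if (Test-Path $unk) { $findings += "Uninstall entry present: $unk" }
    $info = "HKLM:\Software\$dir"
    if (Test-Path $info) { $findings += "Install-date key present: $info" }
}
$cpl = Join-Path $env:SystemRoot 'system32\_scui.cpl'   # assumed system folder
if (Test-Path $cpl) { $findings += "Fake Security Center applet present: $cpl" }

if ($findings.Count -eq 0) {
    'No Win32/FakeRean indicators found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

A single hit on the Security Center values alone is not conclusive, since an administrator or another security product may legitimately set them; a Run entry or program directory matching one of the variant names, or the presence of _scui.cpl, is the stronger indicator.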
Win32/FakeRean may also add an uninstall entry, for example:
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XP_AntiSpyware\
Value: DisplayName
Data: "XP Antispyware 2009"
Value: UninstallString
Data: "%Program Files%\XP_AntiSpyware\Uninstall.exe"
or
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiSpywareXP2009
Value: DisplayName
Data: "AntiSpywareXP 2009"
Value: UninstallString
Data: "%Program Files%\AntiSpywareXP2009\Uninstall.exe"
Running this uninstall entry usually does not uninstall the trojan; however, the shortcut added to the Start menu ("Uninstall.lnk") may remove most of the program. The fake Security Center control panel applet (_scui.cpl) is left behind in either case.
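Because the bundled uninstaller leaves the fake applet and the registry changes in place, the following PowerShell script is given as an added example (not part of the original analysis) of undoing the changes documented above for the "XP Antispyware 2009" variant. It must run elevated, since it writes under HKLM. It assumes that the process name is the EXE name without its extension, that <system folder> is %SystemRoot%\system32, and that $variant and $runName are adjusted for any other variant; use an up-to-date scanning and removal tool for a full clean-up.

```powershell
# Added example (not from the original analysis): revert the registry and file
# changes documented for the "XP Antispyware 2009" variant. Run as Administrator.
# Assumptions: process name = EXE name without extension; system folder =
# %SystemRoot%\system32; names below match this page's listing for the variant.

$variant = 'XP_AntiSpyware'           # directory and file base name
$runName = 'XP Antispyware 2009'      # value name under the Run key

# Stop the fake scanner if it is still running
Get-Process -Name $variant -ErrorAction SilentlyContinue | Stop-Process -Force

# Remove only the auto-start value, not the whole Run key
Remove-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' `
    -Name $runName -ErrorAction SilentlyContinue

# Re-enable Security Center notifications (0 = notify)
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
if (Test-Path $sc) {
    foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
        Set-ItemProperty -Path $sc -Name $name -Value 0 -Type DWord
    }
}

# Un-hide the real Security Center applet and drop the forced classic view
$dl = "HKCU:\Control Panel\don't load"
foreach ($name in 'scui.cpl', 'wscui.cpl') {
    Remove-ItemProperty -Path $dl -Name $name -ErrorAction SilentlyContinue
}
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -Name ForceClassicControlPanel -ErrorAction SilentlyContinue

# Leftovers: fake applet, program directory, shortcuts, uninstall entry, install-date key
$leftovers = @(
    (Join-Path $env:SystemRoot 'system32\_scui.cpl'),                       # assumed system folder
    (Join-Path $env:ProgramFiles $variant),
    (Join-Path ([Environment]::GetFolderPath('Programs')) $variant),         # Start menu folder
    (Join-Path ([Environment]::GetFolderPath('Desktop')) "$variant.lnk"),
    (Join-Path $env:APPDATA "Microsoft\Internet Explorer\Quick Launch\$variant.lnk"),
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$variant",
    "HKLM:\Software\$variant"
)
foreach ($item in $leftovers) {
    if (Test-Path $item) {
        Remove-Item -Path $item -Recurse -Force
        "Removed: $item"
    }
}
```

The script deletes only the specific values and paths named on this page, so the Run key, the Security Center key and the Control Panel policy key themselves are left intact for other software that uses them.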
While Win32/FakeRean pretends to scan the machine, it may create files with randomly generated file names, which it fills with random "junk" bytes. These are the files it reports as threats, presumably to make its claims seem more plausible.
Additional Information
FakeRean may set a registry entry containing the date it was installed, for example:
Key: HKLM\Software\XP_Antispyware
Value: info
Data: "10/21/2008"
Analysis by Hamish O'Dea
Follow these general security tips to better protect your system:
- Enable a firewall on your computer.
- Get the latest computer updates.
- Run an up-to-date scanning and removal tool.
- Use caution with attachments and file transfers.
- Use caution when clicking on links to web pages.
- Protect yourself against social engineering attacks.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows Internet Connection Firewall.
To turn on the Windows Firewall in Windows Vista
- Click Start, and click Control Panel.
- Click Security.
- Click Turn Windows Firewall on or off.
- Select On.
- Click OK.
To turn on the Internet Connection Firewall in Windows XP
- Click Start, and click Control Panel.
- Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
- Click Change Windows Firewall Settings.
- Select On.
- Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. It is important to install updates for all the software that is installed in your computer. These are usually available from vendor websites.
You can use the Automatic Updates feature in Windows to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows Vista
- Click Start, and click Control Panel.
- Click System and Maintenance.
- Click Windows Update.
- Select a setting. Microsoft recommends selecting Install updates automatically and choosing a time that is convenient for you. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
To turn on Automatic Updates in Windows XP
- Click Start, and click Control Panel.
- Click System.
- Click Automatic Updates.
- Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
Run an up-to-date scanning and removal tool
Most scanning and removal software can detect and prevent the installation of known malicious software and potentially unwanted software such as adware or spyware. You should frequently run a scanning and removal tool that is updated with the latest signature files.
For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.
Use caution with attachments and file transfers
Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.
Use caution when clicking on links to web pages
Exercise caution with links to web pages that you receive from unknown sources, especially if the links are to a web page that you are not familiar with or are suspicious of. Malicious software may be installed in your system simply by visiting a web page with harmful content.
Protect yourself against social engineering attacks
While attackers may attempt to exploit vulnerabilities in hardware or software in order to compromise a system, they also attempt to exploit vulnerabilities in human behavior to do the same. When an attacker takes advantage of human behavior to persuade the affected user to perform an action of the attacker's choice, it is known as "social engineering". Essentially, social engineering is an attack against the human interface of the targeted system. For more information, please see our article "What is social engineering?".