Alert level

Rogue:Win32/FakeRean


Encyclopedia entry
Updated: Mar 21, 2013  |  Published: Feb 08, 2011

Aliases
  • Trojan:Win32/FakeRean (Microsoft)
  • Win32/FakeRean (Microsoft)
  • Antispyware Vista (other)
  • Antispyware Win 7 (other)
  • Antispyware XP (other)
  • AntiSpyware XP 2009 (other)
  • Antivirus Pro 2010 (other)
  • AntiVirus Studio 2010 (other)
  • Antivirus Vista (other)
  • Antivirus Vista 2010 (other)
  • Antivirus Win 7 (other)
  • Antivirus Win 7 2010 (other)
  • Antivirus XP (other)
  • Antivirus XP 2010 (other)
  • Desktop Defender 2010 (other)
  • Desktop Security 2010 (other)
  • Home Antivirus 2010 (other)
  • PC Antispyware 2010 (other)
  • PC Security 2009 (other)
  • Privacy Protection (other)
  • Security Central (other)
  • Security Protection (other)
  • Security Solution 2011 (other)
  • Smart Security 2010 (other)
  • Spyware Protection (other)
  • Total PC Defender (other)
  • Total PC Defender 2010 (other)
  • Total Vista Security (other)
  • Total Win 7 Security (other)
  • Total XP Security (other)
  • Vista AntiMalware (other)
  • Vista AntiMalware 2010 (other)
  • Vista Anti-Spyware (other)
  • Vista Antispyware 2010 (other)
  • Vista Antispyware 2011 (other)
  • Vista Anti-Spyware 2011 (other)
  • Vista Antispyware 2012 (other)
  • Vista Antivirus (other)
  • Vista Antivirus 2010 (other)
  • Vista Antivirus 2011 (other)
  • Vista Anti-Virus 2011 (other)
  • Vista Antivirus 2012 (other)
  • Vista Antivirus Pro (other)
  • Vista Antivirus Pro 2010 (other)
  • Vista Defender (other)
  • Vista Defender 2010 (other)
  • Vista Defender Pro (other)
  • Vista Guard (other)
  • Vista Guardian (other)
  • Vista Guardian 2010 (other)
  • Vista Home Security (other)
  • Vista Home Security 2011 (other)
  • Vista Home Security 2012 (other)
  • Vista Internet Security (other)
  • Vista Internet Security 2010 (other)
  • Vista Internet Security 2011 (other)
  • Vista Internet Security 2012 (other)
  • Vista Security (other)
  • Vista Security 2011 (other)
  • Vista Security 2012 (other)
  • Vista Security Tool (other)
  • Vista Security Tool 2010 (other)
  • Vista Smart Security (other)
  • Vista Smart Security 2010 (other)
  • Vista Total Security (other)
  • Vista Total Security 2011 (other)
  • Vista Total Security 2012 (other)
  • Win 7 AntiMalware (other)
  • Win 7 AntiMalware 2010 (other)
  • Win 7 Anti-Spyware (other)
  • Win 7 Antispyware 2010 (other)
  • Win 7 Anti-Spyware 2011 (other)
  • Win 7 Antispyware 2012 (other)
  • Win 7 Antivirus (other)
  • Win 7 Antivirus 2010 (other)
  • Win 7 Anti-Virus 2011 (other)
  • Win 7 Antivirus 2012 (other)
  • Win 7 Antivirus Pro (other)
  • Win 7 Antivirus Pro 2010 (other)
  • Win 7 Antivirus Pro 2013 (other)
  • Win 7 Antivirus Security Pro 2013 (other)
  • Win 7 Defender (other)
  • Win 7 Defender 2010 (other)
  • Win 7 Defender Pro (other)
  • Win 7 Guard (other)
  • Win 7 Guardian (other)
  • Win 7 Guardian 2010 (other)
  • Win 7 Home Security (other)
  • Win 7 Home Security 2011 (other)
  • Win 7 Home Security 2012 (other)
  • Win 7 Internet Security (other)
  • Win 7 Internet Security 2010 (other)
  • Win 7 Internet Security 2011 (other)
  • Win 7 Internet Security 2012 (other)
  • Win 7 Security (other)
  • Win 7 Security 2011 (other)
  • Win 7 Security 2012 (other)
  • Win 7 Security Center (other)
  • Win 7 Security Tool (other)
  • Win 7 Security Tool 2010 (other)
  • Win 7 Smart Security (other)
  • Win 7 Smart Security 2010 (other)
  • Win 7 Total Security (other)
  • Win 7 Total Security 2011 (other)
  • Win 7 Total Security 2012 (other)
  • XP AntiMalware (other)
  • XP AntiMalware 2010 (other)
  • XP Anti-Spyware (other)
  • XP AntiSpyware 2009 (other)
  • XP Antispyware 2010 (other)
  • XP Antispyware 2011 (other)
  • XP Anti-Spyware 2011 (other)
  • XP Antispyware 2012 (other)
  • XP Antivirus 2010 (other)
  • XP Antivirus 2011 (other)
  • XP Anti-Virus 2011 (other)
  • XP Antivirus 2012 (other)
  • XP Antivirus Pro (other)
  • XP Antivirus Pro 2010 (other)
  • XP Defender (other)
  • XP Defender 2010 (other)
  • XP Defender Pro (other)
  • XP Defender Pro 2010 (other)
  • XP Guard (other)
  • XP Guardian (other)
  • XP Guardian 2010 (other)
  • XP Home Security (other)
  • XP Home Security 2011 (other)
  • XP Home Security 2012 (other)
  • XP Internet Security (other)
  • XP Internet Security 2010 (other)
  • XP Internet Security 2011 (other)
  • XP Internet Security 2012 (other)
  • XP Police Antivirus (other)
  • XP Security (other)
  • XP Security 2011 (other)
  • XP Security 2012 (other)
  • XP Security Center (other)
  • XP Security Tool (other)
  • XP Security Tool 2010 (other)
  • XP Smart Security (other)
  • XP Smart Security 2010 (other)
  • XP Total Security (other)
  • XP Total Security 2011 (other)
  • XP Total Security 2012 (other)
  • Smart Security (other)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.151.482.0
Released: May 20, 2013
Detection initially created:
Definition: 1.45.398.0
Released: Oct 09, 2008


Summary

Win32/FakeRean is a family of rogue antivirus programs (fake scanners) that claim to scan your computer for malware and display fake warnings about malicious files. They then inform you that you need to pay money to register the software in order to remove these non-existent threats. Different variants may modify various settings on your computer, terminate programs or system services, or block access to websites.

Symptoms

Symptoms vary among the different subfamilies and variants of Win32/FakeRean; the Technical Information section below describes some common variants we see in the wild.

Please see the relevant encyclopedia entry for a list of specific infection symptoms.

Technical Information (Analysis)

Win32/FakeRean is a family of rogue malware - fake scanners - that claim to scan your computer for malware, and display fake warnings of malicious files. They then inform you that you need to pay money to register the software in order to remove these non-existent threats. Different variants may modify various settings on your computer, terminate programs or system services, or block access to websites.

In the wild, we have observed Win32/FakeRean being installed onto computers by exploit kits such as Blacole or Incognito, or by being downloaded and installed by other malware. Malware we have observed downloading FakeRean includes, but is not limited to, the following:

Note that some of these malware families may no longer be active, or may no longer be downloading Win32/FakeRean.

For more details on protecting your computer from vulnerabilities being exploited by the Blacole exploit kit, or other exploit kits, please see the Blacole description elsewhere in the encyclopedia.

Earlier versions of FakeRean were also installed after users were tricked into downloading the malware, after visiting a webpage that displayed messages or graphics that led them to believe that their computer had a malware infection.

FakeRean brands

The Win32/FakeRean family covers a number of different brands of fake scanner. The details of how and where the malware is installed, or the other effects it has on the infected computer, will differ depending on the variant.

Each brand changes its name from time to time, but the appearance of the fake scanner and its behavior are very similar. It may change its installation directory, file names, or registry entry names to reflect the new name.

Privacy Protection / Security Protection

For example, one variant uses names such as Privacy Protection or Security Protection. Their fake scanners are similar apart from the name displayed.

Privacy Protection may be installed to %AppData%\privacy.exe. It creates the following registry entry to ensure that it runs at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Privacy Protection"
With data: %AppData%\privacy.exe

Security Protection instead uses a file name of defender.exe and creates the following registry entry:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Security Protection"
With data: %AppData%\defender.exe

This variant may attempt to terminate certain processes. You can circumvent this by making a copy of the program you want to run, renaming it to svchost.exe, then running the renamed copy.

Note: Do not place this copy in the <system folder> directory.

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

For more details of this variant, please visit the Privacy Protection or Security Protection descriptions elsewhere in the encyclopedia.

Other names that are being used by this variant at the time of publication include:

  • Malware Protection
  • Total PC Defender
  • Internet Security

Antivirus Protection 2012

Antivirus Protection 2012's installer drops a number of files to a folder, such as %AppData%\Antivirus Protection 2012 or %AppData%\Antivirus Protection 2012 Tm.

It may also create the following files:

  • IcoActivate.ico (icon file)
  • IcoHelp.ico (icon file)
  • IcoUninstall.ico (icon file)
  • AntivirusProtection2012.exe (fake scanner)
  • securitymanager.exe (monitors the installed file)
  • securityhelper.exe (copy of the installer)

It adds a number of registry entries to ensure that its various components are run at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Antivirus Protection 2012"
With data: "%AppData%\Antivirus Protection 2012\AntivirusProtection2012.exe" /STARTUP
Sets value: "Antivirus Protection 2012 SM"
With data: "%AppData%\Antivirus Protection 2012\securitymanager.exe"
Sets value: "Antivirus Protection 2012 SH"
With data: "%AppData%\Antivirus Protection 2012\securityhelper.exe"

It also creates files that add desktop shortcuts and Start menu items.

This rogue may also disable certain services, and remove the registry entry which allows Windows Defender to run each time the computer starts.

For more details of this variant, please see the Antivirus Protection 2012 description elsewhere in the encyclopedia.

Other names that are being used by this variant at the time of publication include:

  • AntiVirus 2010
  • AntiVirus AntiSpyware 2011
  • Antivirus Protection
  • AntiVirus Studio 2010
  • Antivirus System 2011
  • AV Protection 2012
  • Desktop Security
  • Desktop Security 2010
  • Security Monitor
  • Security Monitor 2012
  • Security Solution

XP Home Security 2012 (and others)

This variant of Win32/FakeRean has been distributed with many different names. The user interface and some other details vary to reflect each variant’s individual branding. These variants choose a name at random, from a number of possibilities determined by the operating system of the affected system. Please see below for all the possible combinations that may be used to brand the interface and associated content, including websites, etc. in recent variants:

Platform: Windows 7
  • Antispyware Win 7
  • Antivirus Win 7 2010
  • Total Win 7 Security
  • Win 7 AntiMalware
  • Win 7 AntiMalware 2010
  • Win 7 Anti-Spyware
  • Win 7 Antispyware 2010
  • Win 7 Anti-Spyware 2011
  • Win 7 Antispyware 2012
  • Win 7 Antivirus
  • Win 7 Antivirus 2010
  • Win 7 Anti-Virus 2011
  • Win 7 Antivirus 2012
  • Win 7 Antivirus Pro
  • Win 7 Antivirus Pro 2010
  • Win 7 Defender
  • Win 7 Defender 2010
  • Win 7 Defender Pro
  • Win 7 Guard
  • Win 7 Guardian
  • Win 7 Guardian 2010
  • Win 7 Home Security
  • Win 7 Home Security 2011
  • Win 7 Home Security 2012
  • Win 7 Internet Security
  • Win 7 Internet Security 2010
  • Win 7 Internet Security 2011
  • Win 7 Internet Security 2012
  • Win 7 Security
  • Win 7 Security 2011
  • Win 7 Security 2012
  • Win 7 Security Center
  • Win 7 Security Tool
  • Win 7 Security Tool 2010
  • Win 7 Smart Security
  • Win 7 Smart Security 2010
  • Win 7 Total Security
  • Win 7 Total Security 2011
  • Win 7 Total Security 2012

Platform: Windows Vista
  • Antispyware Vista
  • Antivirus Vista
  • Antivirus Vista 2010
  • Total Vista Security
  • Vista AntiMalware
  • Vista AntiMalware 2010
  • Vista Anti-Spyware
  • Vista Antispyware 2010
  • Vista Antispyware 2011
  • Vista Anti-Spyware 2011
  • Vista Antispyware 2012
  • Vista Antivirus
  • Vista Antivirus 2010
  • Vista Antivirus 2011
  • Vista Anti-Virus 2011
  • Vista Antivirus 2012
  • Vista Antivirus Pro
  • Vista Antivirus Pro 2010
  • Vista Defender
  • Vista Defender 2010
  • Vista Defender Pro
  • Vista Guard
  • Vista Guardian
  • Vista Guardian 2010
  • Vista Home Security
  • Vista Home Security 2011
  • Vista Home Security 2012
  • Vista Internet Security
  • Vista Internet Security 2010
  • Vista Internet Security 2011
  • Vista Internet Security 2012
  • Vista Security
  • Vista Security 2011
  • Vista Security 2012
  • Vista Security Tool
  • Vista Security Tool 2010
  • Vista Smart Security
  • Vista Smart Security 2010
  • Vista Total Security
  • Vista Total Security 2011
  • Vista Total Security 2012

Platform: Windows XP
  • Antispyware XP
  • AntiSpyware XP 2009
  • Antivirus XP
  • Antivirus XP 2010
  • Total XP Security
  • XP AntiMalware
  • XP AntiMalware 2010
  • XP Anti-Spyware
  • XP AntiSpyware 2009
  • XP Antispyware 2010
  • XP Antispyware 2011
  • XP Anti-Spyware 2011
  • XP Antispyware 2012
  • XP Antivirus 2010
  • XP Antivirus 2011
  • XP Anti-Virus 2011
  • XP Antivirus 2012
  • XP Antivirus Pro
  • XP Antivirus Pro 2010
  • XP Defender
  • XP Defender 2010
  • XP Defender Pro
  • XP Defender Pro 2010
  • XP Guard
  • XP Guardian
  • XP Guardian 2010
  • XP Home Security
  • XP Home Security 2011
  • XP Home Security 2012
  • XP Internet Security
  • XP Internet Security 2010
  • XP Internet Security 2011
  • XP Internet Security 2012
  • XP Police Antivirus
  • XP Security
  • XP Security 2011
  • XP Security 2012
  • XP Security Center
  • XP Security Tool
  • XP Security Tool 2010
  • XP Smart Security
  • XP Smart Security 2010
  • XP Total Security
  • XP Total Security 2011
  • XP Total Security 2012

The image below depicts the "XP Home Security 2012" branding.

When run, the malware copies itself to a location such as %AppData%\<three lowercase characters>.exe (for example, %AppData%\qkm.exe).

This variant may also modify security settings and block access to programs and websites. For more details, please see the XP Home Security 2012 description elsewhere in the encyclopedia.
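The persistence indicators given above for the Privacy Protection / Security Protection, Antivirus Protection 2012 and XP Home Security 2012 variants (Run value names, file names under %AppData%, and the %AppData%\<three lowercase characters>.exe pattern) can be checked mechanically against the Run key. The script below is an added example, not part of this encyclopedia entry or any Microsoft tool; it assumes the Run values have already been read into name/data pairs (for instance from a reg export) with %AppData% expanded, and the sample data is constructed, mixing the Vista/7 and XP profile layouts.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the FakeRean description above (Run value names and file names).
ROGUE_VALUE_NAMES = {"privacy protection", "security protection", "antivirus protection 2012",
                     "antivirus protection 2012 sm", "antivirus protection 2012 sh"}
ROGUE_FILE_NAMES = {"privacy.exe", "defender.exe", "antivirusprotection2012.exe",
                    "securitymanager.exe", "securityhelper.exe"}
THREE_LETTER_EXE = re.compile(r"^[a-z]{3}\.exe$")  # %AppData%\<three lowercase chars>.exe

def exe_path(data):
    """Reduce a Run command line ('"C:\\x.exe" /STARTUP' or 'C:\\x.exe') to the executable path."""
    return data[1:data.index('"', 1)] if data.startswith('"') else data.split(" /")[0]

def appdata_relative(path):
    """Components below %AppData% (...\\AppData\\Roaming on Vista/7, ...\\Application Data on XP), else None."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    for i, p in enumerate(parts):
        if (p == "roaming" and i > 0 and parts[i - 1] == "appdata") or p == "application data":
            return parts[i + 1:]
    return None

def classify(name, data):
    """Return why a Run entry matches a FakeRean indicator, or None if it does not."""
    if name.lower() in ROGUE_VALUE_NAMES:
        return f"known FakeRean Run value name {name!r}"
    rel = appdata_relative(exe_path(data))
    if not rel:
        return None
    if rel[-1] in ROGUE_FILE_NAMES:
        return f"FakeRean file name {rel[-1]} under %AppData%"
    if len(rel) == 1 and THREE_LETTER_EXE.match(rel[0]):
        return f"three-letter executable {rel[0]} directly in %AppData%"
    return None

def scan_run_values(run_values):
    """Map each flagged Run value name to the reason it matched."""
    return {n: r for n, d in run_values.items() if (r := classify(n, d))}

# Constructed sample (not from a real infection): the name/data pairs an export of
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run might yield, %AppData% already expanded.
SAMPLE_RUN = {
    "Privacy Protection": r"C:\Users\alice\AppData\Roaming\privacy.exe",
    "Antivirus Protection 2012": r'"C:\Users\alice\AppData\Roaming\Antivirus Protection 2012\AntivirusProtection2012.exe" /STARTUP',
    "Updater": r"C:\Users\alice\AppData\Roaming\Antivirus Protection 2012 Tm\securityhelper.exe",
    "qkm": r"C:\Documents and Settings\alice\Application Data\qkm.exe",
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}
```

The three-letter rule only fires for an executable sitting directly in %AppData%, so legitimate per-user software installed in its own subfolder is not flagged by it; the value-name and file-name rules are the stronger signals and should be confirmed with a full scan as described under Recovery.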

XP Antispyware 2009

Earlier variants exhibited different behavior. Please see the XP AntiSpyware 2009 description elsewhere in the encyclopedia for more details.

Analysis by David Wood

Prevention

Recovery

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.
