Rogue:VBS/FakePAV


Microsoft security software detects and removes this threat.

This threat is a file that is used to download rogue security software programs that we detect as Win32/FakePav.

See the Win32/FakePAV description for more information.




What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

This threat is a file that is used to download rogue security software programs that we detect as Win32/FakePav.

It is a .vbe file, that is, a Visual Basic Script (VBS) file that has been run through the Microsoft Script Encoder.

When run, the file tries to connect to a predefined server whose address is encoded in the file, so the server address differs between versions. It tries to download a file from that server and saves it to the %TEMP% folder as a .exe file.

We have seen it download setup.exe.vbe from the following servers and files:

  • <hexadecimal value>-19dc26c51ead3b4fd8eb395f59b15bcb.r59.cf2.rackcdn.com/setup.exe
  • <hexadecimal value>-7e5e590511867516e679d8131e8f65d1.r13.cf2.rackcdn.com/b661d395113bc6c61ef19ba9062e6352.exe
  • <hexadecimal value>-a941e09a8ebc3a85367c1ba4d545bd67.r11.cf2.rackcdn.com/7b46a66b3ce37eb916e5e89b76968f48.exe
  • <hexadecimal value>-a941e09a8ebc3a85367c1ba4d545bd67.r11.cf2.rackcdn.com/c9b969ce1676e613b12357501d9aa80a.exe

The downloaded file installs the Win32/FakePav rogue onto your PC.

Additional information

It uses the MSXML2.XMLHTTP and ADODB.Stream COM objects for communication and file transfer, respectively, to download and write the .exe file.

Some variants use signed VBS files.
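The behaviour described above (an encoded .vbe file that fetches a .exe through MSXML2.XMLHTTP, writes it with ADODB.Stream into %TEMP%, and pulls it from a rackcdn.com host carrying a 32-hex-digit label) gives a defender a few cheap triage checks. The following is an added example written for this page, not Microsoft's tooling or detection signatures: it flags Script Encoder markers in a file and, for a script that has already been decoded, scores the indicator combination and extracts URLs matching the hosting pattern listed in the entry. The marker strings, indicator names, and the sample inputs (including the "c0ffee" stand-in for the entry's "<hexadecimal value>") are this example's own assumptions.

```python
"""Triage helper for VBS/VBE downloader samples (added example, not from the entry)."""
import re

# The Microsoft Script Encoder wraps its output in these two markers.
VBE_START = "#@~^"
VBE_END = "^#~@"

# Indicators taken from the entry's behaviour description. The names are this
# example's own labels, not Microsoft's detection names.
INDICATORS = {
    "xmlhttp": re.compile(r"MSXML2\.XMLHTTP", re.IGNORECASE),
    "adodb_stream": re.compile(r"ADODB\.Stream", re.IGNORECASE),
    "exe_payload": re.compile(r"\.exe\b", re.IGNORECASE),
    "temp_folder": re.compile(r"%TEMP%", re.IGNORECASE),
}

# Hosting pattern from the entry's URL list: <hex>-<32 hex digits>.r<nn>.cf2.rackcdn.com/<file>
RACKCDN_URL = re.compile(
    r"(?:https?://)?[0-9a-f]+-[0-9a-f]{32}\.r\d+\.cf2\.rackcdn\.com/[\w.-]+",
    re.IGNORECASE,
)


def is_vbe_encoded(data: bytes) -> bool:
    """Return True when the blob carries both Script Encoder markers.

    This only identifies encoded content; it does not decode it. Decode with a
    trusted tool first, then pass the plaintext to score_script().
    """
    text = data.decode("latin-1")  # byte-preserving; markers are plain ASCII
    return VBE_START in text and VBE_END in text


def score_script(text: str) -> dict:
    """Score decoded VBS text against the indicators described in the entry."""
    hits = {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}
    hits["urls"] = RACKCDN_URL.findall(text)
    # The entry's downloader combination: fetch via XMLHTTP, write via
    # ADODB.Stream, and a .exe payload. All three must be present.
    hits["fakepav_downloader"] = (
        hits["xmlhttp"] and hits["adodb_stream"] and hits["exe_payload"]
    )
    return hits


# Constructed sample inputs (not real samples). SAMPLE_DECODED holds only the
# object names and strings the entry describes; "c0ffee" stands in for the
# entry's "<hexadecimal value>". SAMPLE_ENCODED is a marker-wrapped stand-in
# for ciphertext, not real Script Encoder output.
SAMPLE_DECODED = (
    'Set http = CreateObject("MSXML2.XMLHTTP")\n'
    'Set stm = CreateObject("ADODB.Stream")\n'
    'src = "http://c0ffee-19dc26c51ead3b4fd8eb395f59b15bcb.r59.cf2.rackcdn.com/setup.exe"\n'
    'dst = "%TEMP%\\setup.exe"\n'
)
SAMPLE_ENCODED = b"#@~^AAAAAA==constructed-ciphertext-stand-in^#~@"
SAMPLE_BENIGN = 'WScript.Echo "hello"\n'


if __name__ == "__main__":
    print("encoded sample flagged:", is_vbe_encoded(SAMPLE_ENCODED))
    print("benign script flagged:", is_vbe_encoded(SAMPLE_BENIGN.encode()))
    for label, script in (("decoded sample", SAMPLE_DECODED), ("benign", SAMPLE_BENIGN)):
        result = score_script(script)
        print(f"{label}: downloader={result['fakepav_downloader']} urls={result['urls']}")
```

The `temp_folder` indicator is deliberately left out of the final verdict: a script may resolve the temp path through the shell or file-system objects rather than the literal `%TEMP%` string, so it is reported but not required. Hosts matching `RACKCDN_URL` are worth checking against proxy or DNS logs for the dates in the entry, keeping in mind that the same CDN serves legitimate content and the match is a lead, not a verdict.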

Analysis by Wei Li


Prevention


Alert level: Severe
First detected by definition: 1.165.3912.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Feb 12, 2014
This entry was first published on: Feb 20, 2014
This entry was updated on: Aug 25, 2014

This threat is also detected as:
No known aliases