Trojan:Win32/FakeHadoc is a trojan that displays fabricated reports of disk errors in order to entice the user to pay to register the program. The trojan persistently terminates numerous processes such as Windows Registry Editor, Internet Explorer, Windows Task Manager and other utilities and applications.
The trojan checks whether there are at least eight files (including shortcuts) in the affected user's desktop folder; if so, it proceeds with its installation. If there are fewer than eight files, the trojan exits.
When executed, the trojan copies itself to:
Trojan:Win32/FakeHadoc adds the following shortcuts to the desktop and programs folder:
The trojan makes the following registry modifications in order to run its own dropped copy at each Windows start in place of the default Windows shell "Explorer.exe":
In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "%APPDATA%\hdddoctor.exe"
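The Winlogon "Shell" hijack above is a persistence technique that is easy to audit: on a clean installation the value, where present, is the bare string "explorer.exe". The following Python script is an added example written for this page, not code from the malware report or from Microsoft; it splits a Shell value into its comma-separated entries and reports every entry that is not the default shell, and on Windows it can read the live value with the standard-library winreg module (the function names and the sample values are constructed for illustration).

```python
import sys
from typing import List

# Default data of the Winlogon "Shell" value on a clean Windows installation.
DEFAULT_SHELL = "explorer.exe"
# Subkey named in the report (relative to the HKCU or HKLM hive).
WINLOGON_SUBKEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"


def suspicious_shell_entries(shell_value: str) -> List[str]:
    """Return the entries of a Winlogon Shell value that are not the default shell.

    The Shell value may hold several comma-separated programs, and Windows
    starts each of them at logon. Anything other than a bare "explorer.exe"
    is returned so an analyst can inspect it. Environment variables such as
    %APPDATA% are deliberately left unexpanded so the report shows exactly
    what is stored in the registry.
    """
    flagged = []
    for raw in shell_value.split(","):
        entry = raw.strip().strip('"')
        if not entry:
            continue
        if entry.lower() == DEFAULT_SHELL:
            continue
        flagged.append(entry)
    return flagged


def read_winlogon_shell(hive_name: str = "HKCU") -> str:
    """Read the live Shell value from HKCU or HKLM (Windows only, via winreg)."""
    if sys.platform != "win32":
        raise OSError("the Winlogon registry key only exists on Windows")
    import winreg  # standard library, available only on Windows

    hive = winreg.HKEY_CURRENT_USER if hive_name == "HKCU" else winreg.HKEY_LOCAL_MACHINE
    with winreg.OpenKey(hive, WINLOGON_SUBKEY) as key:
        try:
            data, _ = winreg.QueryValueEx(key, "Shell")
        except FileNotFoundError:
            # A per-user (HKCU) Shell value is normally absent; the default
            # lives under HKLM. Its mere presence under HKCU is worth a look.
            return ""
    return data


if __name__ == "__main__":
    # Constructed sample values: a clean default and the data this trojan sets.
    samples = {
        "clean default": "explorer.exe",
        "FakeHadoc": r"%APPDATA%\hdddoctor.exe",
    }
    for label, value in samples.items():
        print(f"{label}: {suspicious_shell_entries(value) or 'OK'}")
```

Run on Windows, `read_winlogon_shell("HKCU")` and `read_winlogon_shell("HKLM")` feed the live values into `suspicious_shell_entries`; the constructed samples in the `__main__` block let the logic be exercised offline. A multi-entry value such as `explorer.exe, %APPDATA%\hdddoctor.exe` is also handled, since the report would otherwise miss a payload appended after the legitimate shell.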
It also creates the following empty file:
When the trojan first runs, and periodically after that, it displays a message that claims there was a "serious system error" and that Windows needs to restart. It then counts down from 40 seconds and restarts the computer.
Win32/FakeHadoc continually enumerates running processes. If it finds a process whose name contains one of the following strings, it immediately terminates it:
When the trojan terminates an application, it displays an error that claims that the program could not be found.
Clicking the "Remind Later" button closes the warning, but any programs that the trojan terminates will continue to be terminated as soon as they try to run, which means they are effectively blocked.
If the user clicks the "Scan disk now" button, the trojan pretends to scan the computer, and then encourages the user to install a program called "HDD Doctor".
If the user clicks "Yes", the trojan displays a new window called "HDD Doctor", which displays more bogus hard drive errors, before leading the user, through several dialog boxes, towards paying to "activate" the program in order to fix the errors.
Analysis by Hamish O'Dea