TrojanDownloader:Win32/Fakeinit


This threat has been renamed to Rogue:Win32/Fakeinit.
 
Rogue:Win32/Fakeinit is a trojan that displays fake warnings of "malicious programs and viruses". It may download a fake scanner that informs the user that they need to pay money to register the software and remove these non-existent threats. Rogue:Win32/Fakeinit also terminates certain processes, lowers security settings, changes the desktop background, and attempts to download other malware, including further fake security software components (themselves detected as Rogue:Win32/Fakeinit) and Trojan:Win32/Alureon.CT.
 
Note: Reports of Rogue Antivirus programs have been more prevalent as of late.  These are programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software.  Some of these programs, such as Trojan:Win32/Antivirusxp and Program:Win32/FakeRednefed may display product names or logos in an apparently unlawful attempt to impersonate Microsoft products. 
 


What to do now

To detect and remove this threat and other malicious software that may be installed in your computer, run a full-system scan with an up-to-date antivirus product such as the following:
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Installation
Rogue:Win32/Fakeinit copies itself as the following files:
 
  • <system folder>\smss32.exe
  • <system folder>\winlogon32.exe
 
These file names should not be confused with those of the legitimate Windows files "smss.exe" and "winlogon.exe", which live in the same folder.
 
It also creates the following files, which may be detected as Rogue:HTML/Fakeinit:
 
<system folder>\warnings.html
%AppData%\Microsoft\Internet Explorer\Desktop.htt
 
Rogue:Win32/Fakeinit makes the following registry changes to ensure that it is run every time Windows starts:
 
Adds value: "smss32.exe"
With data: "<system folder>\smss32.exe"
In subkeys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
Adds value: "Userinit"
With data: "<system folder>\winlogon32.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

This overwrites the existing Userinit value, which on a clean system is "<system folder>\userinit.exe,". Winlogon launches whatever Userinit names at every interactive logon, so removing winlogon32.exe without restoring this value leaves the machine unable to complete logon; the value must be restored, not deleted.
 
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
Payload
Displays fake warning messages
Rogue:Win32/Fakeinit periodically displays messages suggesting that the computer is infected and that the user should download tools to remove the problem. These messages may take the form of message boxes or system tray balloons.

The desktop background is also changed to display a similar warning message.
It does so using the Desktop.htt and warnings.html files dropped earlier, and by making the following registry changes:
 
Adds value: "TileWallpaper"
With data: "0"
Adds value: "WallpaperStyle"
With data: "2"
Adds value: "Wallpaper"
With data: "%systemRoot%\system32\warnings.html"
Adds value: "BackupWallpaper"
With data: "%systemRoot%\web\wallpaper\Bliss.bmp"
Adds value: "WallpaperFileTime"
With data: "<8 bytes>"
Adds value: "WallpaperLocalFileTime"
With data: "<8 bytes>"
In subkey: HKCU\Software\Microsoft\Internet Explorer\Desktop\General
 
Adds value: "TileWallpaper"
With data: "0"
Adds value: "WallpaperStyle"
With data: "2"
Adds value: "Wallpaper"
With data: "C:\WINDOWS\web\wallpaper\Bliss.bmp"
In subkey: HKCU\Control Panel\Desktop
 
It prevents the user from changing this background by making the following changes to the registry:
 
Adds value: "NoSetActiveDesktop"
With data: "1"
Adds value: "NoChangingWallpaper"
With data: "1"
Adds value: "NoActiveDesktopChanges"
With data: "1"
In subkeys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
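Undoing the desktop lock described above, as an added example written for this page and not code from the Microsoft entry. It assumes an elevated PowerShell session on the affected machine and uses only the key and value names listed above; the FakeinitFix.Wallpaper P/Invoke wrapper and the fallback to an empty wallpaper when the recorded BackupWallpaper file no longer exists are my own choices:

```powershell
# Added example (not part of the Microsoft entry): reverse the Fakeinit desktop lock.
# Run from an elevated PowerShell prompt; the HKLM policy key needs administrator rights.

# 1. Remove the three Explorer policy values that block wallpaper changes, in both hives.
$policyValues = 'NoSetActiveDesktop', 'NoChangingWallpaper', 'NoActiveDesktopChanges'
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    if (-not (Test-Path $key)) { continue }
    foreach ($name in $policyValues) {
        $p = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if ($p) {
            "removing $key\$name (was $($p.$name))"
            Remove-ItemProperty -Path $key -Name $name
        }
    }
}

# 2. Choose the wallpaper to restore. Fakeinit records the previous path in BackupWallpaper
#    (Bliss.bmp on XP); if that file is missing on this machine, fall back to no wallpaper.
$adKey = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\General'
$ad = Get-ItemProperty -Path $adKey -ErrorAction SilentlyContinue
$restore = ''
if ($ad -and $ad.BackupWallpaper) {
    $candidate = [Environment]::ExpandEnvironmentVariables($ad.BackupWallpaper)
    if (Test-Path -LiteralPath $candidate) { $restore = $candidate }
}

# 3. Point both the Active Desktop and the classic desktop settings away from warnings.html.
if ($ad -and $ad.Wallpaper -like '*warnings.html') {
    Set-ItemProperty -Path $adKey -Name 'Wallpaper' -Value $restore
}
Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'Wallpaper' -Value $restore

# 4. Apply immediately through SystemParametersInfo(SPI_SETDESKWALLPAPER = 0x14) instead of
#    waiting for the next logon. SPIF_UPDATEINIFILE (0x01) | SPIF_SENDCHANGE (0x02) persists
#    the change and broadcasts it to running shells. Class name FakeinitFix.Wallpaper is mine.
if (-not ('FakeinitFix.Wallpaper' -as [type])) {
    Add-Type -TypeDefinition @'
using System.Runtime.InteropServices;
namespace FakeinitFix {
    public static class Wallpaper {
        [DllImport("user32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        public static extern bool SystemParametersInfo(uint uiAction, uint uiParam, string pvParam, uint fWinIni);
    }
}
'@
}
[void][FakeinitFix.Wallpaper]::SystemParametersInfo(0x14, 0, $restore, 0x01 -bor 0x02)

# 5. Only now remove the HTML payload. Desktop.htt is also a legitimate Active Desktop file
#    name, so it is renamed for analysis rather than deleted outright.
$html = Join-Path ([Environment]::GetFolderPath('System')) 'warnings.html'
if (Test-Path -LiteralPath $html) { Remove-Item -LiteralPath $html -Force }
$htt = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Desktop.htt'
if (Test-Path -LiteralPath $htt) { Move-Item -LiteralPath $htt -Destination "$htt.fakeinit" -Force }
```

The order matters: the policy values must go first (otherwise Explorer ignores the new wallpaper), the registry must be repointed before the HTML files are touched, and the SystemParametersInfo call is what makes the change visible without a logoff. This only restores the desktop; the persistence entries described under Installation still have to be dealt with separately.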
 
Downloads and executes arbitrary files
Rogue:Win32/Fakeinit contacts one or more servers from which it may download a number of files. As of this writing, some of the servers used are "for-sunny-se.com" and "winter-smile.com".
 
It saves the downloaded files to locations such as the following:
 
  • <system folder>\helpers32.dll
  • <system folder>\ES15.exe
  • <system folder>\41.exe
 
At the time of this writing, Rogue:Win32/Fakeinit downloads two components of fake security software, which are detected as Rogue:Win32/Fakeinit, and a variant of Win32/Alureon, detected as Trojan:Win32/Alureon.CT.
 
It then registers the downloaded DLL (helpers32.dll in the list above) as a Winsock Layered Service Provider (LSP), which may block access to certain websites.
 
Should the user click on the warnings displayed above, Rogue:Win32/Fakeinit copies the downloaded Fakeinit component to <system folder>\<5 digit random number>.exe and executes it to install the fake security software. The fake security software has been observed to use names such as "Internet Security 2010" and "Security Essentials 2010".
 
Terminates processes
Rogue:Win32/Fakeinit monitors running processes and terminates any process from the list below, then displays a message box claiming the terminated program is infected, in an attempt to convince the user that their system is infected. The processes targeted are:

acrord32.exe
advanceddvdplayer.exe
calc.exe
chrome.exe
clonecd.exe
cmd.exe
control.exe
digitaleditions.exe
excel.exe
freecell.exe
fulltiltpoker.exe
gom.exe
googleearth.exe
hrtzzm.exe
icq.exe
illustrator.exe
la.exe
miranda32.exe
moviemk.exe
mplay32.exe
mplayer2.exe
mplayerc.exe
msconfig.exe
mshearts.exe
msimn.exe
msmsgs.exe
msnmsgr.exe
mspaint.exe
msworks.exe
nero.exe
neroexpressportable.exe
nfs.exe
notepad.exe
ois.exe
outlook.exe
photoshop.exe
pinball.exe
pokerstars.exe
powerdvd.exe
powerpnt.exe
powerpoi.exe
quicktimeplayer.exe
realplay.exe
realplayer.exe
recordingmanager.exe
regclonecd.exe
regedit.exe
rstrui.exe
rwcrun.exe
rwiperun.exe
setup_wm.exe
shvlzm.exe
sidebar.exe
skype.exe
skypepm.exe
sndvol32.exe
sol.exe
spider.exe
taskmgr.exe
thebat.exe
tvp.exe
utorrent.exe
vmware.exe
winamp.exe
windowsanytimeupgradeui.exe
windvd.exe
winmine.exe
winrar.exe
winword.exe
wmplayer.exe
word.exe
wupdmgr.exe
 
Disables Task Manager and Phishing Filter, and lowers computer security settings
Rogue:Win32/Fakeinit attempts to disable Internet Explorer’s Phishing Filter by making the following registry changes:
 
Adds value: "Enabled"
With data: "0"
Adds value: "EnabledV8"
With data: "0"
In subkey: HKCU\Software\Microsoft\Internet Explorer\PhishingFilter
 
Adds value: "EnabledV8"
With data: "0"
In subkey: HKLM\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter
 
It attempts to disable Task Manager with the following change:
 
Adds value: "DisableTaskMgr"
With data: "1"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
 
It attempts to place sites used by the particular variant of Win32/Fakeinit into the Trusted Sites zone (zone 2) by mapping the http scheme of each domain to that zone:
 
Adds value: "http"
With data: "2"
In subkeys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-security-essentials.com
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-security-essentials.com
 
Adds value: "http"
With data: "2"
In subkeys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\get-key-se10.com
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\get-key-se10.com
 
Adds value: "http"
With data: "2"
In subkeys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\download-soft-package.com
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\download-soft-package.com
 
Adds value: "Flag"
With data: "67"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2

Zone 2 is the Trusted sites zone, and the documented name of this per-zone setting is "Flags". A value of 67 (0x43 = 0x40 | 0x02 | 0x01) leaves bit 0x04, "Require server verification (https:) for all sites in this zone", clear, which is what allows the plain-http domain mappings above to take effect.
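Auditing and reversing the settings changes in this section (phishing filter, Task Manager policy, ZoneMap entries and the zone flags), as an added example that is not part of the Microsoft entry. It assumes an elevated PowerShell session and Windows PowerShell 3.0 or later. The three domain names come from the entry; the -Fix switch, the enumeration of every zone-2 entry rather than only those domains, and the inspection of both the value name given above ("Flag") and the documented name ("Flags") are mine:

```powershell
# Added example (not from the Microsoft entry): audit, and optionally reverse, the
# Internet Explorer and policy changes Fakeinit makes. Save as Fakeinit-Audit.ps1.
param([switch]$Fix)

$knownBad = 'buy-security-essentials.com', 'get-key-se10.com', 'download-soft-package.com'

# Phishing filter switched off per-user (Enabled, EnabledV8) and machine-wide (EnabledV8).
foreach ($k in 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter',
               'HKLM:\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter') {
    $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    foreach ($n in 'Enabled', 'EnabledV8') {
        if ($p -and $p.$n -eq 0) {
            "[!] $k\$n = 0 (filter off)"
            if ($Fix) { Set-ItemProperty -Path $k -Name $n -Value 1 }   # 1 = filter on
        }
    }
}

# Task Manager lockout through the per-user System policy key.
$sysPol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$dtm = (Get-ItemProperty -Path $sysPol -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
if ($dtm -eq 1) {
    "[!] $sysPol\DisableTaskMgr = 1"
    if ($Fix) { Remove-ItemProperty -Path $sysPol -Name DisableTaskMgr }
}

# ZoneMap: each value under Domains\<domain>[\<host>] is a scheme name whose DWORD data is
# the zone number. Collect every Trusted-sites (2) mapping first, then act, so that removing
# keys does not disturb the enumeration.
$hits = @()
foreach ($hive in 'HKLM', 'HKCU') {
    $domains = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    if (-not (Test-Path $domains)) { continue }
    foreach ($key in @(Get-ChildItem -Path $domains -Recurse)) {
        $props = Get-ItemProperty -Path $key.PSPath
        $rel = $key.PSPath.Substring($key.PSPath.IndexOf('Domains\') + 8)   # e.g. example.com\www
        $domain = ($rel -split '\\')[0]
        foreach ($scheme in 'http', 'https', '*') {
            if ($props.$scheme -eq 2) {
                $hits += [pscustomobject]@{
                    Hive = $hive; Entry = $rel; Scheme = $scheme
                    Known = ($knownBad -contains $domain)
                    Path  = (Join-Path $domains $domain)
                }
            }
        }
    }
}
foreach ($h in $hits) {
    $tag = if ($h.Known) { 'KNOWN Fakeinit domain' } else { 'review' }
    "[!] $($h.Hive) Trusted-sites mapping $($h.Entry) ($($h.Scheme)) - $tag"
    if ($Fix -and $h.Known -and (Test-Path $h.Path)) { Remove-Item -Path $h.Path -Recurse -Force }
}

# Zone 2 flags: 67 = 0x43 = 0x40|0x02|0x01 has bit 0x04 ("require server verification
# (https:)") clear, so http entries count as trusted. The entry names the value "Flag";
# the documented name is "Flags", so both are inspected and only "Flags" is corrected.
$z2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'
$zp = Get-ItemProperty -Path $z2 -ErrorAction SilentlyContinue
foreach ($n in 'Flags', 'Flag') {
    if ($zp -and $zp.$n -ne $null -and -not ($zp.$n -band 0x04)) {
        "[!] Zones\2\$n = $($zp.$n): HTTPS verification for Trusted sites is off"
        if ($Fix -and $n -eq 'Flags') { Set-ItemProperty -Path $z2 -Name Flags -Value ($zp.$n -bor 0x04) }
    }
}
if (-not $hits -and $dtm -ne 1) { 'No Fakeinit settings changes found.' }
```

Run `.\Fakeinit-Audit.ps1` to report and `.\Fakeinit-Audit.ps1 -Fix` to reverse the changes. Mappings tagged "review" are deliberately left alone: a Trusted-sites entry for an unrelated domain may be legitimate on a managed machine, and variants of this family use servers other than the three listed here, so the full list is printed for a human to judge.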
 
Analysis by David Wood

Symptoms

System Changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    • <system folder>\smss32.exe
    • <system folder>\winlogon32.exe
  • The presence of the following registry modifications:
    Adds value: "smss32.exe"
    With data: "<system folder>\smss32.exe"
    In subkeys:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
     
    Adds value: "Userinit"
    With data: "<system folder>\winlogon32.exe"
    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  • Inability to run Windows Task Manager (available via Ctrl+Alt+Del)
  • Inability to change the Windows Desktop wallpaper, which has been replaced by the warnings.html page dropped by the malware
  • The presence of fake warnings of security threats
  • A warning that the computer is infected when you attempt to open certain programs (those listed under "Terminates processes")
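A read-only triage script for the indicators listed under Installation and again under Symptoms, together with the LSP check from "Downloads and executes arbitrary files". This is an added example, not code from the Microsoft entry. It assumes an elevated PowerShell session on the suspect host and that the clean Userinit value is "<system folder>\userinit.exe,"; file names, value names and paths are those given in the entry, while the output format is mine:

```powershell
# Added example (not part of the Microsoft entry): report Rogue:Win32/Fakeinit indicators
# without changing anything. Run from an elevated PowerShell prompt.

$sys = [Environment]::GetFolderPath('System')   # resolves <system folder>, e.g. C:\Windows\System32
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped executables, HTML payloads and the downloaded LSP DLL.
$dropped = @(
    (Join-Path $sys 'smss32.exe'),
    (Join-Path $sys 'winlogon32.exe'),
    (Join-Path $sys 'warnings.html'),
    (Join-Path $sys 'helpers32.dll'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Desktop.htt')
)
foreach ($path in $dropped) {
    if (Test-Path -LiteralPath $path) { $findings.Add("file present: $path") }
}

# 2. Run-key persistence: a value named "smss32.exe" under HKLM and HKCU ...\Run.
foreach ($hive in 'HKLM', 'HKCU') {
    $run = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $v = Get-ItemProperty -Path $run -Name 'smss32.exe' -ErrorAction SilentlyContinue
    if ($v) { $findings.Add("Run value smss32.exe in $run -> $($v.'smss32.exe')") }
}

# 3. Winlogon\Userinit. Clean value is "<system folder>\userinit.exe," and nothing else;
#    Fakeinit overwrites it with winlogon32.exe. Remediation is to write the clean value
#    back, never to delete the value, or interactive logon stops working.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $wl -Name 'Userinit').Userinit
$expected = (Join-Path $sys 'userinit.exe') + ','
if ($userinit -ne $expected) {
    $findings.Add("Userinit tampered: '$userinit' (expected '$expected')")
}

# 4. Task Manager disabled through per-user policy.
$sysPol = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$dtm = (Get-ItemProperty -Path $sysPol -Name 'DisableTaskMgr' -ErrorAction SilentlyContinue).DisableTaskMgr
if ($dtm -eq 1) { $findings.Add("DisableTaskMgr = 1 in $sysPol") }

# 5. Active Desktop wallpaper redirected to the dropped warnings.html.
$adKey = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\General'
$wp = (Get-ItemProperty -Path $adKey -Name 'Wallpaper' -ErrorAction SilentlyContinue).Wallpaper
if ($wp -and $wp -like '*warnings.html') { $findings.Add("wallpaper points at $wp") }

# 6. Winsock catalog: helpers32.dll registered as a Layered Service Provider.
#    "netsh winsock show catalog" is built in; "netsh winsock reset" removes every
#    third-party LSP and needs a reboot, so run it only once this hit is confirmed.
$catalog = netsh winsock show catalog 2>$null
if ($catalog -match 'helpers32\.dll') { $findings.Add('Winsock LSP entry references helpers32.dll') }

if ($findings.Count -eq 0) { 'No Fakeinit indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

The Userinit check is the one to act on with care: because Winlogon consults that value at every interactive logon, a hit there must be fixed by restoring the clean string before winlogon32.exe is removed. A full scan with an up-to-date antivirus product, as the entry recommends, should still follow any manual clean-up.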

Prevention


Alert level: Severe
This entry was first published on: Apr 02, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Adware/RealAntivirus (Panda)
  • Fake-XPSecCenter (McAfee)
  • Trojan.Zlob (Symantec)
  • Rogue:Win32/Fakeinit (Microsoft)
  • Security Essentials 2011 (other)