TrojanDownloader:Win32/FakeVimes


TrojanDownloader:Win32/FakeVimes is a downloading component of Win32/FakeVimes - a family of programs that claims to scan for malware and displays fake warnings of “malicious programs and viruses”. They then inform the user that they need to pay money to register the software in order to remove these non-existent threats.
 
Special Note:
Reports of rogue antivirus programs have become more prevalent recently. These are programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software. Some of these programs may display product names or logos in an apparently unlawful attempt to impersonate Microsoft products.
 
Use Microsoft Windows Defender, the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742), or another up-to-date scanning and removal tool to detect and remove these threats and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.


What to do now

Use Microsoft Windows Defender, Microsoft Security Essentials, the Microsoft Safety Scanner, or another up-to-date scanning and removal tool to detect and remove this threat and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.

Threat behavior

Installation
Members of the Win32/FakeVimes family use various filenames and system modifications that can differ from one variant to the next. Win32/FakeVimes has been distributed under several different names. The user interface and some other details vary to reflect each variant's individual branding.
 
When executed, TrojanDownloader:Win32/FakeVimes copies itself under a variable file name to the %temp% folder and sets the following registry entry to ensure that it runs when Windows starts:
Adds value: <variable value>
With data: <%temp%\TrojanDownloader:Win32/FakeVimes executable>
To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Payload
Downloads and executes arbitrary files
TrojanDownloader:Win32/FakeVimes has been observed downloading other components of Win32/FakeVimes in the wild. These components may be detected as Trojan:Win32/FakeVimes. While downloading and installing these additional components, TrojanDownloader:Win32/FakeVimes may display one of the following messages, for example:
 
The downloaded file is saved to the following location with a filename that differs according to distribution:
C:\Documents and Settings\All Users\Application Data\<random value>\<Rogue Name.exe>
For example:
C:\Documents and Settings\All Users\Application Data\ff3ce05\UA2009.exe
 
Modifies hosts file
Win32/FakeVimes modifies the Windows Hosts file. The local Hosts file overrides DNS resolution, mapping a web site's host name to a particular IP address. Malicious software may modify the Hosts file to redirect specified URLs to different IP addresses; malware often does this on an affected machine to stop users from reaching websites associated with security-related applications, such as antivirus products. Win32/FakeVimes may modify the Hosts file to redirect search domains to a different site, as in the following examples:
 
206.53.61.77 search.msn.com
206.53.61.77 search.live.com
206.53.61.77 google.com
206.53.61.77 search.yahoo.com
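
The Hosts file modification above is easy to check for during triage. The following script is an added example, not part of the original encyclopedia entry or any Microsoft tool; it parses a constructed Hosts file containing the four redirections listed above and flags two patterns: a watched search domain resolving to anything other than a loopback address, and one non-loopback IP claiming several unrelated host names (the sinkhole pattern seen in the sample). The watch list, the sample file contents and the `min_shared` threshold are assumptions chosen for this example.

```python
import ipaddress
from collections import defaultdict

# Domains the entry above reports FakeVimes redirecting (assumed watch list;
# a real triage list would also carry security vendors' download sites).
WATCHED_DOMAINS = {"search.msn.com", "search.live.com", "google.com", "search.yahoo.com"}

# Constructed sample: Windows default Hosts lines plus FakeVimes-style entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
206.53.61.77 search.msn.com
206.53.61.77 search.live.com
206.53.61.77 google.com   # trailing comment, must be ignored
206.53.61.77 search.yahoo.com
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blank lines and bad IPs."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; not a resolvable mapping
        for host in fields[1:]:
            yield ip, host.lower()


def find_hijacked_entries(text, watched=WATCHED_DOMAINS, min_shared=3):
    """Return suspicious (ip, hostname) pairs as strings.

    Loopback mappings are ignored (that is how ad-blocking lists work); a
    watched domain sent anywhere else, or one external IP collecting
    min_shared or more host names, is reported.
    """
    pairs = list(parse_hosts(text))
    hosts_by_ip = defaultdict(set)
    for ip, host in pairs:
        hosts_by_ip[ip].add(host)
    flagged = []
    for ip, host in pairs:
        if ip.is_loopback:
            continue
        if host in watched or len(hosts_by_ip[ip]) >= min_shared:
            flagged.append((str(ip), host))
    return flagged


if __name__ == "__main__":
    for ip, host in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {host} -> {ip}")
```

On a live Windows system the same function can be run over the contents of %SystemRoot%\System32\drivers\etc\hosts.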
 
Modifies system settings
Attempts to disable UAC (User Account Control) prompts by modifying the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
 
Contacts remote host
TrojanDownloader:Win32/FakeVimes reports information about the settings of affected machines and successful installations to a remote host. In the wild it has been observed contacting the following host for this purpose:
updvmfnow.cn
Additional Information
For more information, please see the Trojan:Win32/FakeVimes description elsewhere in the encyclopedia.

Analysis by Ray Roberts

Symptoms

System Changes
Symptoms vary among different distributions of TrojanDownloader:Win32/FakeVimes; however, the presence of the following system changes (or similar) may indicate the presence of this program:
  • Display of the following images/dialogs, or similar (for example):

Prevention


Alert level: Severe
This entry was first published on: May 12, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
No known aliases