
Win32/FakeCog


Microsoft security software detects and removes this threat.

This family of rogue security programs pretends to scan your PC for malware and typically reports a large number of infections. The program then says you have to pay for it before it can fully clean your PC.

However, the program hasn't really detected any malware at all and isn't really an antivirus or antimalware scanner. It just looks like one so you'll send money to the people who made the program. Some of these programs use product names or logos that unlawfully impersonate Microsoft products.

Even if you do pay to "unlock" the app, it won't do anything because your PC isn't actually infected with all that malware it "found".

Different brands of the rogue may modify various settings on your computer, end or close programs or system services, or block access to websites.

Find out ways that malware can get on your PC.



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

When run, Rogue:Win32/FakeCog creates a registry subkey and its associated entries, for example:

In subkey: HKLM\SOFTWARE\AntiMalware

Sets value: "Settings_0"
With data: "dword:00000000"

Sets value: "SecStatus_3"
With data: "dword:00000001"

Sets value: "SecStatus_4"
With data: "dword:00000001"

Sets value: "SecStatus_5"
With data: "dword:00000001"

Sets value: "FD"
With data: "dword:00000000"

Sets value: "GUID"
With data: "455366164553576845534928"

Sets value: "Data"
With data: ":1830:2040:2145:2250:2355:2460:2670:2775:2880:"

Sets value: "swver"
With data: "1.0"

Sets value: "dbver"
With data: "1.0"

Sets value: "dbsigns"
With data: "61473"

Sets value: "InfectedFiles"
With data: "C:\WINDOWS\System32\olecli.dll,C:\WINDOWS\System32\scrrun.dll,C:\WINDOWS\System32\stclient.dll,C:\WINDOWS\System32\url.dll,C:\WINDOWS\System32\winhttp.dll,C:\WINDOWS\System32\oobe\dtsgnup.htm,C:\WINDOWS\System32\Drivers\cdaudio.sys,C:\WINDOWS\System32\Drivers\sonydcam.sys,C:\Program Files\outlook Express\wab.exe,"

Sets value: "Infected"
With data: "dword:00000009"

We have seen Win32/FakeCog drop two components in the %TEMP% directory.

The first component drops a .dll file with a variable name in the same folder, and injects it into the Windows Explorer process so that it can remain running on your PC.

The second component displays an imitation of the Windows Security Center dialog box and drops an .exe file with a double extension, .tmp.exe (for example, asdf.tmp.exe), in the same folder. This .exe file tries to uninstall legitimate security products that it finds on the system and also installs its own rogue software.

Win32/FakeCog can create desktop shortcuts, for example:

We have also seen Win32/FakeCog download and install variants of the Win32/Alureon family.

Payload

Displays false security alerts and misleading dialogs

The rogue displays false security alerts on the system to pressure you into purchasing its registered version.

It pretends to be the Windows Security Center in an attempt to convince you to install the rogue, as seen in the image below:

It poses as legitimate software by displaying install messages, as seen below:

It displays a scanner which falsely reports a number of threats in the system:

If you click on the "Activate your copy" button, you might see the following:

Note that the logos on the lower right corner are there to trick you into thinking that the transaction is secure and legitimate. None of these companies are actually affiliated with this program.

The rogue informs you this version is a demo which requires an upgrade:

It also periodically displays a number of dialog boxes and system tray balloons which attempt to convince you to pay money to register the software:

Asks you to uninstall your antivirus software

The rogue can prompt you to remove your legitimate antivirus software. To do this, it shows a message box such as the following:

Pressing OK runs the uninstaller for certain antivirus products. In the above example, it tries to uninstall Microsoft Security Essentials.

Connects to remote sites and downloads files

Win32/FakeCog can download encrypted files from remote sites. The encrypted files can contain data or could be malware.

Disables task manager

Some variants of Win32/FakeCog have been observed disabling Task Manager by making the following registry modifications:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableTaskMgr"
With data: "1"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
Sets value: "DisableTaskMgr"
With data: "1"
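The artifacts described above, the HKLM\SOFTWARE\AntiMalware subkey from the Installation section, the DisableTaskMgr policy values, and the double-extension .tmp.exe dropped in %TEMP%, can be checked on a host with a script such as the following. This is an added example and not part of this Microsoft entry; the key paths, value names and file pattern are taken from the entry, while the Wow6432Node path (where a 32-bit process writing to HKLM\SOFTWARE lands on 64-bit Windows), the Add-Indicator helper and the output layout are assumptions.

```powershell
# Added example, not part of the Microsoft encyclopedia entry.
# Reports the Win32/FakeCog indicators described above; it does not remove anything.
# Run from an elevated PowerShell prompt so the HKLM keys are readable.

$indicators = New-Object System.Collections.Generic.List[object]

# Helper (assumed name): collects one finding. The list is mutated in place,
# so it works from inside the function without scope tricks.
function Add-Indicator([string]$Kind, [string]$Location, [string]$Detail) {
    $indicators.Add([pscustomobject]@{ Indicator = $Kind; Location = $Location; Detail = $Detail })
}

# 1. Installation indicator: the rogue's configuration subkey. The entry lists
#    HKLM\SOFTWARE\AntiMalware; the Wow6432Node path is an assumption covering a
#    32-bit rogue on 64-bit Windows, where the registry redirector places it.
foreach ($rogueKey in 'HKLM:\SOFTWARE\AntiMalware', 'HKLM:\SOFTWARE\Wow6432Node\AntiMalware') {
    if (-not (Test-Path $rogueKey)) { continue }
    $props = Get-ItemProperty -Path $rogueKey
    $settings = $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |          # drop PSPath, PSProvider, etc.
        ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }
    Add-Indicator 'Rogue registry subkey present' $rogueKey ($settings -join '; ')

    # "InfectedFiles" is a comma-separated list of legitimate Windows files the rogue
    # claims are infected. Record them so nobody deletes them during cleanup.
    foreach ($file in ($props.InfectedFiles -split ',' | Where-Object { $_ })) {
        $state = if (Test-Path -LiteralPath $file) { 'present (legitimate file, do not delete)' } else { 'not present' }
        Add-Indicator 'File falsely reported as infected' $file $state
    }
}

# 2. Payload indicator: Task Manager disabled through policy in either hive.
#    The string comparison handles the value whether it was written as REG_DWORD or REG_SZ.
foreach ($policyKey in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
                       'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System') {
    $value = (Get-ItemProperty -Path $policyKey -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
    if ("$value" -eq '1') {
        Add-Indicator 'Task Manager disabled by policy' "$policyKey\DisableTaskMgr" "DisableTaskMgr=$value"
    }
}

# 3. Dropped component: the entry describes a double-extension .tmp.exe in %TEMP%.
#    Only the current user's %TEMP% is checked here; repeat per profile if needed.
foreach ($exe in (Get-ChildItem -Path $env:TEMP -Filter '*.tmp.exe' -File -ErrorAction SilentlyContinue)) {
    Add-Indicator 'Double-extension executable in %TEMP%' $exe.FullName `
        ('{0} bytes, modified {1}' -f $exe.Length, $exe.LastWriteTime)
}

if ($indicators.Count -eq 0) {
    'No Win32/FakeCog indicators found.'
} else {
    $indicators | Format-Table -AutoSize -Wrap
}
```

The script only reports; removal should be left to the antimalware product named above, because the paths in "InfectedFiles" are real Windows components (olecli.dll, winhttp.dll, wab.exe and so on) and deleting them would damage the system rather than clean it. A DisableTaskMgr value of 1 with no legitimate Group Policy behind it is the quickest sign that the policy tampering described in this section has taken place.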

Analysis by Francis Allan Tan Seng and Gilou Tenebro


Symptoms

The following could indicate that you have this threat on your PC:

  • The presence of the following registry subkey:

    HKLM\SOFTWARE\AntiMalware
  • The display of the following images:

Prevention


Alert level: Severe
This entry was first published on: Sep 15, 2010
This entry was updated on: Aug 06, 2014

This threat is also detected as:
  • CoreGuard Antivirus 2009 (other)
  • Dr.Guard (other)
  • Digital Protection (other)
  • Your Protection (other)
  • Protection Center (other)
  • Defense Center (other)
  • Anvi Antivirus (other)
  • Data Protection (other)
  • AntiMalware (other)
  • Malware Defense (other)
  • Paladin Antivirus (other)
  • User Protection (other)
  • AntiVirus (other)