Installation
Internet Security 2010 and Security Essentials 2010
Win32/Fakeinit might be downloaded and installed by Rogue:Win32/Fakeinit. When run, it copies itself to a subfolder of the %ProgramFiles% folder. For example, the variant calling itself Security Essentials 2010 copies itself to %ProgramFiles%\Securityessentials2010\SE2010.exe, while Internet Security 2010 copies itself to %ProgramFiles%\internetsecurity2010\is2010.exe.
It creates a registry entry to make sure it runs every time Windows starts, for example:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Security essentials 2010"
With data: "%ProgramFiles%\Securityessentials2010\SE2010.exe"
or
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Internet Security 2010"
With data: "%ProgramFiles%\internetsecurity2010\is2010.exe"
Win32/Fakeinit also installs a DLL component, which might be present on the PC as <system folder>\helpers32.dll.
It also creates a desktop shortcut and adds itself to the Start Menu, as in the examples below:
When run, Win32/Fakeinit might display a splash screen like the following:
Antivirus XP Pro
When Win32/Fakeinit is distributed as Antivirus XP Pro, it is installed in the folder %ProgramFiles%\antivirusxp\antivirusxp.exe.
It also creates a program shortcut named antivirusxp.lnk in the following locations:
The shortcut might look like:
It also changes the system registry so that it runs every time Windows starts:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "AntivirusXP.exe"
With data: "%ProgramFiles%\antivirusxp\antivirusxp.exe"
Win32/Fakeinit's downloader component, detected as Rogue:Win32/Fakeinit, copies itself to <system folder>\smss32.exe and <system folder>\winlogon32.exe. It also creates files named <system folder>\warnings.html and %APPDATA%\Microsoft\Internet Explorer\Desktop.htt. These two files might be detected as Rogue:HTML/Fakeinit.
It might make the following registry changes to ensure that it is run every time Windows starts:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "smss32.exe"
With data: "<system folder>\smss32.exe"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "smss32.exe"
With data: "<system folder>\smss32.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "<system folder>\winlogon32.exe"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Security essentials 2010"
With data: "%ProgramFiles%\Securityessentials2010\SE2010.exe"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Internet Security 2010"
With data: "%ProgramFiles%\internetsecurity2010\is2010.exe"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "weukkkksds.cfg"
With data: "%APPDATA%\Antivirus Antispyware 2011\AS2011.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "updatesst"
With data: "%APPDATA%\Security Essentials Ultimate Pack\SecEls.exe"
When run, the fake scanner component, also detected as Rogue:Win32/Fakeinit, might copy itself to a subfolder of the %ProgramFiles% or %APPDATA% folder. For example:
- The variant calling itself Security Essentials 2010 copies itself to %ProgramFiles%\Securityessentials2010\SE2010.exe
- The variant calling itself Internet Security 2010 copies itself to %ProgramFiles%\internetsecurity2010\is2010.exe
- The variant calling itself Antivirus AntiSpyware 2011 copies itself to %APPDATA%\antivirus antispyware 2011\as2011.exe
- The variant calling itself Security Essentials Ultimate Pack copies itself to %APPDATA%\Security Essentials Ultimate Pack\SecEls.exe
Some variants might also create a configuration file with a gibberish-sounding file name, like %APPDATA%\Security Essentials Ultimate Pack\sejwtkvls\seddzryygzls.cfg
Payload
Acts as a fake antivirus scanner
Win32/Fakeinit displays a scanner that falsely reports nonexistent threats on your PC. It also shows dialog boxes and system tray balloons to try to convince you that your PC is infected with a number of malware threats, and then advises you to pay for software to remove these nonexistent threats:
If you click the Activate button, a browser window opens and displays a site from which you can pay to activate the program. One such website is buy-security-essentials.com.
Blocks access to certain websites
Win32/Fakeinit has a DLL component that monitors TCP traffic from applications with the following file names, most of which are browsers:
- chrome.exe
- csrss.exe
- firefox.exe
- flock.exe
- iexplore.exe
- opera.exe
- safari.exe
- svchost.exe
If the traffic is to a domain from a defined list, it might block access to the site, instead displaying the following image:
At the time of publication, one sample of Fakeinit was observed blocking the following sites:
- adultfriendfinder.com
- amazon.com
- ask.com
- bbc.co.uk
- bebo.com
- bing.com
- blogger.com
- craigslist.org
- digg.com
- ebay.com
- facebook.com
- flickr.com
- foxnews.com
- go.com
- godaddy.com
- guardian.co.uk
- hulu.com
- imageshack.us
- linkedin.com
- live.com
- livejasmin.com
- livejournal.com
- mapquest.com
- monster.com
- mozilla.com
- myspace.com
- mywebsearch.com
- nytimes.com
- photobucket.com
- pornhub.com
- rapidshare.com
- redtube.com
- thepiratebay.org
- tube8.com
- twitter.com
- washingtonpost.com
- weather.com
- wikipedia.org
- wordpress.com
- xvideos.com
- youporn.com
- youtube.com
Downloads and runs files
Fakeinit contacts one or more servers from which it might download files. Servers used at the time of publication include:
- for-sunny-se.com
- winter-smile.com
It saves the downloaded files to locations like:
Some of these files might be detected as other malware. One sample we observed downloaded, alongside Rogue:Win32/Fakeinit, a variant of Win32/Alureon detected as Trojan:Win32/Alureon.CT.
Stops processes
Fakeinit monitors running processes and stops any process from a specified list, displaying the following message box to try to convince you that your PC is infected with nonexistent malware:
In the wild, we have observed some variants of Win32/Fakeinit stopping the following processes:
- accesschk.exe
- AccessEnum.exe
- acdseepro3.exe
- acdseepro4.exe
- AcroRd32.exe
- ADExplorer.exe
- ADInsight.exe
- adrestore.exe
- AdvancedDVDPlayer.exe
- aim.exe
- arp.exe
- at.exe
- Autologon.exe
- autoruns.exe
- autorunsc.exe
- Bginfo.exe
- bitcomet.exe
- bitspirit.exe
- bittorrent.exe
- Cacheset.exe
- calc.exe
- chrome.exe
- Clockres.exe
- CloneCD.exe
- cmd.exe
- cmdkey.exe
- PCdefaults.exe
- conhost.exe
- Contig.exe
- control.exe
- Coreinfo.exe
- ctrl2cap.exe
- Dbgview.exe
- defragui.exe
- Desktops.exe
- DevicePairingWizard.exe
- digitaleditions.exe
- disk2vhd.exe
- diskext.exe
- Diskmon.exe
- DiskView.exe
- dmaster.exe
- du.exe
- dxdiag.exe
- efsdump.exe
- eventvwr.exe
- EXCEL.exe
- excel.exe
- far.exe
- fdm.exe
- find.exe
- flashget.exe
- freecell.exe
- ftp.exe
- FullTiltPoker.exe
- GOM.exe
- GoogleEarth.exe
- handle.exe
- help.exe
- hex2dec.exe
- hrtzzm.exe
- Icq.exe
- icq.exe
- Illustrator.exe
- infium.exe
- ipconfig.exe
- isoburn.exe
- journal.exe
- junction.exe
- LA.exe
- ldmdump.exe
- Listdlls.exe
- livekd.exe
- LoadOrd.exe
- logonsessions.exe
- miranda32.exe
- mirandaim.exe
- mmc.exe
- movefile.exe
- moviemk.exe
- mplay32.exe
- mplayer2.exe
- mplayerc.exe
- msaccess.exe
- msconfig.exe
- mshearts.exe
- msiexec.exe
- msmsgs.exe
- MsnMsgr.Exe
- msnmsgr.exe
- mspaint.exe
- mspub.exe
- MSWorks.exe
- Nero.exe
- NeroExpressPortable.exe
- netsh.exe
- netstat.exe
- nfs.exe
- notepad.exe
- nslookup.exe
- ntfsinfo.exe
- OIS.exe
- ois.exe
- outlook.exe
- pagedfrg.exe
- pendmoves.exe
- Photoshop.exe
- picasaphotoviewer.exe
- pinball.exe
- ping.exe
- pipelist.exe
- PokerStars.exe
- portmon.exe
- powercfg.exe
- PowerDVD.exe
- POWERPNT.exe
- powerpnt.exe
- POWERPOI.exe
- powershell.exe
- procdump.exe
- procexp.exe
- procexp64.exe
- ProcFeatures.exe
- psexec.exe
- psfile.exe
- psgetsid.exe
- Psinfo.exe
- pskill.exe
- pslist.exe
- psloggedon.exe
- psloglist.exe
- pspasswd.exe
- psservice.exe
- psshutdown.exe
- pssuspend.exe
- qip2010.exe
- QuickTimePlayer.exe
- realplay.exe
- RealPlayer.exe
- RecordingManager.exe
- reg.exe
- RegCloneCD.exe
- RegDelNull.exe
- regedit.exe
- regedt32.exe
- reget.exe
- regetdx.exe
- regjump.exe
- resmon.exe
- RootkitRevealer.exe
- route.exe
- rstrui.exe
- RwcRun.exe
- RWipeRun.exe
- sdelete.exe
- setup_wm.exe
- ShareEnum.exe
- ShellRunas.exe
- shvlzm.exe
- sidebar.exe
- sigcheck.exe
- Skype.exe
- skype.exe
- skypePM.exe
- sndvol32.exe
- sol.exe
- spider.exe
- streams.exe
- strings.exe
- sync.exe
- taskhost.exe
- taskkill.exe
- tasklist.exe
- taskmgr.exe
- tcpvcon.exe
- Tcpview.exe
- telnet.exe
- thebat.exe
- totalcmd.exe
- tracert.exe
- trillian.exe
- tvp.exe
- uTorrent.exe
- utorrent.exe
- vmmap.exe
- vmware.exe
- Volumeid.exe
- whois.exe
- winamp.exe
- WindowsAnytimeUpgradeUI.exe
- windvd.exe
- winmail.exe
- winmine.exe
- Winobj.exe
- WinRAR.exe
- WINWORD.exe
- winword.exe
- wmplayer.exe
- word.exe
- wow.exe
- wscript.exe
- wupdmgr.exe
- ypager.exe
- ZoomIt.exe
Disables Task Manager and Phishing Filter, and lowers security settings
Fakeinit tries to disable Internet Explorer's phishing filter by making the following registry changes:
In subkey: HKCU\Software\Microsoft\Internet Explorer\PhishingFilter
Sets value: "Enabled"
With data: "0"
Sets value: "EnabledV8"
With data: "0"
In subkey: HKLM\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter
Sets value: "EnabledV8"
With data: "0"
It tries to disable Task Manager with the following change:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableTaskMgr"
With data: "1"
It tries to place sites used by the particular variant of Win32/Fakeinit into the Trusted Sites Zone by making a number of additional changes, like those displayed in the following example:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-security-essentials.com
Sets value: "http"
With data: "2"
Analysis by David Wood