FakeAlert-AVPSec.e

FakeAlert-AVPSec.e Description

FakeAlert-AVPSec.e is a Trojan that installs itself silently on a user's computer. Once on a system, it runs a fake system scan and reports the detection of dangerous malware that is not actually present. This scare tactic is used to coerce users into purchasing rogue security software. FakeAlert-AVPSec.e also modifies the system registry and creates a start-up (Run key) entry so that it is launched on every logon.

Technical Information

File System Details

FakeAlert-AVPSec.e creates the following file(s):
# File Name Detection Count
1 c:\Documents and Settings\%user%\Local Settings\Temp\packupdate_build107_328.exe N/A
2 c:\Documents and Settings\All Users\Application Data\b45b499\MSb45b.exe N/A
3 c:\Documents and Settings\%user%\Application Data\My Security Engine N/A
4 c:\Documents and Settings\All Users\Application Data\b45b499\BackUp\Adobe Reader Speed Launch.lnk N/A
5 c:\Documents and Settings\%user%\Application Data\Microsoft\Internet Explorer\Quick Launch\My Security Engine.lnk N/A
6 c:\Documents and Settings\%user%\Start Menu\My Security Engine.lnk N/A
7 c:\Documents and Settings\All Users\Application Data\MSTLDEE N/A
8 c:\Documents and Settings\All Users\Application Data\b45b499\MSE.ico N/A
9 c:\Documents and Settings\All Users\Application Data\MSTLDEE\MSHIBFFJWSE.cfg N/A
10 c:\Documents and Settings\%user%\Desktop\My Security Engine.lnk N/A
11 c:\Documents and Settings\All Users\Application Data\b45b499 N/A
12 c:\Documents and Settings\All Users\Application Data\b45b499\3411.mof N/A
13 c:\Documents and Settings\All Users\Application Data\b45b499\MSESys\vd952342.bd N/A
14 c:\Documents and Settings\%user%\Application Data\My Security Engine\Instructions.ini N/A
15 c:\Documents and Settings\%user%\Start Menu\Programs\My Security Engine.lnk N/A

Registry Details

FakeAlert-AVPSec.e creates the following registry entries:
Registry Key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Image File Execution
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer [IIL] Data: 00, 00, 00, 00
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer [PRS] Data: http://127.0.0.1:27777/?inj=%ORIGINAL%
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run [My Security Engine] Data: MSb45b.exe /s /d
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Firewall Policy\StandardProfile\AuthorizedApplications\List [MSb45b.ex] Data: MSb45b.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG
HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes [URL] Data: http://find[removed].com/?&uid=328&q={searchTerms}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer [ltTST] Data: A5, 81, 00, 00
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download [RunInvalidSignatures] Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\Firewall Policy\StandardProfile\AuthorizedApplications\List [MSb45b.exe] Data: MSb45b.exe
HKEY_CURRENT_USER\Software\3
HKEY_CLASSES_ROOT\MSb45b.DocHostUIHandler
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes [URLs] Data: http://find[removed].com/?&uid=328&q={searchTerms}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer [ltHI] Data: 00, 00, 00, 00
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation [MSCompatibilityMode] Data: 00, 00, 00, 00
HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF} [(Default)] Data: Implements DocHostUIHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
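As an added defender-side example (it is not part of the original listing), the following PowerShell script checks a host for the persistence, firewall and Internet Explorer indicators listed above and for the main dropped files. It only reads and reports; it deletes nothing. Assumptions: the firewall list key is spelled FirewallPolicy (as on real systems) rather than with the space shown in the listing; the XP-era paths from the file table are mapped onto the usual environment variables; the uid=328 search-scope marker and the 127.0.0.1:27777 PRS value are taken from the listing; the function name Find-FakeAlertIndicators is ours.

```powershell
# Added detection check for the FakeAlert-AVPSec.e indicators on this page.
# Read-only: reports matches, changes nothing. Run from an elevated prompt so
# the HKLM firewall key is readable.
function Find-FakeAlertIndicators {
    $findings = @()

    # Helper: read one registry value and record it if $Match says it is suspicious.
    function Test-RegValue {
        param([string]$Path, [string]$Name, [scriptblock]$Match, [string]$Label)
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $value = $item.$Name
            if (& $Match $value) {
                $script:hits += "$Label : $Path [$Name] = $value"
            }
        }
    }
    $script:hits = @()

    # 1. Persistence: Run entry "My Security Engine" launching MSb45b.exe (from the listing)
    Test-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' 'My Security Engine' `
        { param($v) $v -match 'MSb45b\.exe' } 'Run-key persistence'

    # 2. Firewall whitelist entry for the dropped executable
    #    (assumption: key name is FirewallPolicy, no space)
    $fwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    Test-RegValue $fwList 'MSb45b.exe' { param($v) $true } 'Firewall authorized-application entry'

    # 3. Internet Explorer traffic pointed at a local listener on port 27777
    Test-RegValue 'HKCU:\Software\Microsoft\Internet Explorer' 'PRS' `
        { param($v) "$v" -match '127\.0\.0\.1:27777' } 'IE local redirect (PRS) setting'

    # 4. IE allowed to run downloads with invalid signatures (DWORD or 4-byte binary 01 00 00 00)
    Test-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\Download' 'RunInvalidSignatures' `
        { param($v) [int]($v | Select-Object -First 1) -ne 0 } 'Invalid-signature downloads enabled'

    # 5. Search hijack: SearchScopes URL carrying the uid=328 marker from the listing
    $scopes = 'HKCU:\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes'
    Test-RegValue $scopes 'URL' { param($v) "$v" -match 'uid=328' } 'Search-scope hijack'

    $findings += $script:hits

    # 6. Dropped files and shortcuts (XP-era paths mapped to environment variables; assumption)
    $paths = @(
        (Join-Path $env:ALLUSERSPROFILE 'Application Data\b45b499\MSb45b.exe'),
        (Join-Path $env:ALLUSERSPROFILE 'Application Data\MSTLDEE\MSHIBFFJWSE.cfg'),
        (Join-Path $env:APPDATA 'My Security Engine\Instructions.ini'),
        (Join-Path $env:USERPROFILE 'Desktop\My Security Engine.lnk'),
        (Join-Path $env:TEMP 'packupdate_build107_328.exe')
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) { $findings += "Dropped file : $p" }
    }

    return $findings
}

$result = Find-FakeAlertIndicators
if ($result.Count -eq 0) {
    'No FakeAlert-AVPSec.e indicators found.'
} else {
    "Found $($result.Count) indicator(s):"
    $result | ForEach-Object { " - $_" }
}
```

Each check is deliberately narrow (exact value name plus the page's own marker) so that a legitimate Run entry or search provider does not trigger it; a hit on the Run key together with the firewall entry or the PRS redirect is a strong signal, a lone RunInvalidSignatures=1 is weaker and worth confirming against the dropped files before acting.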