Summary

Antivirus XP 2008 is a component of the FakeAlert family of trojans, closely related to several other malware families CA detects (such as the Bugnraw and Tibser families). It follows a long line of schemes to extort money from computer users by means of multi-component malware.

The FakeAlert family is one part trojan, one part downloader and one part rogue security product, and all components work together to trick users out of money. The downloader fetches further code and installs a rogue security product. The most recent, and unfortunately most prolific, product installed this way is "Antivirus XP 2008", but that can change; past downloads have included rogue security products such as Antivirus 2009, WinFixer 2006 and Malware Protector 2008.

Most variants hijack the user's desktop and screensaver. They also display what look like legitimate Windows alerts (balloon windows), but are in fact fake alerts, to scare the user into believing the machine is infected with spyware. The actual infection is FakeAlert and its related components. The same alerts then offer a remedy for the "spyware": the rogue security product, which will remove it for a fee. The entire scheme is designed to get the user's money, and all components must be removed to neutralize the threat.
Additional characteristics of this threat:
-the threat uses semi-polymorphic file names
-the threat is not self-replicating (non-viral) and must be "manually" installed
-the threat is multi-component
This threat alters the user's desktop and registry. To restore the system's background and screensaver, the user has to edit the registry manually as described below, after performing a full scan with CA Anti-Spyware (if the trojan is still running it will simply re-apply these settings):
Warning: CA encourages users to back up their registry before making any changes. To back up the registry, please refer to Microsoft's documentation on backing up and restoring the registry. The registry is critical to the proper function of the operating system, and incorrect changes can result in a variety of problems such as loss of data, programs that no longer work, etc.
1. Click Start
2. Click Run
3. Type regedit
4. Click OK.
5. Navigate to the following registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Delete the following registry values under this subkey:
• "NoDispBackgroundPage"
• "NoDispScrSavPage"
6. Navigate to and delete the following registry subkey:
HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver
7. Navigate to the following registry key:
HKEY_CURRENT_USER\Control Panel\Colors
And set the value data of the following value to null by clicking on it and deleting its contents:
"Background"
8. Exit the Registry Editor.
After performing the above steps, the Desktop and Screen Saver tabs should be visible again in the Display Properties window (right-click the desktop and then click Properties in the context menu). From there, the user can restore any previous wallpaper and screensaver settings.
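The same restoration as a PowerShell script, added here as an example; it is not a CA tool and is not part of the original write-up. It uses only the registry paths and value names from steps 5 to 7 above, follows the warning by exporting each affected key to a .reg file before touching it, and reports whether the indicators are still present afterwards. The backup folder name and the Get-FakeAlertIndicators helper are this example's own assumptions.

```powershell
# Added example, not CA's own tool: reverses the desktop/screensaver lockdown
# described in steps 5 to 7 from PowerShell instead of regedit. Only the registry
# paths and value names from the write-up are used; the backup folder name and the
# helper function are this example's own choices.

$policyKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$bsodKey      = 'HKCU:\Software\Sysinternals\Bluescreen Screen Saver'
$colorsKey    = 'HKCU:\Control Panel\Colors'
$policyValues = 'NoDispBackgroundPage', 'NoDispScrSavPage'

# The two policy values and the planted "Bluescreen Screen Saver" key are the
# indicators. The Background colour string is cleared unconditionally (step 7)
# because a clean system also carries a value there, so it is not a signal.
function Get-FakeAlertIndicators {
    $found = @()
    if (Test-Path $policyKey) {
        $props = Get-ItemProperty -Path $policyKey
        foreach ($name in $policyValues) {
            if ($null -ne $props.$name) { $found += "$policyKey\$name = $($props.$name)" }
        }
    }
    if (Test-Path $bsodKey) { $found += $bsodKey }
    return $found
}

# Back up every key we are about to touch (the write-up's warning).
# reg.exe needs the native HKCU\ form, not the PowerShell HKCU:\ provider path.
$backupDir = Join-Path $env:USERPROFILE 'fakealert-regbackup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
foreach ($key in $policyKey, $bsodKey, $colorsKey) {
    if (-not (Test-Path $key)) { continue }
    $native = $key -replace '^HKCU:\\', 'HKCU\'
    $file   = Join-Path $backupDir (($key.Split('\')[-1] -replace '\s', '_') + '.reg')
    if (Test-Path $file) { Remove-Item $file -Force }   # avoid reg.exe's overwrite prompt
    & reg.exe export $native $file | Out-Null
}

$before = Get-FakeAlertIndicators
if (-not $before) {
    Write-Host 'No FakeAlert desktop-policy indicators present; nothing to undo.'
    return
}
$before | ForEach-Object { Write-Host "Found: $_" }

# Step 5: delete the two policy values that hide the Desktop and Screen Saver tabs.
foreach ($name in $policyValues) {
    Remove-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue
}
# Step 6: delete the screensaver key the trojan planted.
if (Test-Path $bsodKey) { Remove-Item -Path $bsodKey -Recurse -Force }
# Step 7: empty the Background value (the write-up empties it rather than deleting it).
Set-ItemProperty -Path $colorsKey -Name Background -Value ''

# Verify. Anything still listed means the trojan is still running and re-applying
# its policy, so the scan has to be repeated before the registry fix will hold.
$after = Get-FakeAlertIndicators
if ($after) { $after | ForEach-Object { Write-Warning "Still present: $_" } }
else { Write-Host 'Desktop and Screen Saver tabs should now be visible in Display Properties.' }
```

Run it in the affected user's own session, since every key lives under HKEY_CURRENT_USER, and only after the full scan; if the "Still present" warning appears, or the values come back after a reboot, the FakeAlert components are still active and the registry edit alone will not hold. The exported .reg files in the backup folder can be double-clicked to restore the previous state if something else depended on those settings.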
Alias
FraudTool.Win32.XPAntivirus.lq [Kaspersky]
FraudTool.Win32.AntivirusXP2008 [Kaspersky]
Trojan.Blusod [Symantec]
Trojan:Win32/XPAntiVirus [MS OneCare]
TROJ_FAKEAV [TREND]
Generic PUP [McAfee]
Category
Rogue Security Software: Security software that uses deceptive means for installation and purpose. Once installed, the rogue software usually uses scare tactics to tell the user that spyware or malware is installed on their system. The rogue security software then claims to offer remediation in exchange for payment. These applications can come bundled with other malware that serves other purposes. This software usually comes in the form of anti-spyware or anti-virus applications.
Immediate Protection Info

DAT Release | Product              | DAT Version (MM DD YYYY)
------------|----------------------|-------------------------
Original    | CA Antispyware v9    | 07 16 2008
Original    | eTrust PestPatrol v5 | 07 18 2008
Original    | eTrust PestPatrol v8 | 07 18 2008
Original    | eTrust PestPatrol v4 | 01 11 2007
Original    | CA Antispyware v9    | 02 17 2009
Latest      | eTrust PestPatrol v5 | 07 09 2009
Latest      | eTrust PestPatrol v8 | 07 09 2009
Latest      | eTrust PestPatrol v4 | 01 11 2007
Latest      | CA Antispyware v9    | 11 03 2009