Win32/TrojanDownloader.FakeAlert [Threat Name]

Win32/TrojanDownloader.FakeAlert.BGV [Threat Variant Name]

Category trojan
Size 133120 B
Detection created Nov 29, 2010
Detection database version 10135
Aliases TrojanDownloader:Win32/Renos.PT (Microsoft)
  Downloader-CEW.au (McAfee)
  Trojan.FakeAV!gen63 (Symantec)
Short description

Win32/TrojanDownloader.FakeAlert.BGV is a trojan that prevents access to certain websites and reroutes traffic to certain IP addresses.

Installation

When executed, the trojan copies itself into the following location:

  • %windir%\%variable%.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "(Default)" = "%windir%\%variable%.exe"

A string with variable content is used instead of %variable%.

The trojan schedules a task that causes the following file to be executed repeatedly:

  • %windir%\%variable%.exe

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    • "Disable script debugger" = "yes"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones]
    • "1601" = 0

After the installation is complete, the trojan deletes the original executable file.

Other information

Win32/TrojanDownloader.FakeAlert.BGV acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 8 URLs and communicates with them over HTTP.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • block access to specific websites
  • open a specific URL address

The trojan sends HTTP requests to simulate clicks on banner advertisements, to inflate web counter statistics, etc.

The trojan checks for Internet connectivity by trying to connect to the following addresses:

  • wikileaks.org
  • articlesbase.com
  • 10086.cn

The trojan keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\Software\W1WIWQ1NPG]

It can send various information about the infected computer.
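The artifacts listed in the Installation and Other information sections above (the Run key's default value, a scheduled task running an executable straight from %windir%, the two Internet Explorer settings, and the HKEY_CURRENT_USER\Software\W1WIWQ1NPG key) can be checked from a single read-only triage script. The script below is an added example, not ESET's code; the function names are my own, it assumes it runs in the profile of the affected user (all of the entry's keys live under HKEY_CURRENT_USER) on a Windows build that ships the ScheduledTasks module (Windows 8 / Server 2012 and later), and it reports candidates for review rather than delivering a verdict.

```powershell
# Added example (not ESET's code): read-only triage check for the artifacts
# this entry lists. Assumes the current user is the affected profile and that
# Get-ScheduledTask is available. Function names are hypothetical.

function Get-FakeAlertBgvIndicators {
    [CmdletBinding()]
    param()

    $windir   = $env:windir
    $findings = [System.Collections.Generic.List[object]]::new()

    function Add-Finding([string]$Indicator, [string]$Value) {
        $findings.Add([pscustomobject]@{ Indicator = $Indicator; Value = $Value })
    }

    # Expands %windir%-style references, strips quoting, and reports whether the
    # path is an .exe sitting directly in %windir% (the entry's %windir%\%variable%.exe).
    function Test-WindirRootExe([string]$Path) {
        if (-not $Path) { return $false }
        $p = [Environment]::ExpandEnvironmentVariables($Path.Trim().Trim('"'))
        return ($p -like '*.exe') -and ((Split-Path -Path $p -Parent) -ieq $windir)
    }

    # 1. Autostart: the Run key's "(Default)" value pointing at %windir%\<name>.exe.
    #    Legitimate autostart entries are named values, so any populated default
    #    value here deserves a look on its own.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path -Path $runKey) {
        $default = (Get-Item -Path $runKey).GetValue('')
        if (Test-WindirRootExe $default) { Add-Finding 'Run key (Default) value' $default }
    }

    # 2. Scheduled task whose action executes an .exe directly in %windir%.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $taskName = $_.TaskName
        foreach ($action in $_.Actions) {
            if (Test-WindirRootExe $action.Execute) {
                Add-Finding "Scheduled task '$taskName' action" $action.Execute
            }
        }
    }

    # 3. The Internet Explorer settings the entry says may be changed.
    $ieMain = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
    if ($ieMain -and $ieMain.'Disable script debugger' -eq 'yes') {
        Add-Finding 'IE Main\Disable script debugger' $ieMain.'Disable script debugger'
    }
    $zones = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones' -ErrorAction SilentlyContinue
    if ($zones -and $null -ne $zones.'1601' -and [int]$zones.'1601' -eq 0) {
        Add-Finding 'Internet Settings\Zones\1601' $zones.'1601'
    }

    # 4. The key the trojan uses to keep its own data.
    $dataKey = 'HKCU:\Software\W1WIWQ1NPG'
    if (Test-Path -Path $dataKey) { Add-Finding 'Data storage key present' $dataKey }

    return $findings
}

# Usage: an empty result means none of the listed artifacts is present for this user.
Get-FakeAlertBgvIndicators | Format-Table -AutoSize
```

The checks deliberately match the shape of the artifacts (an executable directly under %windir%, a default Run value, the exact IE values) rather than any specific file name, because the entry says the file name is variable. To inspect other profiles on the same machine, load their NTUSER.DAT under HKEY_USERS and point the HKCU: paths at that hive instead.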
