From: Sophos Alert System

Name: Troj/FakeAle-D
Aliases: TROJ_AGENT.SN, Trojan.Desktophijack, StartPage-DU, Trojan.Downloader.Small-530, Trojan-Downloader.Win32.Agent.le, W32/FakeAlert.L
Type: Trojan
Date: 3 June 2005

Sophos has issued protection for Troj/FakeAle-D. At the time of writing, Sophos has received no reports from users affected by this Trojan. However, we have issued this advisory following enquiries to our support department from customers.

Customers using EM Library, Enterprise Console, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

Information about Troj/FakeAle-D can be found at:
http://www.sophos.com/virusinfo/analyses/trojfakealed.html

Troj/FakeAle-D is a Windows Trojan.

Troj/FakeAle-D includes functionality to change browser settings and display a fake message as your Windows Desktop background image. The image shows a blue screen and the following text:

    Security warning
    A fatal error in IE has occured at 0028:C0011E36 in VXD VMM(01) + 00010E36.
    Error was caused by Trojan-Spy.HTML.Smitfraud.c
    * System can not function in normal mode. Please check you security settings.
    * Scan your PC with any avaliable antivirus / spyware remover program to fix the problem.

When Troj/FakeAle-D is installed the following files are created:

    <System>\wldr.dll
    <Root>\wp.bmp
    <Root>\wp.exe

The file wp.exe is detected as Troj/FakeAle-A. These files may be deleted.

The following registry entry is created to run wp.exe on startup:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
        WindowsFY          <Root>\wp.exe

The file wldr.dll is registered as a COM object and plugin, creating registry entries under:

    HKCU\Software\Microsoft\Internet Explorer\Extensions\(random ClassID1)
        ButtonText         Microsoft AntiSpyware helper
        Default Visible    No
        HotIcon            Shell32.dll,128
        MenuStatusBar      Shell32.dll,241
        MenuText           Microsoft AntiSpyware helper
        ToolTip            Microsoft AntiSpyware helper
        ImageFilename      Shell32.dll
        clsid              (random ClassID1)
        BandCLSID          (random ClassID2)

    HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\(random ClassID1)
        clsid              (random ClassID1)
        BandCLSID          (random ClassID2)
        ButtonText         Microsoft AntiSpyware helper
        Default Visible    No
        HotIcon            Shell32.dll,128
        MenuStatusBar      Shell32.dll,241
        MenuText           Microsoft AntiSpyware helper
        ToolTip            Microsoft AntiSpyware helper
        ImageFilename      (random ClassID4)

    HKCR\CLSID\(random ClassID1)\InprocServer32
        (default)          <System>\wldr.dll

Registry entries are set as follows:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
        NoActiveDesktopChanges   1

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
        WallpaperStyle           0
        NoDispBackgroundPage     1
        NoDispAppearancePage     1
        Wallpaper                <Root>\wp.bmp

    HKCU\Control Panel\Desktop
        Wallpaper                <Root>\wp.bmp
        WallpaperStyle           0

    HKCU\Software\Microsoft\Internet Explorer\Desktop\Components
        GeneralFlags             0

    HKCU\Control Panel\Colors
        Background               0 0 0

Troj/FakeAle-D also changes the following sections in <Windows>\win.ini:

    [Colors]
    Background = 0 0 0

    [DeskTop]
    Wallpaper=<Root>\wp.bmp
    WallpaperStyle=2

The Troj/FakeAle-D virus identity file (IDE) includes detection for:

    Troj/Dloader-OF  http://www.sophos.com/virusinfo/analyses/trojdloaderof.html
    Troj/Dloader-OH  http://www.sophos.com/virusinfo/analyses/trojdloaderoh.html
    Troj/Dloader-OI  http://www.sophos.com/virusinfo/analyses/trojdloaderoi.html
    W32/Oscabt-Gen   http://www.sophos.com/virusinfo/analyses/w32oscabtgen.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, who are not running EM Library, can manually download the IDE for Troj/FakeAle-D from:
http://www.sophos.com/downloads/ide/fakeal-d.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews, see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
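The advisory above lists the artifacts Troj/FakeAle-D leaves behind (the WindowsFY Run entry, the Policies\System values that hide the Display control panel tabs, the forced wp.bmp wallpaper, the fake "Microsoft AntiSpyware helper" Internet Explorer extension, and the win.ini [DeskTop] change). The script below is an added triage example written for this page; it is not Sophos code and not part of Mike's post. It parses a registry export in the standard .reg text format plus a win.ini and reports which of those indicators are present. Both inputs are constructed samples embedded in the script: the drive-letter paths C:\ stand in for the advisory's <Root> placeholder, and {random ClassID1} stands in for the random GUID, so the same checks work against a real `reg export` of HKCU and a real %WINDIR%\win.ini taken from a suspect machine, offline.

```python
"""Offline triage for the Troj/FakeAle-D indicators in the Sophos advisory.

Added example, not Sophos or MikesWhatsNews code.  Parses a .reg export and a
win.ini and returns the advisory indicators found in them.
"""
import configparser
import re

# Constructed sample of a `reg export HKCU` taken from an affected host.
# C:\ stands in for the advisory's <Root>; {random ClassID1} for the GUID.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsFY"="C:\\wp.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000001
"NoDispAppearancePage"=dword:00000001
"Wallpaper"="C:\\wp.bmp"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{random ClassID1}]
"ButtonText"="Microsoft AntiSpyware helper"
"Default Visible"="No"
"""

# Constructed sample win.ini with the [DeskTop] section the advisory describes.
SAMPLE_WIN_INI = """[Colors]
Background = 0 0 0

[DeskTop]
Wallpaper=C:\\wp.bmp
WallpaperStyle=2
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"=data  or  @=data (the key's default value)
_VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
HKCU = "HKEY_CURRENT_USER\\"


def _unescape(s):
    """Undo .reg string quoting: \\\\ -> \\ and \\" -> \"."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg(text):
    """Return {key_path: {value_name: data}}; dword data becomes int."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1)) if m.group(1) is not None else "(default)"
            data = m.group(2)
            if data.startswith("dword:"):
                data = int(data[len("dword:"):], 16)
            elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def check_indicators(reg, ini):
    """Compare parsed registry/win.ini data against the advisory's indicators."""
    findings = []
    run_key = HKCU + r"Software\Microsoft\Windows\CurrentVersion\Run"
    for name, data in reg.get(run_key, {}).items():
        if isinstance(data, str) and data.lower().endswith("\\wp.exe"):
            findings.append(f"Run entry {name!r} starts {data} (wp.exe is Troj/FakeAle-A)")
    policies = HKCU + r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
    for value in ("NoDispBackgroundPage", "NoDispAppearancePage"):
        if reg.get(policies, {}).get(value) == 1:
            findings.append(f"Policies\\System {value}=1 hides a Display Properties tab")
    for key in (policies, HKCU + r"Control Panel\Desktop"):
        wallpaper = reg.get(key, {}).get("Wallpaper", "")
        if isinstance(wallpaper, str) and wallpaper.lower().endswith("\\wp.bmp"):
            findings.append(f"{key} forces wallpaper {wallpaper}")
    for key, values in reg.items():
        if "\\Internet Explorer\\Extensions\\" in key and \
                values.get("ButtonText") == "Microsoft AntiSpyware helper":
            findings.append(f"IE extension {key} poses as 'Microsoft AntiSpyware helper'")
    if ini.has_section("DeskTop"):
        wallpaper = ini.get("DeskTop", "Wallpaper", fallback="")
        if wallpaper.lower().endswith("\\wp.bmp"):
            findings.append(f"win.ini [DeskTop] Wallpaper={wallpaper}")
    return findings


def scan(reg_text, ini_text):
    """Parse both inputs and return the list of findings (empty when clean)."""
    ini = configparser.ConfigParser(interpolation=None)
    ini.read_string(ini_text)
    return check_indicators(parse_reg(reg_text), ini)


if __name__ == "__main__":
    for finding in scan(SAMPLE_REG, SAMPLE_WIN_INI):
        print("INDICATOR:", finding)
```

Matching on the file name wp.bmp / wp.exe and the exact button text follows the advisory's own indicators; a real export also contains the random ClassID key, which this script reports by path so the corresponding HKCR\CLSID\...\InprocServer32 entry for wldr.dll can be looked up and removed together with the files the advisory names.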