[virusinfo] Troj/FakeAle-D

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Fri, 03 Jun 2005 08:43:19 -0700

From: Sophos Alert System:

Name: Troj/FakeAle-D
Aliases: TROJ_AGENT.SN, Trojan.Desktophijack, StartPage-DU,
Trojan.Downloader.Small-530, Trojan-Downloader.Win32.Agent.le,
W32/FakeAlert.L
Type: Trojan
Date: 3 June 2005

Sophos has issued protection for Troj/FakeAle-D.

At the time of writing, Sophos has received no reports from
users affected by this Trojan. However, we have issued this
advisory following enquiries to our support department from
customers.

Customers using EM Library, Enterprise Console, PureMessage or
any of our Sophos small business solutions will be automatically
protected at their next scheduled update.


Information about Troj/FakeAle-D can be found at:
http://www.sophos.com/virusinfo/analyses/trojfakealed.html

Troj/FakeAle-D is a Windows Trojan.

Troj/FakeAle-D includes functionality to change browser settings and display a
fake message as your Windows Desktop background image. The image shows a blue
screen and the following text:

  Security warning
  A fatal error in IE has occured at 0028:C0011E36 in VXD VMM(01) +
  00010E36. Error was caused by Trojan-Spy.HTML.Smitfraud.c
  * System can not function in normal mode.
  Please check you security settings.
  * Scan your PC with any avaliable antivirus / spyware remover
  program to fix the problem.
When Troj/FakeAle-D is installed the following files are created:

  <System>\wldr.dll
  <Root>\wp.bmp
  <Root>\wp.exe

The file wp.exe is detected as Troj/FakeAle-A. These files may be deleted.

The following registry entry is created to run wp.exe on startup:

  HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    WindowsFY = <Root>\wp.exe

The file wldr.dll is registered as a COM object and plugin, creating registry
entries under:

  HKCU\Software\Microsoft\Internet Explorer\Extensions\(random ClassID1)
    ButtonText      = Microsoft AntiSpyware helper
    Default Visible = No
    HotIcon         = Shell32.dll,128
    MenuStatusBar   = Shell32.dll,241
    MenuText        = Microsoft AntiSpyware helper
    ToolTip         = Microsoft AntiSpyware helper
    ImageFilename   = Shell32.dll
    clsid           = (random ClassID1)
    BandCLSID       = (random ClassID2)

  HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\(random ClassID1)
    clsid           = (random ClassID1)
    BandCLSID       = (random ClassID2)
    ButtonText      = Microsoft AntiSpyware helper
    Default Visible = No
    HotIcon         = Shell32.dll,128
    MenuStatusBar   = Shell32.dll,241
    MenuText        = Microsoft AntiSpyware helper
    ToolTip         = Microsoft AntiSpyware helper
    ImageFilename   = (random ClassID4)

  HKCR\CLSID\(random ClassID1)\InprocServer32
    (default) = <System>\wldr.dll

Registry entries are set as follows:

  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoActiveDesktopChanges = 1

  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    WallpaperStyle       = 0
    NoDispBackgroundPage = 1
    NoDispAppearancePage = 1
    Wallpaper            = <Root>\wp.bmp

  HKCU\Control Panel\Desktop
    Wallpaper      = <Root>\wp.bmp
    WallpaperStyle = 0

  HKCU\Software\Microsoft\Internet Explorer\Desktop\Components
    GeneralFlags = 0

  HKCU\Control Panel\Colors
    Background = 0 0 0

Troj/FakeAle-D also changes the following sections in <Windows>\win.ini:

  [Colors]
  Background = 0 0 0

  [DeskTop]
  Wallpaper=<Root>\wp.bmp
  WallpaperStyle=2

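Added example, not from Sophos or the original post: a read-only PowerShell audit that checks a host for the indicators listed in the advisory above (dropped files, the WindowsFY Run value, the IE extension lure strings, any CLSID whose in-process server is wldr.dll, the wallpaper-locking policy values and the win.ini change). File names, value names and paths come from the advisory; resolving <System> and <Root> from the environment is an assumption about what the advisory's placeholders denote.

```powershell
# Added example (not part of the Sophos advisory): audit a Windows host for the
# Troj/FakeAle-D indicators above. Read-only; reports findings, removes nothing.
# Assumption: run in an elevated session; <System> and <Root> resolve as below.
$ErrorActionPreference = 'SilentlyContinue'
$system = [Environment]::SystemDirectory           # <System>, e.g. C:\Windows\System32
$root   = [IO.Path]::GetPathRoot($env:SystemRoot)  # <Root>,   e.g. C:\
$lure   = 'Microsoft AntiSpyware helper'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files
foreach ($f in (Join-Path $system 'wldr.dll'), (Join-Path $root 'wp.bmp'), (Join-Path $root 'wp.exe')) {
    if (Test-Path -LiteralPath $f) { $findings.Add("file present: $f") }
}

# 2. Run-key persistence for wp.exe (value name WindowsFY)
$run = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if ($run.WindowsFY) { $findings.Add("Run value WindowsFY -> $($run.WindowsFY)") }

# 3. IE extension registered under a random CLSID: match on the lure text instead,
#    and find the COM registration by its server DLL rather than by CLSID.
foreach ($hive in 'HKCU:', 'HKLM:') {
    Get-ChildItem "$hive\Software\Microsoft\Internet Explorer\Extensions" | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.ButtonText -eq $lure -or $p.MenuText -eq $lure -or $p.ToolTip -eq $lure) {
            $findings.Add("IE extension with lure text: $hive $($_.PSChildName)")
        }
    }
}
Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' | ForEach-Object {
    $srv = (Get-ItemProperty "$($_.PSPath)\InprocServer32").'(default)'
    if ($srv -and $srv -like '*\wldr.dll') { $findings.Add("COM server $($_.PSChildName) -> $srv") }
}

# 4. Policy and desktop values that pin the fake wallpaper and hide the Display tabs
$pol = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'NoDispBackgroundPage', 'NoDispAppearancePage') {
    if ($pol.$name -eq 1) { $findings.Add("policy $name = 1") }
}
if ($pol.Wallpaper -like '*\wp.bmp') { $findings.Add("policy Wallpaper -> $($pol.Wallpaper)") }
$desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
if ($desk.Wallpaper -like '*\wp.bmp') { $findings.Add("desktop Wallpaper -> $($desk.Wallpaper)") }

# 5. win.ini [DeskTop] section pointing at the dropped bitmap
$ini = Join-Path $env:SystemRoot 'win.ini'
if ((Test-Path $ini) -and (Select-String -Path $ini -Pattern 'wp\.bmp' -Quiet)) {
    $findings.Add("win.ini references wp.bmp")
}

if ($findings.Count) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No Troj/FakeAle-D indicators found.' }
```

The CLSID sweep deliberately ignores the (random ClassID) values and keys on the DLL path, since that is the part of the registration the advisory says is fixed.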

The Troj/FakeAle-D virus identity file (IDE) includes detection for:

Troj/Dloader-OF
http://www.sophos.com/virusinfo/analyses/trojdloaderof.html
Troj/Dloader-OH
http://www.sophos.com/virusinfo/analyses/trojdloaderoh.html
Troj/Dloader-OI
http://www.sophos.com/virusinfo/analyses/trojdloaderoi.html
W32/Oscabt-Gen
http://www.sophos.com/virusinfo/analyses/w32oscabtgen.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, 
who are not running EM Library, can manually download the IDE
for Troj/FakeAle-D from:

http://www.sophos.com/downloads/ide/fakeal-d.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE"S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
