Win32/FakeAV Family

What is Win32/FakeAV Family?

Win32/FakeAV is a family of trojans disguised as legitimate anti-virus and anti-spyware software. FakeAV variants prompt the user with false warnings, popups, and fake scan results, and may also download additional malware.

Aliases

Downloader.Win32.Agent (Kaspersky)
FakeAlert (McAfee)
Trojan.Desktophijack (Symantec)
Troj/FakeAV (Sophos)
Trojan.Fakeavalert (Symantec)
TrojanDownloader:Win32/FakeRean (MS OneCare)
Troj/FakeVir (Sophos)
TROJ_PAKES (Trend)
VirusRemover2008 (Symantec)
TrojanDownloader:Win32/Renos (MS OneCare)
TROJ_RENOS (Trend)
TROJ_SMALL (Trend)
FraudTool.Win32.VirusRemover (Kaspersky)
FraudTool.Win32.XPAntivirus (Kaspersky)

 

How does it affect your PC?

Win32/FakeAV variants are usually downloaded onto a system by Win32/FakeAlert and Win32/Bugnraw variants. Upon execution, Win32/FakeAV variants usually create an entry in the Start Menu and a desktop shortcut like those below:

%Documents and Settings%\<username>\Desktop\XP Antivirus 2008.lnk
%Documents and Settings%\<username>\Start Menu\XP Antivirus 2008\Uninstall XP Antivirus 2008.lnk
%Documents and Settings%\<username>\Start Menu\XP Antivirus 2008\XP Antivirus 2008.lnk

Example of menu created by Win32/FakeAV variants

%Documents and Settings%\All Users\Start Menu\Programs\XP_Antispyware\Uninstall.lnk 
%Documents and Settings%\All Users\Start Menu\Programs\XP_Antispyware\XP_Antispyware.lnk 

Note: %Documents and Settings% is a variable location and refers to the location of the Documents and Settings folder. The malware determines the location of the current Documents and Settings folder by querying the operating system. A typical location for this folder is C:\Documents and Settings.
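
An added example, not part of the original write-up: a Python check that looks in every profile folder under a Documents and Settings root for the shortcut files listed above. It goes slightly beyond the text by testing all five paths in every profile. The function names, the case-insensitive matching and the sample profiles (alice, bob) are assumptions made for the illustration.

```python
import sys
import tempfile
from pathlib import Path

# Shortcut paths quoted in the write-up, relative to one profile folder.
INDICATORS = [
    ("Desktop", "XP Antivirus 2008.lnk"),
    ("Start Menu", "XP Antivirus 2008", "Uninstall XP Antivirus 2008.lnk"),
    ("Start Menu", "XP Antivirus 2008", "XP Antivirus 2008.lnk"),
    ("Start Menu", "Programs", "XP_Antispyware", "Uninstall.lnk"),
    ("Start Menu", "Programs", "XP_Antispyware", "XP_Antispyware.lnk"),
]

def resolve_ci(base, parts):
    """Walk parts under base, matching names case-insensitively as NTFS does."""
    cur = Path(base)
    try:
        for part in parts:
            cur = next(e for e in cur.iterdir() if e.name.lower() == part.lower())
    except (OSError, StopIteration):  # unreadable, not a directory, or no such name
        return None
    return cur

def scan(docs_root):
    """Return (profile, shortcut path) for every listed shortcut that exists.

    docs_root is passed in because the folder's location varies per system."""
    root = Path(docs_root)
    profiles = sorted(p for p in root.iterdir() if p.is_dir()) if root.is_dir() else []
    hits = []
    for profile in profiles:
        for parts in INDICATORS:
            found = resolve_ci(profile, parts)
            if found is not None and found.is_file():
                hits.append((profile.name, "\\".join(parts)))
    return hits

def demo():
    """Scan a constructed tree: one clean profile, two with empty planted .lnk files."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("alice/Desktop/notes.txt", "bob/desktop/xp antivirus 2008.lnk",
                    "All Users/Start Menu/Programs/XP_Antispyware/Uninstall.lnk"):
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.touch()
        return scan(root)

if __name__ == "__main__":
    # Pass the profiles root as an argument; with none, run the constructed sample.
    for user, shortcut in (scan(sys.argv[1]) if len(sys.argv) > 1 else demo()):
        print(f"{user}: {shortcut}")
```

A hit only shows that a shortcut with a listed name exists; the trojan itself still has to be found and cleaned by the scanner.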


Downloads Additional Malware

Win32/FakeAV variants download and execute other malware by connecting to remote domains.

Displays Fake Warnings

Win32/FakeAV variants display various imitations of the Windows Security Center and Windows Security Alerts, tricking users into enabling and buying the rogue anti-virus program.

Displays Popups

FakeAV also shows deceptive messages in menu balloon pop-ups.

 

How to remove FakeAV Family?

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations