Mal/FakeAV-BT

Category: Viruses and Spyware
Type: Malicious behavior
Prevalence: Small Number of Reports
Protection available since: 26 Nov 2009 18:13:05 (GMT)
Last Updated: 13 Jul 2010 07:18:06 (GMT)


Mal/FakeAV-BT is a family of fake anti-virus programs, also known as 'scareware', and the Trojans which install them. As of April 2010 there are over 20,000 known members of this family.

Mal/FakeAV-BT is distributed by various means, including messaging and email.

Members of the Mal/FakeAV-BT family typically display some or all of the following behaviors:
 - run automatically
 - copy themselves to the <Windows> or <System> folder
 - install other malware in the <Windows> or <System> folder
 - access the internet and communicate with a remote server via HTTP
 - add registry entries so that the malware runs automatically

Members of Mal/FakeAV-BT have been known to copy themselves to the following locations:

<User>\Application Data\Microsoft\Windows Defender\av.exe
<User>\Application Data\Microsoft\Windows Defender\ave.exe
<User>\Application Data\Microsoft\Windows Defender\MSASCui.exe
<User>\Application Data\Microsoft\Windows Defender\vma.exe
<User>\Application Data\av.exe
<User>\Application Data\ave.exe
<User>\Application Data\avG\av.exe
<User>\Application Data\avG\ave.exe
<User>\Application Data\avG\MSASCui.exe
<User>\Application Data\avG\vma.exe
<User>\Application Data\MSASCui.exe
<User>\Application Data\vma.exe
<User>\Local Settings\Application Data\Microsoft\Windows Defender\av.exe
<User>\Local Settings\Application Data\Microsoft\Windows Defender\ave.exe
<User>\Local Settings\Application Data\Microsoft\Windows Defender\MSASCui.exe
<User>\Local Settings\Application Data\Microsoft\Windows Defender\vma.exe
<User>\Local Settings\Application Data\av.exe
<User>\Local Settings\Application Data\ave.exe
<User>\Local Settings\Application Data\avG\av.exe
<User>\Local Settings\Application Data\avG\ave.exe
<User>\Local Settings\Application Data\avG\MSASCui.exe
<User>\Local Settings\Application Data\avG\vma.exe
<User>\Local Settings\Application Data\MSASCui.exe
<User>\Local Settings\Application Data\vma.exe
<User>\Templates\av.exe
<User>\Templates\ave.exe
<User>\Templates\avG\av.exe
<User>\Templates\avG\ave.exe
<User>\Templates\avG\MSASCui.exe
<User>\Templates\avG\vma.exe
<User>\Templates\MSASCui.exe
<User>\Templates\vma.exe
<Temp>\av.exe
<Temp>\ave.exe
<Temp>\avG\av.exe
<Temp>\avG\ave.exe
<Temp>\avG\MSASCui.exe
<Temp>\avG\vma.exe
<Temp>\MSASCui.exe
<Temp>\vma.exe

They also set the following registry entries, which affect internet security (Windows Firewall policy):

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
    DoNotAllowExceptions = 0x00000000
    DisableNotifications = 0x00000001

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    DoNotAllowExceptions = 0x00000000
    DisableNotifications = 0x00000001
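As an added, read-only triage check for the indicators listed above (this is example code, not part of the Sophos advisory or its tooling), the script below assumes a Windows host where <User>\Application Data, <User>\Local Settings\Application Data, <User>\Templates and <Temp> resolve to %APPDATA%, %LOCALAPPDATA%, %USERPROFILE%\Templates and %TEMP% respectively.

```powershell
# Added triage check, not Sophos tooling. Assumes the advisory's <User> and
# <Temp> placeholders map to the current user's profile folders and %TEMP%;
# it only reads and reports, it changes nothing.
function Test-FakeAvBtIndicators {
    $findings = @()

    # 1. Firewall policy values from the advisory. DoNotAllowExceptions=0 keeps
    #    firewall exceptions allowed; DisableNotifications=1 silences the
    #    "Windows Firewall has blocked a program" prompts.
    $fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    $weak = @{ DoNotAllowExceptions = 0; DisableNotifications = 1 }
    foreach ($fwProfile in 'DomainProfile', 'StandardProfile') {
        $key = "$fwBase\$fwProfile"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $weak.Keys) {
            if ($null -ne $props.$name -and $props.$name -eq $weak[$name]) {
                $findings += "Firewall policy weakened: $fwProfile\$name = $($props.$name)"
            }
        }
    }

    # 2. Drop locations. Each base folder is checked directly and under the
    #    subfolders the advisory lists, for the four file names it names.
    $names = 'av.exe', 'ave.exe', 'MSASCui.exe', 'vma.exe'
    $layout = @(
        @{ Base = $env:APPDATA;      Subs = 'Microsoft\Windows Defender', '', 'avG' },
        @{ Base = $env:LOCALAPPDATA; Subs = 'Microsoft\Windows Defender', '', 'avG' },
        @{ Base = (Join-Path $env:USERPROFILE 'Templates'); Subs = '', 'avG' },
        @{ Base = $env:TEMP;         Subs = '', 'avG' }
    )
    foreach ($entry in $layout) {
        foreach ($sub in $entry.Subs) {
            $dir = if ($sub) { Join-Path $entry.Base $sub } else { $entry.Base }
            foreach ($name in $names) {
                $path = Join-Path $dir $name
                if (Test-Path -LiteralPath $path -PathType Leaf) {
                    $findings += "Suspicious file present: $path"
                }
            }
        }
    }
    return $findings
}

Test-FakeAvBtIndicators
```

A hit on the firewall values alone is not proof of infection, since administrators can set them legitimately; treat it as a prompt to examine the host, and confirm any file hit with a current scanner before removal.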
