high
Summary
Summary
Action- More Information
| Affected operating systems | Windows |
|---|---|
| Characteristics |
|
| Protection available since | 4 April 2008 23:45:57 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing Trojans.
More Information
Troj/FakeAv-J is fake anti-spyware software for the Windows platform.
Troj/FakeAv-J creates dummy installations of known adware/spyware such as "180solutions" and changes the computer wallpaper to display the following message:
'Warning: Spyware threat has been detected on your PC.
Your computer has several fatal errors due to spyware activity.
It is strongly recommended to install an antispyware software to close all security vulnerabilities.
Antispyware software helps protect your PC against spyware and other security threats.
CLICK HERE TO SCAN YOUR PC FOR SPYWARE...'
When the user clicks the link a web page is opened containing links to download / buy fake antispyware software.
When first run Troj/FakeAv-J copies itself to the Windows system folder as:
<System>\sbwltbxa.exe
and changes/sets the following registry entries to run itself on startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
,<pathname of the Troj/FakeAv-J executable>,
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<pathname of the Troj/FakeAv-J executable>,
The following registry entries are set, disabling system software:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
1
Troj/FakeAv-J drops the file <Windows>\default.htm and uses it to set the wallpaper by setting the registry entry:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General
Wallpaper
<Windows>\default.htm
|
