Antispyware Soft is a variant of Win32/FakeSpypro, a family of programs that claim to scan for malware and display fake warnings of "malicious programs and viruses". They then inform the user that they need to pay money to register the software in order to remove these non-existent threats.
Installation
Trojan:Win32/FakeSpypro may be installed from the program's web site or by social engineering from third party web sites.
When distributed as Antispyware Soft, Win32/FakeSpypro creates a folder under %USERPROFILE%\Local Settings\Application Data with a randomly generated name and copies the fake scanner with a random file name into this folder, as in the following example:
%USERPROFILE%\Local Settings\Application Data\upgkhjyxs\xaxiinjtssd.exe
Note: %USERPROFILE% refers to a variable location that the malware determines by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Documents and Settings\<user> or C:\Users\<user>; for XP, Vista, and 7 it is C:\Users\<user name>.
The registry is modified to ensure that the fake scanner is executed at each Windows start.
Adds value: "<random letters>" (for example, "fqjxtoxp")
With data: "%USERPROFILE%\Local Settings\Application Data\upgkhjyxs\xaxiinjtssd.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "<random letters>" (for example, "fqjxtoxp")
With data: "%USERPROFILE%\Local Settings\Application Data\upgkhjyxs\xaxiinjtssd.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
It also creates the following registry subkeys for its own use:
HKCU\Software\AVSuite
HKCU\Software\avsoft
Payload
Displays false/misleading malware alerts
When run, the malware performs a fake scan of the system, and falsely claims that a number of files on the system are infected with malware. Should users request that Antispyware Soft clean the reported infections, the program advises them that they need to pay money to register in order for it to do so.
Please see below for examples of interface, fake alerts, false scanning results, and pop ups used by Win32/FakeSpypro when distributed as Antispyware Soft:
Lowers computer security settings
Trojan:Win32/FakeSpypro modifies Windows settings that lower computer security, for example, it:
- Disables the warning message displayed when downloading executables that are not digitally signed
Adds value: "CheckExeSignatures"
With data: "no"
To subkey: HKCU\Software\Microsoft\Internet Explorer\Download
- Adds executable files as a "low risk file type" such that a warning message is not displayed when downloading files with extension ".exe"
Adds value: "LowRiskFileTypes"
With data: "2E 00 65 00 78 00 65 00 00 00" (".exe")
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
- Allows software to run or install even if the signature is invalid
Adds value: "RunInvalidSignatures"
With data: "1"
To subkey: HKCU\Software\Microsoft\Internet Explorer\Download
- Prevents Windows from zone-marking files when downloaded from the Internet
Adds value: "SaveZoneInformation"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
Blocks executables from running
Trojan:Win32/FakeSpypro blocks any executable from running and displays a misleading message that the requested application is infected.
The Trojan can display the following alert as a pop-up and in the system tray.
Blocks Web browsing
Trojan:Win32/FakeSpypro modifies the registry so that the trojan runs as its own proxy server to manage Internet browsing.
Adds value: "ProxyServer"
With data: "http=127.0.0.1:5555"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
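To make the settings listed above checkable on a suspect machine, here is an added example (not part of the original analysis) that parses an exported .reg fragment and flags the weakened download settings and the loopback proxy. The .reg sample is constructed from the values on this page; the DWORD and REG_BINARY value types are assumptions.

```python
# Constructed .reg export fragment modelled on the settings described above: value
# names and data come from the page, the DWORD / REG_BINARY types are assumed.
SAMPLE_REG = r'''[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
"RunInvalidSignatures"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=hex:2e,00,65,00,78,00,65,00,00,00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=127.0.0.1:5555"
'''
HKCU = 'HKEY_CURRENT_USER\\Software\\Microsoft\\'
# (subkey, value name) -> data the page reports the rogue writing there
WEAKENED = {
    (HKCU + 'Internet Explorer\\Download', 'CheckExeSignatures'): 'no',
    (HKCU + 'Internet Explorer\\Download', 'RunInvalidSignatures'): 1,
    (HKCU + 'Windows\\CurrentVersion\\Policies\\Attachments', 'SaveZoneInformation'): 1,
}
def parse_reg(text):
    """Map (key, name) -> value; dword: becomes int, hex: is decoded as UTF-16LE."""
    values, key = {}, None
    for line in text.splitlines():
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif key and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            if data.startswith('dword:'):
                values[(key, name)] = int(data[6:], 16)
            elif data.startswith('hex:'):   # REG_BINARY holding a UTF-16LE string
                raw = bytes.fromhex(data[4:].replace(',', ''))
                values[(key, name)] = raw.decode('utf-16-le').rstrip('\x00')
            else:                           # quoted REG_SZ with \\ escapes
                values[(key, name)] = data.strip('"').replace('\\\\', '\\')
    return values

def find_indicators(text):
    """List the settings in a .reg export that match the page's description."""
    vals, findings = parse_reg(text), []
    for (key, name), bad in WEAKENED.items():
        if vals.get((key, name)) == bad:
            findings.append(f'{name}={bad!r} lowers download security')
    low = vals.get((HKCU + 'Windows\\CurrentVersion\\Policies\\Associations', 'LowRiskFileTypes'), '')
    if '.exe' in low.lower().split(';'):
        findings.append('.exe listed in LowRiskFileTypes')
    proxy = vals.get((HKCU + 'Windows\\CurrentVersion\\Internet Settings', 'ProxyServer'), '')
    if proxy.startswith('http=127.0.0.1:'):
        findings.append('browser traffic forced through loopback proxy ' + proxy)
    return findings
```

On a live host, feed it the output of `reg export HKCU\Software\Microsoft <file>` and remediate any value it reports, then remove the Run entries and the AVSuite/avsoft subkeys described above.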
The trojan allows the user to run a Web browser such as Internet Explorer, but any attempts to visit Web sites result in the display of a false "Internet Explorer Warning" message such as the following:
Promotes purchase via Windows Security Center
Trojan:Win32/FakeSpypro launches Windows Security Center and redirects the user to the trojan's own purchase Web site if the user clicks the "How does antivirus software help protect my computer" hyperlink in the "Virus Protection" section.
If the user clicks the "Recommendations..." button, the "Recommendation" window is displayed. If the user clicks any of the hyperlinks displayed in the window below, Trojan:Win32/FakeSpypro will launch Internet Explorer and visit the site "protect-ware.net" to recommend purchasing the rogue.
At the time of writing, Trojan:Win32/FakeSpypro redirected to "protect-ware.net" to recommend purchasing the rogue, as seen in the image below.
Displays pop ups
This distribution of Trojan:Win32/FakeSpypro periodically launches Internet Explorer and connects to one of the websites listed below, some of which include content of a sexually explicit nature.
www.viagra.com
www.porno.org
www.porno.com
www.adult.com
The following alert is also displayed along with these pop ups:
Downloads and executes arbitrary files
This distribution of Trojan:Win32/FakeSpypro can download an executable file onto the affected computer. At the time of writing, the downloaded file was detected as the threat Backdoor:Win32/Nuwar.A.
Analysis by Amir Fouda and Patrick Nolan