Installation
Win32/FakeScanti is typically downloaded and installed by an installer component, also detected as Win32/FakeScanti. This downloads a self-extracting archive to a location in your PC such as:
It extracts the files into your PC. The installer component then runs one of the extracted files to start Win32/FakeScanti:
Note that some of the extracted files might include clean Microsoft DLL files, which this threat needs to run properly.
The installer also adds a shortcut to the Start menu, and a desktop shortcut that might look like the following:
Once the installer has completed, it deletes itself.
When first run, Win32/FakeScanti extracts files to the %ProgramFiles% folder, with names like the following:
- alggui.exe
- adc32.dll or adc_w32.dll
- svchost.exe
or
- conhost.exe
- csrss.exe
- shk_v10.dll
Earlier variants extract their files under any of these names in your PC:
They then drop these files into the same folder they extracted files to earlier:
- wf.conf
- OpenCloud Antivirus.ico
It might periodically rewrite some of these files to prevent them from being removed.
It also writes a self-extracting archive to a file like %ProgramFiles%\<product name>\tmp\dbsinit.exe. The contents of the file are extracted and moved to one of these folders:
The extracted files consist of an HTML file and a number of image files, which are used to create an image of a fake Security Center window (see Payload below). The HTML file and archive might be detected as Win32/FakeScanti.
This threat might also write configuration information to the following files:
Earlier versions might use these file names:
Payload
Displays fake antivirus scanner
When run, the malware does a fake scan of the system, and falsely claims that files in your PC are infected with malware. It then tells you that, to remove these fake threats, you need to register the program and pay for it.
When a fake scan "finishes", this threat displays a message like this:
Trying to repair the files will result in the display of dialog boxes like these:
You might see this dialog box if scanning is interrupted:
If you don't want to activate the product, it shows you this:
If you start the activation process, it displays a page with this banner:
Shows fake Windows Security Center
This threat periodically displays a window that's intended to imitate the Windows Security Center. Clicking on any of the links in this window causes the fake scanner to be re-launched:
Prevents other files from running
If you try to run other applications, this threat tries to stop them from running. It displays a message box with the following message:
It does this by adding a registry entry like the following:
In subkey: HKLM\SOFTWARE\Classes\exefile\shell\open\command
Sets value: "(default)"
With data: "%ProgramFiles%\alggui.exe "%1" %*"
This associates files with an EXE extension with the FakeScanti component alggui.exe. Whenever you try to run an executable file, alggui.exe is run instead, with the name of the executable passed to it as a command line parameter.
This threat then checks this parameter to decide whether to let the program run. It will then either launch the requested program, or block it. If it decides to block it, it displays a message box similar to that shown above. One sample viewed at the time of publication blocked running all executables except those with file names containing these strings:
- Sysinternals Antivirus.exe
- IEXPLORE.EXE
- iexplore.exe
- dbsinit.exe
- av_remove.exe
- lib32_
- 2945
- exe.exe
- 272-new.exe
- 01.exe
- word.exe
- server.exe
- 423ewq3.exe
Note: No programs are blocked unless the malware's scanner window is open.
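The following script is an added example for checking a PC for the EXE association change described above; it is not part of this analysis. It reads the exefile\shell\open\command key, reports any handler inserted in front of EXE launches, and can restore the stock value when run with -Restore. The HKCU key path is an assumption added here (Windows checks the per-user Classes key before the machine-wide one); the HKLM path and the alggui.exe name come from the analysis.

```powershell
# Added example, not part of the original analysis: inspect the EXE file
# association that Win32/FakeScanti rewrites, report a hijack, and optionally
# restore the stock value. Run from an elevated prompt after the malware
# process has been stopped, otherwise it may simply rewrite the key again.
param([switch]$Restore)

$stockCommand = '"%1" %*'   # what a clean Windows install has here
$keyPaths = @(
    'HKLM:\SOFTWARE\Classes\exefile\shell\open\command',  # key named in the analysis
    'HKCU:\Software\Classes\exefile\shell\open\command'   # per-user override (assumed check)
)

function Get-HandlerPath([string]$command) {
    # Pull the program that actually gets launched out of a shell command string.
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($command -split '\s+')[0]
}

foreach ($key in $keyPaths) {
    if (-not (Test-Path $key)) {
        Write-Output "$key : not present (normal for the HKCU key)"
        continue
    }
    $current = (Get-Item -Path $key).GetValue('')
    if ($current -eq $stockCommand) {
        Write-Output "$key : OK ($current)"
        continue
    }
    if ([string]::IsNullOrEmpty($current)) {
        Write-Warning "$key : default value is empty; EXE files may not launch at all"
    } else {
        # Anything else means some program is inserted in front of every EXE launch.
        $handler = Get-HandlerPath $current
        Write-Warning "$key : EXE launches are routed through '$handler' (value: $current)"
        if ($handler -like '*alggui.exe') {
            Write-Warning 'Handler name matches the Win32/FakeScanti component described above.'
        }
    }
    if ($Restore) {
        Set-ItemProperty -Path $key -Name '(default)' -Value $stockCommand
        Write-Output "$key : restored to $stockCommand"
    }
}
```

If the hijack is active, start PowerShell from a Command Prompt or in Safe Mode, since cmd.exe launches executables directly rather than through the exefile association.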
Displays pop-ups
This threat might periodically display a pop-up balloon like these, which suggest that your PC is being attacked:
It might also display pop-up balloons from the system tray, like the following:
Clicking on any of these causes the fake scanner to be re-launched. It might also periodically display pop-ups like these:
Changes desktop background
At some time after they are first launched, earlier versions of the malware add the following text to your desktop background:
DANGER!!!
Your PC is INFECTED!
Attention!!!
Such infection will cause permanent loss of all information stored on your PC: documents, files, etc.
All your secret data like logins, passwords, credit card information can be accessed by third-parties for malicious purposes.
All your online activities like sending e-mails, visiting web-sites are logged and stored on your hard disk.
Spyware blocks the deletion of such information from your PC and makes your online actions traceable.
PROTECT YOURSELF!
DELETE SPYWARE FROM YOUR PC RIGHT NOW!
The threat does this by changing the file %APPDATA%\Microsoft\Internet Explorer\Desktop.htt, using the contents of files earlier written to <system folder>\onhelp.htm and <system folder>\sonhelp.htm.
Displays fake error messages
This threat periodically displays the following dialog box, which tries to pass itself off as a Windows system error message:
If the user clicks the Fix it button, the fake scanner is re-launched. The other buttons do not appear to have any effect.
Reboots PC
This threat occasionally reboots your PC.
Blocks access to websites
This threat might display the following pop-up and block access to websites you're trying to visit. It might show the following fake dialog box, to try to convince you that you're visiting a malicious website and that you need to take the recommended action:
Stops security programs
It might try to stop and/or uninstall security software from the following companies:
- Microsoft (Windows Defender/Security Essentials)
- Norton
- Avira
- AVG
- ESET
- DrWeb
- Kaspersky
- Bitdefender
- McAfee
Analysis by David Wood