Win32/FakeVimes is a family of programs that claims to scan for malware and displays fake warnings of "malicious programs and viruses". They then inform you that you need to pay money to register the software and remove these non-existent threats. Members of the Win32/FakeVimes family use various file names and system modifications that can differ from one variant to the next. Win32/FakeVimes has been distributed with several different names. The user interface and some other details vary to reflect each variant's individual branding.
Recent variants at the time of publication have used the following names:
- Advanced Antispyware Solution
- Antimalware PC Safety
- Antivirus Smart Protection
- AV Security Essentials
- Best Antivirus Software
- Best Virus Protection
- Home Malware Cleaner
- Home Security Solutions
- Internet Security Guard
- Malware Protection Center
- Smart Anti-Malware Protection
- Strong Malware Defender
- System Protection Tools
- Total Anti Malware Protection
Older variants have used names like the following:
- Best Malware Protection
- Cleanup Antivirus
- Extra Antivirus
- Live PC Care
- Malware Catcher 2009
- My Security Engine
- My Security Shield
- My Security Wall
- Paladin Antivirus
- Security Antivirus
- Security Guard
- Security Master AV
- Smart Engine
- Ultra Antivirus 2009
- Virus Melt
- Windows PC Defender
Installation
Win32/FakeVimes is installed by a downloader, which might also be detected as Rogue:Win32/FakeVimes. This downloads an encrypted copy of the fake scanner, which it decrypts and writes to <commonappdata>\<five random hexadecimal digits>\<first two initials of product name><three random hexadecimal digits>_<four random decimal digits>.exe. An example location for Best Antivirus Software might be <commonappdata>\54fd6\BA3b8_8068.exe. It then launches the fake scanner.
It might copy itself to <commonappdata>\<five random hexadecimal digits>\<first two initials of product name><random digits>.exe (for example, Total Anti Malware Protection might copy itself to <commonappdata>\54fd6\TA239.exe).
It then creates a registry entry so that this copy is run each time Windows starts:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<product name>"
With data: "<location of malware>" /s /d
For example, Total Anti Malware Protection creates the following entry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Total Anti Malware Protection"
With data: "<location of malware>" /s /d (for example, "<commonappdata>\54fd6\TA239.exe" /s /d)
While Best Antivirus Software creates the following:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Best Antivirus Software"
With data: "<location of malware>" /s /d (for example, "<commonappdata>\54fd6\BA3b8_8068.exe" /s /d)
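As an added example (my own code, not part of the original analysis), the following Python snippet checks Run-key entries against the naming pattern described above: a five-hexadecimal-digit folder under the common application data directory, a file name made of the first two product initials followed either by three hexadecimal digits, an underscore and four decimal digits, or by a run of decimal digits, and a command line of the form "<path>" /s /d. It assumes <commonappdata> expands to C:\ProgramData (the CSIDL_COMMON_APPDATA folder on Windows Vista and later); the sample Run values are constructed, and the two benign entries are invented for contrast. On a live host the name/data pairs would come from an export of HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

```python
import re
from typing import Dict, List, Optional

# Command line the page describes for the Run value: "<location of malware>" /s /d
RUN_CMD_RE = re.compile(r'^"(?P<path>[^"]+)"\s+/s\s+/d\s*$')

# <commonappdata>\<five hex digits>\<two initials><three hex>_<four decimal>.exe  (dropped copy)
# <commonappdata>\<five hex digits>\<two initials><digits>.exe                    (self-copy)
DROP_PATH_RE = re.compile(
    r'^(?P<base>.+)\\(?P<dir>[0-9a-fA-F]{5})\\'
    r'(?P<file>(?P<initials>[A-Z]{2})(?:[0-9a-fA-F]{3}_\d{4}|\d+))\.exe$')


def product_initials(product_name: str) -> str:
    """'Best Antivirus Software' -> 'BAS'."""
    return ''.join(w[0] for w in product_name.split() if w).upper()


def classify_run_entry(value_name: str, value_data: str) -> Optional[Dict[str, object]]:
    """Return details if a Run value matches the FakeVimes launch pattern, else None."""
    cmd = RUN_CMD_RE.match(value_data.strip())
    if not cmd:
        return None
    path = cmd.group('path')
    drop = DROP_PATH_RE.match(path)
    if not drop:
        return None
    initials = drop.group('initials')
    return {
        'product': value_name,
        'path': path,
        'random_dir': drop.group('dir'),
        'file_initials': initials,
        # The page says the file name starts with the product's initials; a mismatch
        # still deserves a look but is reported rather than silently dropped.
        'initials_match_product': product_initials(value_name).startswith(initials),
    }


def suspicious_run_entries(run_values: Dict[str, str]) -> List[Dict[str, object]]:
    """Apply classify_run_entry to every (value name, data) pair of a Run key."""
    hits = []
    for name, data in run_values.items():
        hit = classify_run_entry(name, data)
        if hit:
            hits.append(hit)
    return hits


# Constructed sample of a Run key (assumption: <commonappdata> = C:\ProgramData).
# The first two entries use the example paths from the page; the last two are
# invented benign entries to show they are not flagged.
SAMPLE_RUN_VALUES = {
    'Best Antivirus Software': r'"C:\ProgramData\54fd6\BA3b8_8068.exe" /s /d',
    'Total Anti Malware Protection': r'"C:\ProgramData\54fd6\TA239.exe" /s /d',
    'OneDrive': r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    'Updater': r'"C:\Program Files\Vendor\update.exe" /s /d',
}

if __name__ == '__main__':
    for hit in suspicious_run_entries(SAMPLE_RUN_VALUES):
        print(hit)
```

Both checks are deliberately kept separate: the /s /d command line alone also appears in legitimate installers (the "Updater" sample shows this), so the path shape is what makes the combination specific to this family.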
It drops an icon file <Product initials>.ico to the same directory as the copied malware (for example, Total Anti Malware Protection might create a file like "<commonappdata>\54fd6\TAMP.ico", while Best Antivirus Software would create "BAS.ico"). It also creates empty folders "Quarantine Items" and "<Product initials>Sys" (for example, TAMPSys or BASSys) under the same folder as the original copy of the scanner.
It creates a desktop shortcut at <desktop folder>\<Product name>.lnk (for example, <desktop folder>\Total Anti Malware Protection.lnk)
Note that the icons used by the malware differ for each product name. Below are the icons used by Best Antivirus Software, Live PC Care and Security Antivirus:
It adds an item to the Start Menu by creating a file at <start menu>\<Product Name>.lnk (for example, <start menu>\Total Anti Malware Protection.lnk)
It adds an item to the Programs Menu by creating a file at %ProgramFiles%\<Product name>.lnk (for example, %ProgramFiles%\Best Antivirus Software.lnk).
It adds an icon to the Quick Launch bar by creating a file at %APPDATA%\Microsoft\Internet Explorer\Quick Launch\<Product name>.lnk.
It then creates a configuration file in a location like <commonappdata>\<first two product initials><random letters>\<first two product initials><different random letters>.cfg (for example, for Best Antivirus Software <commonappdata>\BAZUVONHOS\BAUTS.cfg).
It creates a number of small junk files in the %USERPROFILE%\Recent directory, which it can report as infected when doing its fake scan. These files are harmless by themselves.
Payload
Displays fake scanner
The malware masquerades as an antivirus scanner, and displays a number of windows, dialog boxes and system tray pop-ups that try to convince you that you are infected. This appears to be an attempt to replicate the appearance of Microsoft Security Essentials. Earlier versions instead try to replicate the Windows Security Center. See the Additional information section below for images of these earlier versions.
If you try to remove the listed threats, you will be taken to a webpage informing you that you must pay to register the scanner.
Adds details to Security Center
The malware adds its details to the legitimate Security Center by dropping a file named <four digit random number>.mof (for example, 5668.mof) to the directory in which it is running, and then launching a system tool using this file as input. It adds itself as both the Antivirus Product and Firewall Product:
Changes Hosts file
FakeVimes changes the Windows Hosts file. The local Hosts file maps hostnames to IP addresses and takes precedence over DNS resolution. Malware might make changes to the Hosts file to redirect specified hostnames to different IP addresses. Malware often changes a PC's Hosts file to stop users from accessing websites associated with particular security-related applications (like antivirus programs, for example).
FakeVimes tries to change the Hosts file at %windir%\drivers\etc\hosts to remove entries like the following if they are present:
- 64.86.17.32
- secure1.bestscansystems.com
- www5.total-anti-malware-protection.com
- safe-pay-vault.com
- secure-softsales-discount.com
- secure.securepay-processor.com
- vsoftstore.com
- webpayvault.com
These entries might have been added earlier (by competing malware, for instance, or even by another security-conscious administrator) to prevent you from visiting the websites of Win32/FakeVimes or its payment gateways.
Some variants of Win32/FakeVimes have also been reported to add additional entries to the Hosts file to block access to security related websites, or redirect visits to search pages to sites of the malware's choosing. For example, some variants redirect the following pages:
- 4-open-davinci.com
- au.search.yahoo.com
- bing.com
- ca.search.yahoo.com
- de.search.yahoo.com
- fr.search.yahoo.com
- getantivirusplusnow.com
- getavplusnow.com
- google-analytics.com
- google.be
- google.ca
- google.ch
- google.co.jp
- google.co.nz
- google.co.uk
- google.co.za
- google.com
- google.com.au
- google.com.br
- google.de
- google.dk
- google.fr
- google.ie
- google.it
- google.nl
- google.no
- google.pl
- google.se
- paysoftbillsolution.com
- privatesecuredpayments.com
- protected.maxisoftwaremart.com
- safebrowsing-cache.google.com
- search.live.com
- search.msn.com
- search.yahoo.com
- secure-plus-payments.com
- secure.paysecuresystem.com
- secure.privatesecuredpayments.com
- securesoftwarebill.com
- securitysoftwarepayments.com
- uk.search.yahoo.com
- urs.microsoft.com
to locations like the following:
- 206.53.61.77
- 74.125.45.100
- 94.228.209.236
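As an added example (my own code, not part of the original analysis), here is a small Hosts-file checker that separates the two kinds of change described above: entries that point watched search-engine or security hostnames at a routable address (the redirect pattern) and entries that sink them to loopback or 0.0.0.0 (the ordinary "block this site" idiom). The watched list is a short subset of the hostnames on the page, the sample Hosts file is constructed, and the redirect addresses in it are the three listed above. Entries the malware has removed leave no trace in the file, so this check only covers additions.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Subset of the hostnames the page lists as redirected. A deployment would keep this
# in a maintained list rather than in code.
WATCHED_HOSTS: Set[str] = {
    'google.com', 'bing.com', 'search.yahoo.com', 'search.live.com', 'search.msn.com',
    'google-analytics.com', 'safebrowsing-cache.google.com', 'urs.microsoft.com',
}

# Constructed sample Hosts file (not taken from a real machine). The three routable
# addresses are the example redirect targets from the page.
SAMPLE_HOSTS = """# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost
127.0.0.1       mycorp-dev.local
74.125.45.100   google.com www.google.com   # redirect-style entry
206.53.61.77    search.yahoo.com
94.228.209.236  bing.com
0.0.0.0         ads.example.net
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, one per hostname, ignoring comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:
            pairs.append((parts[0], name.lower()))
    return pairs


def is_sinkhole(ip: str) -> bool:
    """Loopback or unspecified targets block a name; anything else redirects it."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def _is_watched(host: str, watched: Set[str]) -> bool:
    """True if the host or any parent domain is on the watched list."""
    labels = host.split('.')
    return any('.'.join(labels[i:]) in watched for i in range(len(labels) - 1))


def find_hijacked_entries(text: str, watched: Set[str] = WATCHED_HOSTS) -> Dict[str, str]:
    """Watched hostnames mapped to a routable address: the redirect pattern."""
    return {host: ip for ip, host in parse_hosts(text)
            if _is_watched(host, watched) and not is_sinkhole(ip)}


def find_blocked_entries(text: str, watched: Set[str] = WATCHED_HOSTS) -> Dict[str, str]:
    """Watched hostnames mapped to loopback/0.0.0.0: access blocked rather than redirected."""
    return {host: ip for ip, host in parse_hosts(text)
            if _is_watched(host, watched) and is_sinkhole(ip)}


if __name__ == '__main__':
    print('redirected:', find_hijacked_entries(SAMPLE_HOSTS))
    print('blocked:   ', find_blocked_entries(SAMPLE_HOSTS))
```

On Windows the file to feed in is %windir%\System32\drivers\etc\hosts; the parser also accepts IPv6 entries, since the address check uses the ipaddress module rather than a dotted-quad regex.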
Monitors browser traffic
The malware creates the following registry entry, which causes Internet Explorer to use a web proxy on the local PC.
In subkey: HKCU\Software\Microsoft\Internet Explorer
Sets value: "PRS"
With data: "hxxp://127.0.0.1:27777/?inj=%ORIGINAL%"
It then listens on port 27777 for the proxied web traffic. Should it find pages that it does not want you to view, it might block access to this content, or close browser tabs or windows. Should access be blocked, it might display a page like the following:
Changes default search page
The malware tries to alter the default search page for Internet Explorer by creating a registry entry like the following:
In subkey: HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes
Sets value: "URL"
With data: "hxxp://findgala.com/?&uid=8068&q={searchTerms}"
Changes security settings
It creates the following registry entries to try and let Internet Explorer run unsigned or incorrectly signed executables without displaying a warning:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Download
Sets value: "CheckExeSignatures"
With data: "no"
Sets value: "RunInvalidSignatures"
With data: "1"
It might try to allow itself through Windows Firewall by creating the following registry entry:
In subkey: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<location of malware>" (for example, <commonappdata>\54fd6\BA3b8_8068.exe)
With data: "<location of malware>:*:Enabled:<Product Name>" (for example, <commonappdata>\54fd6\BA3b8_8068.exe:*:Enabled:Best Antivirus Software)
Some variants might also add the following:
In subkey: HKLM\System\CurrentControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: <location of malware> (for example, <commonappdata>\54fd6\BA3b8_8068.exe)
With data: "<location of malware>:*:Enabled:<Product Name>" (for example, <commonappdata>\54fd6\BA3b8_8068.exe:*:Enabled:Best Antivirus Software)
If the PC is running Windows Vista or later, FakeVimes might also temporarily change the registry entries below, so that the Hosts file changes above can be made without a UAC (User Account Control) prompt being displayed. After it has made the changes, it might restore stricter settings on these entries, but might use values other than the ones originally present.
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Changes value: "ConsentPromptBehaviorAdmin"
Changes value: "ConsentPromptBehaviorUser"
Changes value: "EnableLUA"
Changes browser settings
FakeVimes changes your PC's browser settings by making the following changes to the registry:
In subkey: HKCU\Software\Microsoft\Internet Explorer
Sets value: "IIL"
With data: "0"
Sets value: "ltHI"
With data: "0"
Sets value: "ltTST"
With data: <five digit number> (for example, 20212)
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "UID"
With data: <four digit identifier> (for example, 8068)
It also creates registry entries similar to the following, which add additional information to the string that a web browser uses to identify itself when connecting to a website:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
Sets value: <12 digit number> (for example, 786905932603)
With data: ""
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
Sets value: "ver:2.0<four digit identifier>" (for example, ver:2.08068)
With data: ""
Prevents programs from running
The malware tries to prevent a number of executables associated with Microsoft Security Essentials, Windows Defender, and ESET and AVG antivirus products from running. It does so by creating the following registry entries:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "DisallowRun"
With data: "1"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Sets value: "0"
With data: "msseces.exe"
Sets value: "1"
With data: "MSASCui.exe"
Sets value: "2"
With data: "ekrn.exe"
Sets value: "3"
With data: "egui.exe"
Sets value: "4"
With data: "avgnt.exe"
Sets value: "5"
With data: "avcenter.exe"
Sets value: "6"
With data: "avscan.exe"
Sets value: "7"
With data: "avgfrw.exe"
Sets value: "8"
With data: "avgui.exe"
Sets value: "9"
With data: "avgtray.exe"
Sets value: "10"
With data: "avgscanx.exe"
Sets value: "11"
With data: "avgcfgex.exe"
Sets value: "12"
With data: "avgemc.exe"
Sets value: "13"
With data: "avgchsvx.exe"
Sets value: "14"
With data: "avgcmgr.exe"
Sets value: "15"
With data: "avgwdsvc.exe"
The malware also tries to prevent a number of other programs from running, by setting the harmless system process "svchost.exe" as a debugger for these programs. This means that when you try to launch one of these programs, svchost.exe is run instead of the program that you want to run.
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<file name of blocked program>
Sets value: "Debugger"
With data: "svchost.exe"
for example:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe
Sets value: "Debugger"
With data: "svchost.exe"
It does this for the following diagnostic or security-related programs:
It also does the same for the following files used by other rogue antivirus software:
- AdwarePrj.exe
- agent.exe
- AlphaAV
- AlphaAV.exe
- Anti-Virus Professional.exe
- AntispywarXP2009.exe
- AntiVirus_Pro.exe
- AntivirusPlus
- AntivirusPlus.exe
- AntivirusPro_2010.exe
- AntivirusXP
- AntivirusXP.exe
- antivirusxppro2009.exe
- av360.exe
- AVCare.exe
- brastk.exe
- Cl.exe
- csc.exe
- dop.exe
- frmwrk32.exe
- gav.exe
- gbn976rl.exe
- homeav2010.exe
- init32.exe
- MalwareRemoval.exe
- ozn695m5.exe
- pav.exe
- pc.exe
- PC_Antispyware2010.exe
- pctsAuxs.exe
- pctsGui.exe
- pctsSvc.exe
- pctsTray.exe
- pdfndr.exe
- PerAvir.exe
- personalguard
- personalguard.exe
- protector.exe
- qh.exe
- Quick Heal.exe
- QuickHealCleaner.exe
- rwg
- rwg.exe
- SafetyKeeper.exe
- Save.exe
- SaveArmor.exe
- SaveDefense.exe
- SaveKeep.exe
- Secure Veteran.exe
- secureveteran.exe
- Security Center.exe
- SecurityFighter.exe
- securitysoldier.exe
- smart.exe
- smartprotector.exe
- smrtdefp.exe
- SoftSafeness.exe
- spywarexpguard.exe
- tapinstall.exe
- TrustWarrior.exe
- tsc.exe
- W3asbas.exe
- winav.exe
- windll32.exe
- windows Police Pro.exe
- xp_antispyware.exe
- xpdeluxe.exe
- ~1.exe
- ~2.exe
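To triage the registry side of this behaviour offline, here is an added example (my own code, not Microsoft's) that parses a .reg export and flags the Image File Execution Options "Debugger" hijack and the DisallowRun list described in this section, together with the "PRS" local proxy value, the Internet Explorer signature-check settings and the UAC policy values from the earlier sections. The sample export is constructed; the key paths and value names are the ones given on the page, and the parser handles only string and dword data (hex and multi-line values are kept raw). A benign Image File Execution Options entry is included to show that only "Debugger" values are reported.

```python
import re
from typing import Dict, List, Tuple

# Constructed .reg export (not taken from a real host). Key paths and value names
# follow the page; the notepad.exe entry is a benign control case.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"0"="msseces.exe"
"1"="MSASCui.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
"PRS"="http://127.0.0.1:27777/?inj=%ORIGINAL%"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
"RunInvalidSignatures"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000000
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.+)$')


def _unescape(s: str) -> str:
    """.reg string syntax escapes double quotes and backslashes."""
    return s.replace('\\"', '"').replace('\\\\', '\\')


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Minimal .reg parser: key path -> {value name: str or int}."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name, data = _unescape(vm.group(1)), vm.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                keys[current][name] = _unescape(data[1:-1])
            elif data.lower().startswith('dword:'):
                keys[current][name] = int(data[6:], 16)
            else:
                keys[current][name] = data  # hex:/multi-line data left as written
    return keys


def find_tampering(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (category, detail) findings for the registry changes the page describes."""
    findings: List[Tuple[str, str]] = []
    for key, values in keys.items():
        k = key.lower()
        if '\\image file execution options\\' in k and 'Debugger' in values:
            target, dbg = key.rsplit('\\', 1)[1], str(values['Debugger'])
            why = ('svchost.exe as debugger silently replaces the program'
                   if dbg.lower().endswith('svchost.exe') else 'unexpected debugger')
            findings.append(('ifeo_debugger', f'{target} -> {dbg} ({why})'))
        if k.endswith('\\policies\\explorer\\disallowrun'):
            for data in values.values():
                findings.append(('disallow_run', str(data)))
        if k.endswith('\\microsoft\\internet explorer') and 'PRS' in values:
            findings.append(('local_proxy', str(values['PRS'])))
        if k.endswith('\\internet explorer\\download'):
            if str(values.get('CheckExeSignatures', '')).lower() == 'no':
                findings.append(('signature_checks', 'CheckExeSignatures=no'))
            if values.get('RunInvalidSignatures') in (1, '1'):
                findings.append(('signature_checks', 'RunInvalidSignatures=1'))
        if k.endswith('\\policies\\system'):
            for name in ('EnableLUA', 'ConsentPromptBehaviorAdmin', 'ConsentPromptBehaviorUser'):
                if values.get(name) in (0, '0'):
                    findings.append(('uac', f'{name}=0'))
    return findings


if __name__ == '__main__':
    for category, detail in find_tampering(parse_reg_export(SAMPLE_REG)):
        print(f'{category:18} {detail}')
```

A real export produced by reg export is UTF-16 with a byte-order mark, so read it with that encoding before passing the text in; the checks match on key suffixes, so the same code works for HKU\<SID> hives exported from other user profiles.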
Additional information
Older variants of FakeVimes might display images like the following:
Analysis by David Wood and Ray Roberts