AlienForce1 Posted July 26, 2011

A video on Facebook is used as the vector of infection for a Trojan; the rogue AV component artfully mimics the antivirus you have installed on your system, and the downloader adds the compromised PC to a network of infected systems that constantly exchange malware between them.

Trojan.FakeAV.LVT takes social engineering to a whole new level. The scenario is extremely complex and efficient: imagine a friend who initiates a conversation with you in a Facebook chat window. The dialogue seems a bit rigid and soon you are teased with questions such as "Hi. How are you?", "It is you on the video?" or "Want to see?" that introduce a link to nothing else but a movie allegedly starring yourself. Classic, you may say; and you wouldn't be completely wrong. However, the juicy details are yet to come.

1. First of all, you are shown a YouTube page with a movie that mentions your name in the title, which is, by the way, correctly spelled, as it is taken directly from your Facebook profile. At this point, the video is probably gaining your full trust. On top of that, some of your friends (also taken from your Facebook account's friends list) appear to have already commented on the video, thus adding yet another huge plus to this crafty scam. In short, you have a movie that is allegedly about you and some friends' comments that either worship you or appear to be utterly disappointed. Wouldn't you care to see why? Well, if the answer is yes, you will be requested to download a new version of Flash Player, because it appears that your version is "outdated". This should ring a bell that something is "phishy", but given the fact that it is a message you have seen quite a lot of times on the legit website, you might not even notice it. Once you click the link, you get immediately caught in a scenario that seems to be taken straight from science fiction movies, because what you download is an extremely insidious Trojan.

2. While you think that you are downloading a Flash Player, you are in fact welcoming a Trojan onto your PC that will shortly start wreaking havoc on your system. The malicious code hides under the innocent name and appearance of a Flash Player. It copies itself as %windir%\services32.exe and as %windir%\update.X\svchost.exe, where update is a hidden directory and X is the version of the malware. After that, it adds a registry key in %SYSTEM%, and the malicious code is thus added to the list of authorized applications for the firewall, or it disables the firewall altogether. Then it proceeds to disable all notifications generated by the firewall, the update module and whatever antivirus it finds installed on the PC. Yes, you've got it right: it strips you of whatever protection you have in place.

3. Trojan.FakeAV.LVT has a rogue AV component that is indeed innovative: it starts by displaying personalized warning message windows that are strikingly similar to the AV solution it finds installed on the system. Yes, it is a chameleon that has a copycat kit for all the important AV products on the market. It goes so far as to initially determine the AV running on the machine and the interface language selected by you. It will afterwards use the captions, the icons and the messages consistent with the personalized settings of the installed AV. In order to leave you totally unprotected, the Trojan displays a popup warning and kindly asks you to reboot the system in order to perform the clean-up. But before that, it queues your antivirus for uninstallation, then uses the genuine Microsoft bcdedit.exe (the command line tool for managing BCD (Boot Configuration Data) files) in order to instruct the system to boot in safe mode after restart. The piece of malware will successfully start in safe mode, as it has created the following Registry key: "HKLM\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell = %windir%\services32.exe". After it has successfully removed your antivirus, the Trojan uses bcdedit.exe again to execute the following: 'BCDEDIT /deletevalue safeboot /set safebootalternateshell false' and restart the computer in normal mode. Now you are also notified that qualified help could be provided in a couple of hours by a support specialist, if you send them your cell-phone number.

4. The Trojan also packs under its hood a downloader component that fetches files from different URLs depending on the OS of the infected system. The systems running Windows Vista, for instance, will download files from a different location than those running XP. The downloaded file contains a list of IPs saved as %windir%\front_ip_list.txt. The malware contains a hardcoded list of IPs as well. These are the IPs of other infected systems, which will be used for exchanging malware between them, creating a fully-fledged malware distribution system with peer-to-peer update capabilities. These IP lists are changed regularly, and so infected systems are always in contact and constantly exchanging malicious code.

Source: MalwareCity
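An added example, not code from the MalwareCity article or from this post: a read-only PowerShell triage script that checks a Windows host for the artefacts the article names (the dropped %windir%\services32.exe and %windir%\update.X\svchost.exe copies, a non-default SafeBoot AlternateShell value, a safe-mode setting staged on the current boot entry with bcdedit, and the %windir%\front_ip_list.txt peer list). It assumes the Windows default AlternateShell value of cmd.exe, and it looks at CurrentControlSet as well as ControlSet001/002 because the article quotes ControlSet001 specifically. It reports and never deletes anything.

```powershell
# Added example (not from the article or the forum post). Run from an elevated
# PowerShell prompt; bcdedit and the HKLM SafeBoot key need administrator rights.
$findings = @()
$windir = $env:windir

# 1. Dropped copies described in the article: %windir%\services32.exe and
#    %windir%\update.X\svchost.exe inside a hidden "update.X" directory.
if (Test-Path -LiteralPath (Join-Path $windir 'services32.exe')) {
    $findings += "Dropped file present: $windir\services32.exe"
}
Get-ChildItem -LiteralPath $windir -Directory -Force -Filter 'update.*' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $svc = Join-Path $_.FullName 'svchost.exe'
        if (Test-Path -LiteralPath $svc) {
            # A legitimate svchost.exe lives in %windir%\System32, never under %windir%\update.*
            $hidden = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
            $findings += "svchost.exe outside System32: $svc (directory hidden: $hidden)"
        }
    }

# 2. Safe-mode persistence: the SafeBoot AlternateShell value. The Windows default is
#    'cmd.exe' (assumption stated in the lead-in); the article reports it set to services32.exe.
foreach ($cs in 'CurrentControlSet', 'ControlSet001', 'ControlSet002') {
    $key = "HKLM:\SYSTEM\$cs\Control\SafeBoot"
    if (Test-Path -LiteralPath $key) {
        $shell = (Get-ItemProperty -LiteralPath $key -Name AlternateShell -ErrorAction SilentlyContinue).AlternateShell
        if ($shell -and $shell -ne 'cmd.exe') {
            $findings += "Non-default SafeBoot AlternateShell in ${cs}: '$shell'"
        }
    }
}

# 3. A safe-mode boot staged through bcdedit shows up as a 'safeboot' (and possibly
#    'safebootalternateshell') value on the current boot entry.
$bcd = & bcdedit.exe /enum '{current}' 2>$null
if ($bcd -match '^\s*safeboot(alternateshell)?\s') {
    $findings += 'Boot entry {current} carries a safeboot value: next restart will enter safe mode'
}

# 4. Peer list dropped by the downloader component.
$ipList = Join-Path $windir 'front_ip_list.txt'
if (Test-Path -LiteralPath $ipList) {
    $findings += "Peer IP list present: $ipList"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Trojan.FakeAV.LVT artefacts found.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

A hit on check 2 or 3 alone is worth a closer look even without the dropped files, since either one means something has altered what the machine will run on its next boot; a host that returns no findings has only been checked for the specific artefacts this article describes, not cleared of a variant.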
DKT27 (Administrator) Posted July 26, 2011

The two pics on the source article, please host them on imgur, etc. and post them too. Best if some screenshots are also there to give some idea. :)

This looks like a good story, too bad it must be true, FakeAV is known to wreak havoc. :(
AlienForce1 (Author) Posted July 26, 2011

> This looks like a good story, too bad it must be true, FakeAV is known to wreak havoc. :(

The bad part is that the whole thing is real - I hope you won't see it on your comp. B)
tipo Posted July 26, 2011

:)) That's a Kaspersky warning window. I must tell you that I'm in love with virtualization / sandboxing techniques. No AV in the world would ever keep up with these malware creators..
shought Posted July 26, 2011

Crafty little bitches :P

As much as I despise people who touch other people's property, I have to say this seems to be a really 'well-written' piece of code. I wonder what they could achieve if they used their powers for good instead of bad...
AlienForce1 (Author) Posted July 26, 2011

> Crafty little bitches :P
> As much as I despise people who touch other people's property, I have to say this seems to be a really 'well-written' piece of code

This malware is able to copy and replace 16 security solutions (most used) ... :huh:
HX1 Posted July 26, 2011

I have had this happen before and simply hit F5 to refresh.. as long as it was never a QuickTime embed, in which case I just 'moved on'.. When I have it installed and up to date, possibly even running a beta, I get extremely suspicious and naturally figure it's time to 'pursue other avenues of data'.. :P

Common sense would seem like the thing BUT... With some FF installations.. it will use your previous install folder for FF.. for plugins.. unless you manually create a folder in the Program Directory for the particular installation, it will use the other one... one such problem occurs with the Windows Media Player plugin... but I usually just copy the whole folder over.. Flash and a few others, as well as components, actually are in other folders.. so it will never really be affected in this area...

I actually haven't used that part of FF for years (talking about the 'You need to install plugin - click here' thing)... Usually it will be obvious as to what it is.. and if I don't have it I probably don't want it either.. and if I already do.. then they need to straighten out their code or something.. :P
ck_kent Posted July 27, 2011

That's clever. So, having this exposed, are the anti-viruses able to detect it now and prevent it from being installed?
Ambrocious Posted July 27, 2011

I have dealt with this on a friend's computer recently, but it wasn't all that hard to get rid of once you realized WHAT the problem was. I noticed that his avast! was still there, but when I tried to click it, it informed me that it had been set to "Protection mode because of a virus", yet it didn't allow me to do anything else with it. I first used Long Path Tool on all of the newly created *32 paths which were infected (you could see butt loads in the process manager), changing their .exe to .mp3. From this point on, it was a matter of deleting them. The additional services32.exe I took care of the same way as I did with the newly created svchost (Long Path Tool). One of the strange things is that this trojan was ALSO planted in the Windows temp directory. Since these were all set to "start", you could easily use a program that allows you to see what is starting in order to hunt these down (I used Registry Reviver).

There was one bad repercussion of this trojan, and that is that it got rid of the ability to connect to the internet (must have damaged the settings or something). While the trojan was able to connect in, I imagine, we couldn't. I used Windows 7 Repair Disk to get things set straight again, followed by scans with SUPERAntispyware, Malwarebytes, The Cleaner 2012, and of course avast.
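As an added example, not Ambrocious's own tooling (Long Path Tool and Registry Reviver) and not code from the thread: a PowerShell listing of auto-start entries (Run/RunOnce keys and Windows services) whose command points into one of the locations this thread mentions, namely the Windows temp directory, the root of %windir%, or a %windir%\update.* directory. The set of auto-start locations and the path patterns are my assumptions; the script only lists, it changes nothing.

```powershell
# Added example (not from the thread). Read-only; run from an elevated prompt so that
# HKLM keys and the service list are fully readable.
$windir = $env:windir

# Locations the thread flags: %windir%\Temp\..., %windir%\update.X\..., or an .exe that
# sits directly in %windir% (services32.exe in the post). The last pattern also matches
# legitimate binaries such as explorer.exe, so treat hits as review candidates, not verdicts.
$suspiciousPattern = @(
    [regex]::Escape("$windir\Temp\"),
    [regex]::Escape("$windir\update."),
    ([regex]::Escape("$windir\") + '[^\\"]+\.exe')
) -join '|'

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

$hits = New-Object System.Collections.Generic.List[object]

foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $entry = Get-ItemProperty -LiteralPath $key
    foreach ($prop in $entry.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are provider metadata, not values
        if (($prop.Value -is [string]) -and ($prop.Value -match $suspiciousPattern)) {
            $hits.Add([pscustomobject]@{ Location = $key; Name = $prop.Name; Command = $prop.Value })
        }
    }
}

# Services are the other common auto-start. The copies described in the thread borrow
# system binary names (services32.exe, svchost.exe) but live outside System32, which
# the pattern above catches.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and ($_.PathName -match $suspiciousPattern) } |
    ForEach-Object {
        $hits.Add([pscustomobject]@{ Location = 'Win32_Service'; Name = $_.Name; Command = $_.PathName })
    }

if ($hits.Count -gt 0) {
    $hits | Format-Table -AutoSize
} else {
    Write-Output 'No auto-start entries point into the flagged locations.'
}
```

Renaming or deleting whatever this lists is a separate, deliberate step; the point of the listing is to see every auto-start that would bring the files back after the reboot the rogue AV asks for, which is exactly where a cleanup that only removes the visible process falls short.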