Fake MS Removal Tool forces user to buy Fake AV software (Jun 17, 2011)


The SonicWALL UTM research team has received reports of a new FakeAV that is more intrusive than usual. Most FakeAVs are simply annoying: they cause pop-up windows to appear that encourage victims to buy the software. Fakesysdef.BDF is a FakeAV that actually forces the user to buy the software. The system is rendered unusable until the software is paid for or removed.

The Trojan creates the following file on the filesystem:

  • C:\Documents and Settings\All Users\Application Data\jB04208NpCpC04208\jB04208NpCpC04208.exe [Detected as GAV: Fakesysdef.BDF (Trojan)]
  • The file “jB04208NpCpC04208.exe” is a copy of the original Trojan file. The filename is randomly generated but always ends with “04208”. From further analysis it is suspected that “04208” is an affiliate ID. Once copied, the file is then run from its new location.

The Trojan creates the following registry keys to ensure startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce {random} “C:\Documents and Settings\All Users\Application Data\jB04208NpCpC04208\jB04208NpCpC04208.exe” [Detected as GAV: Fakesysdef.BDF (Trojan)]
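A triage sketch for the persistence described above, added here as an example and not SonicWALL's code: it parses `reg query` output for the RunOnce key and flags values whose executable matches the path layout in this advisory. The helper names and the sample export, including the value name `kq81x`, are constructed for illustration.

```python
import ntpath
import re

# One value line of `reg query` output: "    <name>    REG_SZ    <data>"
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{4}REG_(?:EXPAND_)?SZ\s{4}(?P<data>.*)$")
# Executable path at the start of a command line, quoted or unquoted.
EXE_RE = re.compile(r'^\s*(?:"(?P<q>[^"]+)"|(?P<u>.+?\.exe))', re.IGNORECASE)
SHARED_APPDATA = "\\all users\\application data\\"
AFFILIATE_ID = "04208"  # suffix reported in the advisory

# Constructed sample export; the value names are made up.
SAMPLE = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    kq81x    REG_SZ    "C:\Documents and Settings\All Users\Application Data\jB04208NpCpC04208\jB04208NpCpC04208.exe"
    Updater    REG_SZ    "C:\Program Files\Vendor\update.exe" /silent
'''

def exe_path(command):
    """Return the executable path from a RunOnce command line, or None."""
    m = EXE_RE.match(command)
    return (m.group("q") or m.group("u")) if m else None

def reasons(command):
    """List which traits from the advisory the command line shows."""
    path = exe_path(command)
    if not path:
        return []
    stem = ntpath.splitext(ntpath.basename(path))[0]
    folder = ntpath.basename(ntpath.dirname(path))
    found = []
    if SHARED_APPDATA in path.lower():
        found.append("shared-appdata")        # runs from All Users\Application Data
    if stem and stem.lower() == folder.lower():
        found.append("self-named-folder")     # <name>\<name>.exe layout
    if stem.endswith(AFFILIATE_ID):
        found.append("affiliate-suffix")      # file name ends with the affiliate ID
    return found

def triage(reg_query_text):
    """Return (value name, reasons) for entries showing at least two traits."""
    hits = []
    for line in reg_query_text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            why = reasons(m.group("data"))
            if len(why) >= 2:
                hits.append((m.group("name"), why))
    return hits

if __name__ == "__main__":
    for name, why in triage(SAMPLE):
        print(f"suspicious RunOnce value {name!r}: {', '.join(why)}")
```

Requiring two traits keeps a legitimate program that merely lives under the shared Application Data folder from being flagged on location alone.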

The Trojan will run silently in the background for a period of approximately 10 minutes. After this time the Trojan will remove the desktop background and pop up a fake system scan window named “MS Removal Tool”:

The Trojan will show a fake summary of results of the scan and prompt the user to remove the threats:

When trying to run most software on the system the Trojan will give a fake warning that the program is infected:

When clicking on “Remove all threads now” the user is taken to a payment page:

The Trojan was spotted communicating with 46.161.{removed}.{removed} for payment form information using the affiliate ID “04208”:

The Trojan was also spotted enumerating directories under C:\Program Files and reading the contents of C:\documents and settings\{user}\start menu\desktop.ini.

The SonicWALL UTM research team has discovered various license keys posted on the internet that claim to disable this FakeAV software. However, the software is not removed from the system using these keys and still runs in the background.

After registering the software we observed continued suspicious behavior. The Trojan attempts to steal information from popular game titles that may be installed on the system:

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Fakesysdef.BDF (Trojan)
