Trojan/FakeAlert.T

Trojan/FakeAlert.T

Nombre:	Trojan/FakeAlert.T Alias: FakeAlert-T
Tipo:	Troyano
Tamaño:	28167 bytes
Origen:	Internet
Destructivo:	NO
En la calle (in the wild):	SI
Detección y eliminación:	The Hacker 6.2 al 10/10/2007.

Descripción:

Trojan/FakeAlert.T, troyano que al ejecutarse crea el siguiente archivo:

%windir%\system32\nusrmgr.exe

Nota:

- %windir% representa la carpeta de Windows (Ej. C:\WINDOWS, C:\WINNT).

Luego el gusano descarga los siguientes archivos potencialmente peligrosos:

%windir%\system32\din.ip
%windir%\system32\navwanvd.ini
%windir%\system32\drivers\detect.htm
%windir%\system32\drivers\s_detect.htm
%windir%\system32\drivers\pt.htm

Nota:

- %windir% representa la carpeta de Windows (Ej. C:\WINDOWS, C:\WINNT).

El gusano crea las siguientes entradas de registro para lograr ejecutarse en cada inicio de Windows:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
"StubPath" = "%WINDIR%\system32\nusrmgr.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}
"StubPath" = "%WINDIR%\system32\nusrmgr.exe"

El troyano muestra ventanas de alerta con uno de los siguientes contenidos:

Your computer is infected.
Windows has detected spyware infection! It is recommended to use special antispyware tools to prevent data loss. Windows will now download and install the most up-to-date antispyware for you. Click here to protect your computer from spyware!
Warning:
Your computer is infected with spyware! How to help protect your computer and remove spyware...Click here for more information.&
Your Security and Privacy are at risk.
Spyware has been detected on your computer.Click here to run a FULL SYSTEM SCAN to protect your data...
Your computer is working slowly!
Slow operation speed might have been caused by malicious spyware. Download antispyware software and run full system scan to remove all viruses and spyware from your computer. Click here to start downloading...!
Internet attack attempt detected.
Somebody's trying to infect your PC with spyware or harmful viruses. Run full system scan now to protect your computer from Internet attacks, hijacking attempts and spyware. Click here for the list of available security updates...
Your computer is not protected against spyware!
Spyware able to steal your data including passwords, credit card numbers, etc. Scan your computer for spyware immediately! System scan is highly recommended!-
Alert: A minimum of 12 spyware entries found.
To remove all spyware and viruses click here to visit Security Center web site and download spyware remover.!
Possible spyware infection has been detected on your computer by Windows Security Center.
Windows Security Center system warning
Click here to visit Windows Security Center web site...
To remove detected threat you need to update Windows antispyware protection.

Al hacer clíc en la ventana de alerta el explorador de internet mostrará la siguiente página web para descargar un falso AntiSpyware:

http://pcsecurity[REMOVIDO].com

Finalmente el troyano se conecta a la siguiente dirección web para descargar archivos potencialmente peligrosos:

http://liveupdatesnet.com