Did You Get the FakeRean Windows Virus?

Sunday, May 01, 2011

Global Knowledge


Article by John Mark Ivey

I feel sorry for you if your computer was recently infected by the Fake Windows AntiMalware virus, but don’t beat yourself up over it too badly.

I know of some seasoned IT professionals who fell victim to it as well. Feel better?

The virus falls under the Trojan:Win32/FakeRean virus category, a family that poses as antivirus, antispyware, or registry-cleaner software. It attacks Windows users via a Trojan drop file.

It then attempts to install rogue security software using terms like “Internet Security”, “Defender Pro”, “Smart Security 2010”, or “Security Tool 2010”, along with a fake Windows Security Center, to fool you into thinking it is legit.

One co-worker was able to “experiment” with it on a test laptop running Windows 7. The variation he had attacked the system much like Conficker. It corrupted all .exe files on the laptop and would not allow him to run any of them. He couldn’t even boot in safe mode because some keyboard functions, like the arrow keys, wouldn’t work.

He admitted that this was an extreme infection on the test laptop. He typically tries to get the infection and find different ways of removing it, but sometimes it gets so bad he has to reformat the laptop’s hard drive and start over.

This was one of those cases.

First off, I suggest you go to your Folder Options Control Panel and enable “view protected operating system files and hidden folders.” This will make it easier to find the hidden system files named ave.exe or gtg.exe that the Trojan dropped into your AppData folder.

Also search for a hidden system file named “y7V11” in multiple directories including AppData and Temp folders.
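The search described above (hidden ave.exe or gtg.exe in AppData, and “y7V11” in AppData and Temp) can be scripted. The PowerShell below is an added example, not part of the original article; the folder list, the function name Find-FakeReanDropFile, and matching “y7V11” with or without an extension are assumptions. It only lists matches and deletes nothing.

```powershell
# Added example: read-only sweep for the file names mentioned in the article.
# The names come from the article; everything else here is an assumption.
$names = @('ave.exe', 'gtg.exe', 'y7V11')

# Current user's AppData (roaming and local) and Temp, plus the system Temp folder.
$roots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, (Join-Path $env:windir 'Temp')) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    Select-Object -Unique

function Find-FakeReanDropFile {
    param(
        [string[]]$Root,
        [string[]]$Name
    )
    foreach ($r in $Root) {
        # -Force includes Hidden and System items, which a default listing skips.
        # Unreadable folders are skipped silently, so run elevated for full coverage.
        Get-ChildItem -LiteralPath $r -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object {
                # Files only; match the full name, or the name without its
                # extension so "y7V11" is caught whether or not it has one.
                -not $_.PSIsContainer -and
                ($Name -contains $_.Name -or $Name -contains $_.BaseName)
            } |
            Select-Object FullName, Length, CreationTime, LastWriteTime,
                @{ Name = 'Attributes'; Expression = { $_.Attributes.ToString() } }
    }
}

# Temp normally sits inside the local AppData folder, so drop duplicate paths.
$hits = @(Find-FakeReanDropFile -Root $roots -Name $names |
    Sort-Object -Property FullName -Unique)

if ($hits.Count -eq 0) {
    Write-Output 'No files with the listed names were found.'
} else {
    $hits | Format-List
}
```

A match on name alone is a lead, not proof: check the Hidden and System attributes and the timestamps in the output before removing anything.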

The rogue security software will be accompanied by deceptive sales tactics and false positives to lure you into purchasing a software license or security subscription. This is known as scareware.

Don’t take the bait unless you are in the mood for additional malware. Immediately remove these files from your system.

To avoid this happening in the future, don’t open emails from folks you don’t know or an email with an odd subject line from someone you do know. Chances are they didn’t find a video of you online. You’re not that kind of guy, right?

Also, don’t click links via social media or banner ads, even at reputable sites. Sometimes web ads, even without clicking, use a script to start installing immediately with no action from the user.

Spyware producers are able to purchase ads through syndicated ad networks, which then pull their rogue ad into the random pool with all the other legitimate ones you see.

To prevent this, you can disable scripting in your browser.

Also, you can install an ad blocker so that you don’t receive ads from certain providers. At work, your company should be blocking some ad services at the firewall level.

Another helpful tip for avoiding malware and viruses is to not view Outlook mail via the preview pane. Previewing is just like viewing, and immediate infection can take place. For a free legitimate virus scan, visit http://www.microsoft.com/security/scanner/en-us/default.aspx.

Cross-posted from Global Knowledge
