Security researcher Xylitol recently wrote an article about a new malware that performs some tricks to make you think your computer is running normally, when it is in fact infected with a variety of malware. Typically when a brand new computer infection is released, your antivirus program is hard-pressed to update its malware database fast enough to protect you from it. Even if the malware is installed before your antivirus can detect it, the hopes are that once the malware is added to the security software's virus database, it will then be detected and removed.
What is malware to do, then, to protect itself from this tactic? Most malware will terminate known antivirus programs and other security programs when they are started. This, though, can quickly become suspicious when the various programs you try to run are immediately terminated. This new malware offers a sneakier solution: simply uninstall the antivirus software installed on the computer and then run a malicious program that pretends to be it. This is exactly what Xylitol found when researching a new Trojan that has been labeled Trojan.FakeAV.LVT.
Xylitol reports that Trojan.FakeAV.LVT arrives on the system under the filename flash-player.exe. The file is probably named this way to trick people into thinking it is related to Adobe Flash. Once run, it performs a network test by connecting to a variety of sites, such as youtube.com and wikipedia.org, to see whether you have an Internet connection. It then downloads further files and searches your computer for specific antivirus programs that may be installed. If it detects an antivirus program, it reboots your computer into Safe Mode, where it uninstalls your current antivirus program. When it is done uninstalling your antivirus software, it reboots back into normal Windows mode and displays alerts that appear to be from your security software, so that you think it is still installed and working properly.
Xylitol reports that it currently detects and uninstalls the following antivirus programs:
- Agava Firewall
- Avast
- Microsoft Security Essentials
- Kaspersky Internet Security 7
- Kaspersky Internet Security 2009
- Kaspersky Internet Security 2010
- Kaspersky Internet Security 2011
- Kaspersky Anti-virus 7
- Kaspersky Anti-virus 2009
- Kaspersky Anti-virus 2010
- Kaspersky Anti-virus 2011
- AVG Anti-Virus
- Microsoft Defender
- ESET NOD32 Antivirus
- ESET Smart Security
- Dr. Web
- Norton Antivirus
- Outpost Firewall
When I tested a sample of this malware, I installed a copy of Microsoft Security Essentials and then ran the infection. Once the malware started, it quickly displayed an alert with the message "System error! Access denied.", which was presumably meant to trick the user into thinking there had been a problem running the flash-player.exe program.
After some time, the computer rebooted and started in Windows Safe Mode. While in Safe Mode it proceeded to uninstall Microsoft Security Essentials and then rebooted back into normal mode. Once the computer had rebooted and I was logged in, it displayed an icon in the Windows taskbar that was the same as, or very similar to, the icon of the antivirus software that had previously been installed. When I clicked on the icon, it displayed the following image and text:
Microsoft Security Essentials
Enhanced Protection Mode
Microsoft Security Essentials operates under enhanced protection mode. This is a temporary measure necessary for immediate response to the threat from virus.
No action is required from you.
To further trick you into thinking that your antivirus program is running normally, it will also randomly display fake update messages stating that your program was updated. The text of this message will be similar to:
Microsoft Security Essentials
Release date of the anti-virus databases:
Your system is protected.
When examining the files that this malware installed, I found that it had installed three different legitimate Bitcoin miners called Phoenix, RPC, and UFA. Bitcoins are an online currency that currently has a monetary value of 13 USD per Bitcoin. Though these programs are legitimate, they are being used by the malware developer to generate, or mine, Bitcoins for the developer using your computer's CPU processing power. The program that pretends to be your antivirus software was installed as C:\WINDOWS\update.tray-14-0\svchost.exe, though this path may change per installation. This program also downloads a variety of other malware, such as the ZeroAccess rootkit. Last, but not least, the downloader also generates a variety of files in the C:\Windows folder, including:
- Various malware files - Named sysdriver32_.exe, sysdriver32.exe, and l1rezerv.exe. It also generates hidden folders named C:\Windows\update.[number] that contain more malware.
- unrar.exe - A legitimate unrar program used to extract the Bitcoin miners.
- phoenix.rar - A legitimate Bitcoin miner.
- ufa.rar - A legitimate Bitcoin miner.
- rpcminer.rar - A legitimate Bitcoin miner.
- geoiplist - A list that can be used to determine an infected computer's geographic location based on its IP address.
- proc_list1.log - A list of the processes running on the infected computer and their associated process IDs.
- iplist.txt - Xylitol states that this is a list of IP addresses of other infected computers. There were 766 IP addresses listed in this text file.
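The file names and paths listed above are the kind of host artifacts a responder can sweep for. The following script is an added example, not code from the write-up or from Xylitol: it takes a list of full paths (a directory snapshot, here a constructed sample) and flags the dropped files the article names in C:\Windows, anything inside a C:\Windows\update.[number] or update.tray-* folder (the "tray-14-0" suffix is assumed to vary per installation, as the article says the path may change), and any svchost.exe that does not live in System32 or SysWOW64, which is where a genuine copy belongs. The hypothetical dropper.exe in the sample listing is constructed to show that unknown files inside an update.* folder are still flagged.

```python
"""Offline IoC sweep for the Trojan.FakeAV.LVT artifacts named in the write-up.

Added example (not the article's code). It works on a list of full paths so it
can run against the constructed sample below; on a live Windows host you would
feed it the output of os.walk() instead.
"""
import re
from typing import Dict, List
from pathlib import PureWindowsPath

# File names the write-up reports being dropped directly into C:\Windows.
DROPPED_IN_WINDOWS_DIR = {
    "sysdriver32_.exe", "sysdriver32.exe", "l1rezerv.exe",  # malware executables
    "unrar.exe",                                            # legitimate tool, suspicious at this location
    "phoenix.rar", "ufa.rar", "rpcminer.rar",               # packed (legitimate) Bitcoin miners
    "geoiplist", "proc_list1.log", "iplist.txt",            # data files the infection writes
}

# C:\Windows\update.[number] folders and the update.tray-14-0 folder from the article.
# The numeric / tray suffix is ASSUMED to vary between installations.
UPDATE_DIR_RE = re.compile(r"^update\.(tray-[\w-]+|\d+)$", re.IGNORECASE)

# Directories in which a genuine svchost.exe lives on Windows.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed directory snapshot: the infected-host paths come from the article,
# the benign entries and dropper.exe are made up for the example.
SAMPLE_LISTING = [
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\svchost.exe",
    r"C:\Program Files\SomeVendor\app.exe",
    r"C:\Windows\sysdriver32_.exe",
    r"C:\Windows\sysdriver32.exe",
    r"C:\Windows\l1rezerv.exe",
    r"C:\Windows\unrar.exe",
    r"C:\Windows\phoenix.rar",
    r"C:\Windows\ufa.rar",
    r"C:\Windows\rpcminer.rar",
    r"C:\Windows\geoiplist",
    r"C:\Windows\proc_list1.log",
    r"C:\Windows\iplist.txt",
    r"C:\WINDOWS\update.tray-14-0\svchost.exe",
    r"C:\Windows\update.3\dropper.exe",  # hypothetical file inside a hidden update.[number] folder
]


def classify(path: str) -> List[str]:
    """Return the list of reasons a path is suspicious (empty list if none)."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent = str(p.parent).lower()
    grandparent = str(p.parent.parent).lower()
    reasons: List[str] = []

    # 1. Known dropped file sitting directly in C:\Windows (not in a subfolder).
    if parent == r"c:\windows" and name in DROPPED_IN_WINDOWS_DIR:
        reasons.append("known dropped file in C:\\Windows")

    # 2. Anything inside C:\Windows\update.[number] or C:\Windows\update.tray-*.
    if grandparent == r"c:\windows" and UPDATE_DIR_RE.match(p.parent.name):
        reasons.append("file inside C:\\Windows\\update.* folder")

    # 3. svchost.exe anywhere other than the real system directories.
    if name == "svchost.exe" and parent not in LEGIT_SVCHOST_DIRS:
        reasons.append("svchost.exe outside System32/SysWOW64")

    return reasons


def scan(listing: List[str]) -> Dict[str, List[str]]:
    """Map each flagged path to its reasons; clean paths are omitted."""
    return {path: reasons for path in listing if (reasons := classify(path))}


if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_LISTING).items():
        print(f"{path}\n    " + "; ".join(reasons))
```

The sweep is deliberately conservative: unrar.exe and the miner archives are legitimate software and are flagged only because of where they sit, so a hit on them is a reason to look, not proof of infection on its own. The svchost.exe rule is the most generally useful one, since a service-host binary outside System32/SysWOW64 is suspicious regardless of which family dropped it.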
Without a doubt this malware is a nasty piece of work, but it does introduce some interesting income-generation and self-protection methods used by the malware developer and their software. The infection itself, and its downloads, are by themselves not very difficult to remove. Unfortunately, though, it appears to bundle the ZeroAccess rootkit, which is much harder to remove. Running TDSSKiller may remove the driver portion of the rootkit, but not all of the infection, and thus you may be left with a machine that is only partially cleaned.
Therefore, it is recommended that, if you are infected with this malware, you ask for help in our Virus Removal forum to receive free one-on-one help in cleaning your machine. Furthermore, I have seen many virus removal blogs stating that all you need to do is run various programs such as Spyware Doctor, MalwareBytes, SuperAntiSpyware, Hitman Pro, etc. to clean your computer of this infection. Though these programs are all legitimate, the instructions given will not work, so please do not purchase anything in the hope of a one-shot fix to remove this infection and the ZeroAccess rootkit. It is for this reason that we are not writing a removal guide for this infection, as there is no easy and simple method to remove it all.
Thanks to Xylitol for the great writeup at his blog!