Welcome to the Free Computer Help and Technical Support Forum.
  1. #1
    Administrator
    Join Date
    May 2007
    Location
    NYC
    Posts
    628

    Rogue:Win32/FakeRean

    Aliases

    Antispyware Vista (other)
    Antispyware Win 7 (other)
    Antispyware XP (other)
    AntiSpyware XP 2009 (other)
    Antivirus Pro 2010 (other)
    Antivirus Vista (other)
    Antivirus Vista 2010 (other)
    Antivirus Win 7 (other)
    Antivirus Win 7 2010 (other)
    Antivirus XP (other)
    Antivirus XP 2010 (other)
    Desktop Defender 2010 (other)
    Desktop Security 2010 (other)
    Home Antivirus 2010 (other)
    PC Antispyware 2010 (other)
    PC Security 2009 (other)
    Security Central (other)
    Security Solution 2011 (other)
    Total PC Defender (other)
    Total PC Defender 2010 (other)
    Total Vista Security (other)
    Total Win 7 Security (other)
    Total XP Security (other)
    Vista AntiMalware (other)
    Vista AntiMalware 2010 (other)
    Vista Antispyware 2010 (other)
    Vista Antivirus (other)
    Vista Antivirus 2010 (other)
    Vista Antivirus Pro (other)
    Vista Antivirus Pro 2010 (other)
    Vista Defender (other)
    Vista Defender 2010 (other)
    Vista Defender Pro (other)
    Vista Guardian (other)
    Vista Guardian 2010 (other)
    Vista Internet Security (other)
    Vista Internet Security 2010 (other)
    Vista Security (other)
    Vista Security Tool (other)
    Vista Security Tool 2010 (other)
    Vista Smart Security (other)
    Vista Smart Security 2010 (other)
    Win 7 AntiMalware (other)
    Win 7 AntiMalware 2010 (other)
    Win 7 Antispyware 2010 (other)
    Win 7 Antivirus (other)
    Win 7 Antivirus 2010 (other)
    Win 7 Antivirus Pro (other)
    Win 7 Antivirus Pro 2010 (other)
    Win 7 Defender (other)
    Win 7 Defender 2010 (other)
    Win 7 Defender Pro (other)
    Win 7 Guardian (other)
    Win 7 Guardian 2010 (other)
    Win 7 Internet Security (other)
    Win 7 Internet Security 2010 (other)
    Win 7 Security (other)
    Win 7 Security Tool (other)
    Win 7 Security Tool 2010 (other)
    Win 7 Smart Security (other)
    Win 7 Smart Security 2010 (other)
    XP AntiMalware (other)
    XP AntiMalware 2010 (other)
    XP AntiSpyware 2009 (other)
    XP Antispyware 2010 (other)
    XP Antivirus 2010 (other)
    XP Antivirus Pro (other)
    XP Antivirus Pro 2010 (other)
    XP Defender (other)
    XP Defender 2010 (other)
    XP Defender Pro (other)
    XP Guardian (other)
    XP Guardian 2010 (other)
    XP Internet Security (other)
    XP Internet Security 2010 (other)
    XP Police Antivirus (other)
    XP Security (other)
    XP Security Center (other)
    XP Security Tool (other)
    XP Security Tool 2010 (other)
    XP Smart Security (other)
    XP Smart Security 2010 (other)
    Smart Security 2010 (other)
    Win 7 Security Center (other)
    XP Defender Pro 2010 (other)
    AntiVirus Studio 2010 (other)
    Trojan:Win32/FakeRean (Microsoft)
    Win32/FakeRean (Microsoft)
    Spyware Protection (other)
    Vista Antispyware 2011 (other)
    Vista Antivirus 2011 (other)
    Vista Home Security 2011 (other)
    Vista Security 2011 (other)
    Vista Total Security 2011 (other)
    Win 7 Home Security 2011 (other)
    Win 7 Total Security 2011 (other)
    XP Antispyware 2011 (other)
    XP Antivirus 2011 (other)
    XP Home Security 2011 (other)
    XP Security 2011 (other)
    XP Total Security 2011 (other)
    Vista Anti-Spyware (other)
    Vista Anti-Spyware 2011 (other)
    Vista Anti-Virus 2011 (other)
    Vista Home Security (other)
    Vista Internet Security 2011 (other)
    Vista Total Security (other)
    Win 7 Anti-Spyware (other)
    Win 7 Anti-Spyware 2011 (other)
    Win 7 Anti-Virus 2011 (other)
    Win 7 Home Security (other)
    Win 7 Internet Security 2011 (other)
    Win 7 Security 2011 (other)
    Win 7 Total Security (other)
    XP Anti-Spyware (other)
    XP Anti-Spyware 2011 (other)
    XP Anti-Virus 2011 (other)
    XP Home Security (other)
    XP Total Security (other)
    Support Desk Manager / Programmer / Software Developer

    Follow Techie-Gurus on Facebook, http://www.facebook.com/techiegurus

  2. #2
    Administrator
    Join Date
    May 2007
    Location
    NYC
    Posts
    628


    Symptoms

    Symptoms vary among different distributions of Win32/FakeRean; however, the presence of the following system changes (or similar) may indicate the presence of this program:
    Presence of the following files, for example:
    Binaries1.cab
    Binaries2.cab
    Binaries3.cab
    %Program Files%\XP_AntiSpyware\AVEngn.dll
    %Program Files%\XP_AntiSpyware\htmlayout.dll
    %Program Files%\XP_AntiSpyware\pthreadVC2.dll
    %Program Files%\XP_AntiSpyware\Uninstall.exe
    %Program Files%\XP_AntiSpyware\wscui.cpl
    %Program Files%\XP_AntiSpyware\XP_Antispyware.cfg
    %Program Files%\XP_AntiSpyware\XP_AntiSpyware.exe
    %Program Files%\XP_AntiSpyware\data\daily.cvd
    %Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
    %Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\msvcm80.dll
    %Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\msvcp80.dll
    %Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\msvcr80.dll
    Presence of the following registry modifications:
    Key: HKCU\Control Panel\don't load
    Value: scui.cpl
    Data: "No"
    Value: wscui.cpl
    Data: "No"

    Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    Value: ForceClassicControlPanel
    Data: 0x1

    Key: HKLM\SOFTWARE\Microsoft\Security Center
    Value: AntiVirusDisableNotify
    Data: 0x1
    Value: FirewallDisableNotify
    Data: 0x1
    Value: UpdatesDisableNotify
    Data: 0x1

    Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XP_AntiSpyware\
    Value: DisplayName
    Data: "XP Antispyware 2009"
    Value: UninstallString
    Data: "%Program Files%\XP_AntiSpyware\Uninstall.exe"

    Key: HKLM\Software\XP_Antispyware
    Value: info
    Data: ""

    To subkey: HKCU\Software\Classes\.exe
    Sets value: "(Default)"
    With data: "secfile"

    To subkey: HKCU\Software\Classes\.exe
    Sets value: "Content Type"
    With data: "application/x-msdownload"

    To subkey: HKCU\Software\Classes\.exe\DefaultIcon
    Sets value: "(Default)"
    With data: "%1"

    To subkey: HKCU\Software\Classes\.exe\shell\open\command
    Sets value: "(Default)"
    With data: "C:\Documents and Settings\Administrator\Local Settings\Application Data\av.exe" /START "%1" %*"

    To subkey: HKCU\Software\Classes\.exe\shell\open\command
    Sets value: "(Default)"
    With data: "C:\Documents and Settings\Administrator\Local Settings\Application Data\av.exe" /START "%1" %*"

    To subkey: HKCU\Software\Classes\.exe\shell\open\command
    Sets value: "IsolatedCommand"
    With data: ""%1" %*"

    To subkey: HKCU\Software\Classes\.exe\shell\runas\command
    Sets value: "(Default)"
    With data: ""%1" %*"

    To subkey: HKCU\Software\Classes\.exe\shell\runas\command
    Sets value: "IsolatedCommand"
    With data: ""%1" %*"

    To subkey: HKCU\Software\Classes\.exe\shell\start\command
    Sets value: "(Default)"
    With data: ""%1" %*"

    To subkey: HKCU\Software\Classes\.exe\shell\start\command
    Sets value: "IsolatedCommand"
    With data: ""%1" %*"

    To subkey: HKCU\Software\Classes\secfile
    Sets value: "(Default)"
    With data: "Application"

    To subkey: HKCU\Software\Classes\secfile
    Sets value: "Content Type"
    With data: "application/x-msdownload"

    To subkey: HKCU\Software\Classes\secfile\DefaultIcon
    Sets value: "(Default)"
    With data: "%1"

    To subkey: HKCU\Software\Classes\secfile\shell\open\command
    Sets value: "(Default)"
    With data: ""C:\Documents and Settings\Administrator\Local Settings\Application Data\av.exe" /START "%1" %*"

    To subkey: HKCU\Software\Classes\secfile\shell\open\command
    Sets value: "IsolatedCommand"
    With data: ""%1" %*"

    To subkey: HKCU\Software\Classes\secfile\shell\runas\command
    Sets value: "(Default)"
    With data: ""%1" %*"

    To subkey: HKCU\Software\Classes\secfile\shell\runas\command
    Sets value: "IsolatedCommand"
    With data: ""%1" %*"

    To subkey: HKCU\Software\Classes\secfile\shell\start\command
    Sets value: "(Default)"
    With data: ""%1" %*"

    To subkey: HKCU\Software\Classes\secfile\shell\start\command
    Sets value: "IsolatedCommand"
    With data: ""%1" %*"
    Presence of the following shortcuts:
    %Start menu%\Programs\XP_AntiSpyware\XP_AntiSpyware.lnk
    %Start menu%\Programs\XP_AntiSpyware\Uninstall.lnk
    %Desktop%\XP_AntiSpyware.lnk
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\XP_AntiSpyware.lnk
    Display of the following dialogs, icons, warnings, pop-ups, etc, or similar:
    Support Desk Manager / Programmer / Software Developer

    Follow Techie-Gurus on Facebook, http://www.facebook.com/techiegurus
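
The registry symptoms listed in post #2 can be checked offline against a registry export. The following is an added example, not part of the original posts: it parses `reg export` text and flags the per-user `.exe` association redirect, a launch handler that runs something other than the clicked file, and muted Security Center notifications. The function names, indicator labels and sample export are constructed for illustration.

```python
import re
# Constructed `reg export` text, modelled on the values listed in the post.
SAMPLE = r'''
[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"
[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
@="\"C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\av.exe\" /START \"%1\" %*"
[HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000000
'''
CLASSES = "hkey_current_user\\software\\classes\\"
SECCENTER = "hkey_local_machine\\software\\microsoft\\security center"
PASSTHROUGH = '"%1" %*'  # stock exefile command: launch the clicked file itself

def parse_reg(text):
    """Return {lowercased key: {lowercased value name: data}}; '@' is (Default)."""
    keys, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1].lower(), {})
        elif cur is not None and (m := re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)):
            name, data = m.group(1).strip('"').lower(), m.group(2)
            if data.startswith("dword:"):
                data = int(data[6:], 16)
            elif data.startswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \" and \\ escapes
            cur[name] = data
    return keys

def find_indicators(text):
    keys, hits = parse_reg(text), []
    # 1. Per-user .exe association pointing at a ProgID other than the stock "exefile".
    progid = keys.get(CLASSES + ".exe", {}).get("@", "")
    if progid and progid.lower() != "exefile":
        hits.append(("exe-progid-redirect", progid))
    # 2. A launch verb on .exe or that ProgID that runs something before the target.
    for cls in sorted({".exe", progid.lower()} - {""}):
        for verb in ("open", "runas", "start"):
            cmd = keys.get(f"{CLASSES}{cls}\\shell\\{verb}\\command", {}).get("@")
            if cmd is not None and cmd != PASSTHROUGH:
                hits.append((f"{cls}-{verb}-handler", cmd))
    # 3. Security Center notifications switched off (the *DisableNotify values).
    for name, data in keys.get(SECCENTER, {}).items():
        if name.endswith("disablenotify") and data == 1:
            hits.append(("security-center-muted", name))
    return hits
```

Files written by `reg export` are UTF-16, so read them with `encoding="utf-16"` before passing the text to `find_indicators`.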

  3. #3
    Techie-Gurus.com Newbie
    Join Date
    Oct 2011
    Posts
    11


    good information !


 
