Let’s start with a harmless fakealert Trojan called Trojan.Fakealert.AAF. It drops two files, with random names, in the %windir%/system32 folder. One of them is a *.bmp file and the other a *.scr file. The first is used as a background image on the victim’s desktop, warning him of fake malware infections (see Img 1). The second one is the bluescreen screensaver joke from Sysinternals, meant to scare users and trick them into rebooting their computer in order to ensure the virus’s continued execution (because it sets itself to execute at every system startup).
Img 1: Fake infection warning image used to scare users and trick them into buying rogue antivirus software
The next e-threat we are going to look at is also a fakealert Trojan, actually a more advanced version of Trojan.Fakealert.AAF. Called Trojan.Fakealert.AAH by the BitDefender research lab, it downloads three files, unlike its predecessor. Two of them are the same bmp and scr files dropped by Trojan.Fakealert.AAF; the third, however, is an executable file, a copy of itself. It creates and runs a *.bat file which will delete the original copy and launch the one from %windir%/system32. Furthermore, this Trojan downloads a rogue antivirus program called
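The drop behaviour described for both variants (a randomly named .bmp and .scr written to system32, and for the AAH variant an .exe copy plus a .bat that deletes the original) is a pattern a defender can hunt for in file-activity telemetry. The following is an added example, not code from the original post or from BitDefender: it runs a simple correlation over a constructed list of file events. The event record layout, the file names and the process paths are all assumptions made up for the example; the 60-second pairing window is likewise an arbitrary choice.

```python
"""Hunt for the fakealert drop pattern in file-activity events (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ntpath

@dataclass(frozen=True)
class FileEvent:
    ts: datetime      # when the file operation happened
    action: str       # "create" or "delete"
    path: str         # file the operation applied to
    process: str      # image path of the process that performed it

SYSTEM32 = r"c:\windows\system32"   # assumed %windir%\system32 location

def _in_system32(path: str) -> bool:
    """True when the file sits directly in system32 (subfolders such as drivers\\ do not count)."""
    return ntpath.dirname(path).lower() == SYSTEM32

def _ext(path: str) -> str:
    return ntpath.splitext(path)[1].lower()

def find_fakealert_drops(events, window_seconds: int = 60):
    """Return one finding per process that wrote a .bmp and a .scr into system32
    within window_seconds of each other, enriched with the AAH-style markers:
    an .exe copy in system32, a .bat written by the same process, and a later
    delete of the dropper's own image (the self-delete done by the .bat)."""
    creates_by_proc = {}
    for ev in events:
        if ev.action == "create" and _in_system32(ev.path):
            creates_by_proc.setdefault(ev.process.lower(), []).append(ev)

    findings = []
    for dropper, creates in creates_by_proc.items():
        bmps = [e for e in creates if _ext(e.path) == ".bmp"]
        scrs = [e for e in creates if _ext(e.path) == ".scr"]
        pair = next(((b, s) for b in bmps for s in scrs
                     if abs((b.ts - s.ts).total_seconds()) <= window_seconds), None)
        if pair is None:
            continue   # a lone .bmp or .scr in system32 is not the pattern
        exes = [e.path for e in creates if _ext(e.path) == ".exe"]
        bats = [e.path for e in events
                if e.action == "create" and _ext(e.path) == ".bat"
                and e.process.lower() == dropper]
        self_deleted = any(e.action == "delete" and e.path.lower() == dropper
                           for e in events)
        findings.append({
            "dropper": dropper,
            "bmp": pair[0].path,
            "scr": pair[1].path,
            "exe_copies": exes,
            "bat_files": bats,
            "dropper_deleted": self_deleted,
            # a system32 copy of itself plus self-deletion is the AAH-style behaviour
            "variant": "AAH-like" if exes and self_deleted else "AAF-like",
        })
    return findings

# Constructed sample telemetry: an AAF-like dropper, an AAH-like dropper and benign noise.
T0 = datetime(2009, 3, 1, 10, 0, 0)
DROPPER_A = r"C:\Users\victim\Downloads\codec_update.exe"   # hypothetical
DROPPER_B = r"C:\Users\victim\AppData\Local\Temp\player.exe"  # hypothetical
SAMPLE_EVENTS = [
    FileEvent(T0 + timedelta(seconds=1), "create", r"C:\Windows\System32\kxq7.bmp", DROPPER_A),
    FileEvent(T0 + timedelta(seconds=2), "create", r"C:\Windows\System32\ptzd.scr", DROPPER_A),
    FileEvent(T0 + timedelta(seconds=60), "create", r"C:\Windows\System32\hjw3.bmp", DROPPER_B),
    FileEvent(T0 + timedelta(seconds=62), "create", r"C:\Windows\System32\qa9l.scr", DROPPER_B),
    FileEvent(T0 + timedelta(seconds=63), "create", r"C:\Windows\System32\wmxc.exe", DROPPER_B),
    FileEvent(T0 + timedelta(seconds=64), "create", r"C:\Users\victim\AppData\Local\Temp\del.bat", DROPPER_B),
    FileEvent(T0 + timedelta(seconds=65), "delete", DROPPER_B, r"C:\Windows\System32\cmd.exe"),
    # benign: a driver installer writing under system32\drivers and a lone screensaver install
    FileEvent(T0 + timedelta(seconds=120), "create", r"C:\Windows\System32\drivers\acme.sys", r"C:\Temp\setup.exe"),
    FileEvent(T0 + timedelta(seconds=121), "create", r"C:\Windows\System32\ssText3d.scr", r"C:\Windows\System32\msiexec.exe"),
]

if __name__ == "__main__":
    for finding in find_fakealert_drops(SAMPLE_EVENTS):
        print(finding)
```

Run stand-alone it reports two findings, one per dropper, and ignores the installer noise; in a real deployment the event list would come from Sysmon file-create events or an EDR's file telemetry rather than from the constructed list above.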