The Stubborn Rogue

Rogue antivirus and antispyware utilities have been around for a while, but the cyber-criminals behind this prolific business do not cease to upgrade their weapons.

Trojan.Fakealert.CAWis the latest of its kind. The 1,164 KB package is extremely large for an average piece of malware, but it surely does not want to go unnoticed. After deployment, this rogue AV utility creates its own folder in “%systemdrive%Documents and Settings All UsersApplication Data” and remains it using an 8-digit random string. In this folder, Trojan.Fakealert.CAW creates a copy of itself under the same random name, as well as a batch file which runs the newly created copy with the “install” parameter. Afterwards, both the original and the batch files are deleted.

Upon successfully infecting the system, the malware starts popping up alerts informing the user about the installation of the “Security Tool”, creates shortcuts on the desktop, start-menu and tray icon, sets  itself to automatically start-up by creating a new entry in the registry under the key “HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun” with its file path as value.

Installing trojan

It would also start doing its magic: the user is informed that the computer is infected with various types of malware, and he/she needs to purchase the full version of Security Tool to start the cleanup process. In order to make things look worse, different warning messages are displayed.

Main Screen Rogue AV

After a thorough scan, the (rogue) antivirus Security Tool will ask the user to restart, which would only continue the damage spree by hiding desktop items and closing almost all applications the user tries to access. More than that, if the user opens an internet browser, firewall alerts will also be popping out.

Fake Firewall alert

The charade goes on: a screensaver displaying a false “blue-screen” forcing a shut-down, all for the purpose of scaring the user into buying a Rogue AV.

Alert Kill

Aside from the Rogue AV component, Trojan.Fakealert.CAW has a spyware feature, which attempts to send information about the infected machine to a remote server.


Information in this article is available courtesy of BitDefender virusresearcher George Cabău.

About the author


A blend of teacher and technical journalist with a pinch of e-threat analysis, Loredana Botezatu writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair. Loredana has been writing about the IT world and e-security for well over five years and has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.