Trojan.FakeAV.LVT

A video on Facebook is used as vector of infection for a Trojan, the rogue AV component artfully mimics the antivirus you have installed on your system and the downloader adds the compromised PC to a network of infected systems that constantly exchange malware between them.

Exquisite spreading mechanism

Trojan.FakeAV.LVT takes social engineering to a whole new level.  The scenario is extremely complex and efficient: imagine a friend that initiates a conversation with you in a Facebook chat window. The dialogue seems a bit rigid and soon you are teased with questions such as "Hi. How are you?”, “It is you on the video?” or “Want to see?” that introduce a link to nothing else but a movie allegedly starring yourself. Classic you may say; and you wouldn’t be completely wrong. However, the juicy details are yet to come. 

First of all, you are shown a Youtube page with a movie that mentions your name in the title, which is, by the way correctly spelled, as it is taken directly from your Facebook profile. At this point, the video is probably gaining your full trust. On top of that, some of your friends (also taken from your Facebook account friends list) appear to have already commented the video, adding thus yet another huge plus to this crafty scam. In short, you have a movie that is allegedly about you and some friends’ comments that either worship you or appear to be utterly disappointed. Wouldn’t you care to see why?

Well, if the answer is yes, you will be requested to download a new version of Flash Player, because it appears that your version is “outdated”. This should ring a bell that something is “phishy”, but given the fact that it is a message you have seen quite a lot of times on the legit website, you might not even notice it. Once you click the link, you get immediately caught in a scenario that seems to be taken straight from science fiction movies, because what you download is an extremely insidious Trojan.

Act two: behind the closed curtains

While you think that you are downloading a Flash Player, you are in fact welcoming a Trojan on you PC that will shortly start wreaking havoc on your system. The malicious code hides under the innocent name and appearance of a Flash Player. It copies itself as %windir%services32.exe and as %windir%update.Xsvchost.exe, where update is a hidden directory and X is the version of the malware. After that, it adds a registry key in %SYSTEM% and the malicious code is added thus to the list of authorized applications for the firewall or it disables the firewall altogether.

Then it proceeds to disabling all notifications generated by the firewall, the update module and whatever antivirus it finds installed on the PC. Yes, you’ve got it right, it strips you off whatever protection you have in place.

Act three: the mutant, multi-faceted, rogue AV

One thing I find utterly disappointing with Rogue AV software is the fact that they fail to trick anyone but those who hardly spend any time in front of the computer. Trojan.FakeAV.LVT however has a rogue AV component that is indeed innovative. We all know that fake antivirus solutions trick users into downloading a product by showing alarmist pop-ups claiming that the PC is packed full with malware. This one takes things to a whole new level. It starts by displaying personalized warning message windows that are strikingly similar to the AV solution it finds installed on the system. Yes, it is a chameleon that has a copycat kit for all the important AV products on the market. It goes so far in that it initially determines the AV running on the machine and the interface language selected by you. It will afterwards use the captions, the icons and the messages consistent with the personalized settings of the installed AV.

In order to leave you totally unprotected, the Trojan displays a popup warning and kindly asks you to reboot the system in order to perform the clean-up. But, before that, it queues your antivirus for uninstallation, then uses the genuine Microsoft bcdedit.exe (command line tool for managing BCD (Boot Configuration Data) files) in order to instruct the system to boot in safe mode after restart.

The piece of malware will successfully start in safe mode, as it has created the following Registry key: "HKLMSYSTEMControlSet001ControlSafeBootAlternateShell = %windir%services32.exe". After it has successfully removed your antivirus, the Trojan uses bcdedit. exe again to execute the following: 'BCDEDIT /deletevalue safeboot /set safebootalternateshell false' and restart the computer in normal mode.

Alert window imitating a genuine product

Now that you have seen how good the “antivirus” is, you are also notified that qualified help could be provided in a couple of hours by a support specialist, if you send them your cell-phone number.

Act four: the tragic ending

The Trojan also packs under its hood a downloader component that fetches files from different URLs depending on the OS of the infected system. The systems running Windows Vista, for instance, will download files from a different location than those running XP. The downloaded file contains a list of IPs saved as %windir%front_ip_list.txt.

The malware contains a hardcoded list of IPs, as well. These are the IPs of other infected systems which will be used at exchanging malware between them, creating a fully-fledged malware distribution system with peer-to-peer update capabilities. These IP lists are changed regularly and so infected system are always in contact and constantly exchanging malicious code.

Conclusion

Cyber-crooks have given a new dimension to their operations. This carefully-planned “sting operation” hunts the Facebook user down, refers it to a popular video-sharing website where all their friends are laughing at a clip starring themselves, then forces them to download a Trojan. After that, the Trojan ensures that the user gets completely stripped off of their security solution, in order for the malware to take full control of the severely compromised system. What happens then surpasses any reasonable thinking: the computer is used by the cyber-crooks for a wide range of purposes that are constantly expanded through the use of malicious plug-ins. All these happen while you think that you’re completely safe and that nothing can happen to you.

This article is based on the technical information provided courtesy of Doina Cosovan and Răzvan Benchea, BitDefender VirusAnalysts.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.