Back in August 2009 we added a rogue called Win32/FakeRean to the list of families removed by MSRT. At the time, I wrote about how it used several different names, like Home Antivirus 2010 and PC Antispyware 2010, which all looked pretty much the same. This is a trick used by most modern rogues; I covered it in some detail in my presentation at Virus Bulletin conference last September.
Alongside the use of different names, we’ve seen some rogues introduce different versions for different operating systems. FakeRean now uses individual names and looks for Windows XP, Windows Vista and Windows 7; however, rather than distribute multiple versions for each of these three platforms, FakeRean’s creators have taken an all-in-one approach.
The latest version of FakeRean chooses randomly from a list of 11 names each time it is installed. It then inserts a string into the name that is dependent on which version of Windows it is running on. The result is that a single version of the rogue can use any one of 33 different names:
| Platform: Windows 7 | Platform: Windows Vista | Platform: Windows XP |
|---|---|---|
| Win 7 Internet Security 2010 | Vista Internet Security 2010 | XP Internet Security 2010 |
| Win 7 Internet Security | Vista Internet Security | XP Internet Security |
| Win 7 Antivirus Pro 2010 | Vista Antivirus Pro 2010 | XP Antivirus Pro 2010 |
| Win 7 Antivirus Pro | Vista Antivirus Pro | XP Antivirus Pro |
| Win 7 Antivirus 2010 | Vista Antivirus 2010 | XP Antivirus 2010 |
| Win 7 Antivirus | Vista Antivirus | XP Antivirus |
| Win 7 Defender 2010 | Vista Defender 2010 | XP Defender 2010 |
| Win 7 Guardian | Vista Guardian | XP Guardian |
| Win 7 Guardian 2010 | Vista Guardian 2010 | XP Guardian 2010 |
| Antivirus Win 7 2010 | Antivirus Vista 2010 | Antivirus XP 2010 |
| Win 7 Antispyware 2010 | Vista Antispyware 2010 | XP Antispyware 2010 |
Along with each name comes a slightly different user interface to match, but for the most part they are very similar. Here is the fake scanner on Windows XP:
This is what it looks like on Windows 7:
The exception is when it comes to interface elements that imitate parts of the operating system. On Windows XP, for example, FakeRean displays an imitation of Windows XP’s Security Center:
When running on Windows 7, it displays a fake copy of the Action Center:
(Note that the above screenshots and the list of names are all from one sample of FakeRean, SHA1: 4fbd83a86dbefa058f3f33c4b950159b8882635a).
This is another example of the increasing sophistication of this type of malware. FakeRean has also introduced another way of ensuring it is automatically started: it modifies the registry to associate .exe files with its own executable, so the rogue is run whenever any program is launched. Unlike other rogues, such as Win32/FakeScanti, it doesn't use this technique only to block other programs from running; if the rogue is removed without restoring the registry, .exe files can no longer be run at all. The .exe file extension needs to be re-associated in order to restore normal functionality. Please see our encyclopedia entry for further detail.
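As an added example that is not from the post or from any MMPC tool, the script below audits the .exe association the rogue tampers with and, when run with -Repair, puts the Windows default back. It assumes the standard defaults (HKCR\.exe pointing at "exefile" and HKCR\exefile\shell\open\command set to `"%1" %*`) and an elevated PowerShell session; the HKCU key name is the standard per-user class location, checked because it overrides the machine-wide one.

```powershell
# Added example (not from the MMPC post): check the .exe file association and,
# with -Repair, restore the assumed Windows defaults.
# Run from an elevated PowerShell; writing under HKCR needs administrator rights.
param([switch]$Repair)

$defaultOpen = '"%1" %*'   # default "open" verb: run the file itself with its arguments
$checks = @(
    @{ Key = 'Registry::HKEY_CLASSES_ROOT\.exe';                       Expected = 'exefile';    MustExist = $true  },
    @{ Key = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'; Expected = $defaultOpen; MustExist = $true  },
    # A per-user class registration takes precedence over HKCR for that account, so check it too.
    @{ Key = 'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command'; Expected = $defaultOpen; MustExist = $false }
)

$problems = 0
foreach ($c in $checks) {
    if (-not (Test-Path -LiteralPath $c.Key)) {
        if ($c.MustExist) { Write-Warning "Missing key: $($c.Key)"; $problems++ }
        continue
    }
    $actual = (Get-ItemProperty -LiteralPath $c.Key).'(default)'
    if ($actual -eq $c.Expected) {
        Write-Host "OK         $($c.Key) = $actual"
        continue
    }
    # Anything other than the default means every .exe launch goes through another program first.
    $problems++
    Write-Warning "UNEXPECTED $($c.Key) = '$actual' (expected '$($c.Expected)')"
    if ($Repair) {
        Set-ItemProperty -LiteralPath $c.Key -Name '(default)' -Value $c.Expected
        Write-Host "Restored   $($c.Key)"
    }
}

if ($problems -eq 0)     { 'No .exe association problems found.' }
elseif (-not $Repair)    { 'Re-run with -Repair to restore the defaults once the rogue has been removed.' }
```

Restore the association only after the rogue's executable has been removed; otherwise the next program launch will simply re-run it.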