Win32/FakeRean is 33 rogues in 1

Back in August 2009 we added a rogue called Win32/FakeRean to the list of families removed by MSRT. At the time, I wrote about how it used several different names, like Home Antivirus 2010 and PC Antispyware 2010, which all looked pretty much the same. This is a trick used by most modern rogues; I covered it in some detail in my presentation at Virus Bulletin conference last September.
Alongside the use of different names, we've seen some rogues introduce different versions for different operating systems. FakeRean now uses individual names and looks for Windows XP, Windows Vista and Windows 7; however, rather than distribute multiple versions for each of these three platforms, FakeRean's creators have taken an all-in-one approach.
The latest version of FakeRean chooses randomly from a list of 11 names each time it is installed. It then inserts a string into the name that is dependant on which version of Windows it is running on. The result is that a single version of the rogue can use any one of 33 different names:

Platform: Windows 7 Platform: WIndows Vista Platform: Windows XP
Win 7 Internet Security 2010 Vista Internet Security 2010 XP Internet Security 2010
Win 7 Internet Security Vista Internet Security XP Internet Security
Win 7 Antivirus Pro 2010 Vista Antivirus Pro 2010 XP Antivirus Pro 2010
Win 7 Antivirus Pro Vista Antivirus Pro XP Antivirus Pro
Win 7 Antivirus 2010 Vista Antivirus 2010 XP Antivirus 2010
Win 7 Antivirus Vista Antivirus XP Antivirus
Win 7 Defender 2010 Vista Defender 2010 XP Defender 2010
Win 7 Guardian Vista Guardian XP Guardian
Win 7 Guardian 2010 Vista Guardian 2010 XP Guardian 2010
Antivirus Win 7 2010 Antivirus Vista 2010 Antivirus XP 2010
Win 7 Antispyware 2010 Vista Antispyware 2010 XP Antispyware 2010


Along with each name comes a slightly different user interface to match, but for the most part they are very similar. Here is the fake scanner on Windows XP:

Fake scanner displayed by Win32/FakeRean on XP systems

This is what it looks like on Windows 7:

Fake scanner displayed by Win32/FakeRean on Windows 7 systems 

The exception is when it comes to interface elements that imitate parts of the operating system. On Windows XP, for example, FakeRean displays an imitation of Windows XP's Security Center:

Fake Windows Security Center displayed by Win32/FakeRean on systems running Windows XP 

 When running on Windows 7, it displays a fake copy of the Action Center:

Fake action center displayed by Win32/FakeRean on systems running Windows 7 

(Note that the above screenshots and the list of names are all from one sample of FakeRean, SHA1: 4fbd83a86dbefa058f3f33c4b950159b8882635a).
This is another example of the increasing sophistication of this type of malware. FakeRean has also introduced another way of ensuring it is automatically started. It modifies the registry to associate .exe files with its own executable, so the rogue is run whenever any program is launched. Unlike other rogues, such as Win32/FakeScanti, it doesn't just use this technique to block other programs from running, but if the rogue is removed without restoring the registry then .exe files can no longer be run. The EXE file extension needs to be re-associated in order to restore normal functionality. Please see our encyclopedia entry for further detail.
-Hamish O'Dea

Comments (0)

Skip to main content