When rogue security software uses multiple different names for itself, it's not especially noteworthy. In the past we have seen rogues that changed their names almost every day, and even a single rogue executable that could use one of 33 different names for itself.
After several months of calling themselves "Antivirus 8", recent variants of Rogue:Win32/FakeXPA have begun going by the name of "AVG Antivirus 2011."
This is not to be confused with the legitimate antivirus product from AVG – we’ve reached out to AVG, and they are aware the rogue is using their brand. FakeXPA's developers are hoping you will confuse it with the real AVG though, as they've even gone to the extent of borrowing AVG's logo for their own user interface.
The change of name and user interface caused us to examine this variant’s behavior in more detail, and update the description in our malware encyclopedia accordingly. While this behavior was common to most FakeXPA variants over quite a long time, it did come up with a method of interfering with the user's web browsing that I hadn't seen before. I'll talk about this more later.
As usual, the rogue bombards the user with a bewildering assortment of dialogs, popups, and balloons, such as those shown below. You can see more examples in the AVG Antivirus 2011 description.
Of course the desired outcome of all this is to intimidate, socially engineer, or just wear down, the user into paying money to make all these problems go away.
Rogues often attempt to hijack users' web browsing experience. This has the dual effect of both helping convince users that their systems are infected, and preventing them from accessing resources that might help them clean up their rogue problem. SmartScreen, available for IE8 and IE9, can often block the initial infection vector by blocking the compromised site. In the past, other rogues, including earlier variants of FakeXPA, have generally used DLLs, such as Browser Helper Objects or Netscape plugins, to interact with users' browsers. These new FakeXPA variants attempt to bypass the user's choice of browser altogether.
When it is first installed, FakeXPA places a copy of itself named iesafemode.exe into the system directory.
It then creates a registry entry to set iesafemode.exe as the debugger for a number of common web browsers, including Internet Explorer, Firefox, Opera, Chrome, and Safari. This registry entry is normally used by software debuggers. Its effect is that when a user attempts to run the program in question, a copy of the debugger will be launched instead, with the name of the program to be run passed to the debugger as a command line parameter. This allows the debugger to launch the program in question and begin debugging it.
However, in this case the registry entry does not point to a software debugger, but instead to the copy of the malware. So when a user attempts to launch any of these browsers, a copy of the malware will be run instead. Renaming the browser’s executable and running this instead allows it to be launched without interference from the malware.
When the malware is launched in this manner, it does not attempt to run the browser executable in question. Instead it displays its own version of a web browser. However, in this case the registry entry does not point to a software debugger, but instead to the copy of the malware. So when a user attempts to run iexplore.exe, a copy of the malware will be run instead.
When the malware is launched in this manner, it does not attempt to run the browser executable in question. Instead it displays its own version of a web browser.
It displays the following interface when it is first launched, where it pretends to be in "Emergency Mode" (note, there is no such thing as ‘Internet Explorer Emergency Mode’):
When the user visits a web page using this interface, it may be downloaded and rendered using the Internet Explorer libraries. But if the user attempts to visit a site that has been blacklisted by FakeXPA, such as a security-related site, it will display the following instead:
Notice how it changes the content of the address bar in an attempt to mislead the user into believing that the site had been blacklisted by Microsoft.
If you're in doubt about whether your antivirus solution is legitimate software or a fake, you can find links to the websites of many reputable antivirus vendors at http://www.microsoft.com/windows/antivirus-partners/. Microsoft Security Essentials detects and removes this threat – you can get it from http://www.microsoft.com/security_essentials. It offers comprehensive malware protection, it's free for genuine Windows users, and it won't bug you all the time.
--David Wood, MMPC