W32/FakeAlert.EI!tr

Alias/es: McAfee: FakeAlert-EI trojan, Sophos: Troj/Agent-KGL
Release Date: Jun 15, 2009
Detection Availability
Active Database | Extended Database
FortiGate: low, high
FortiClient
FortiMail: N/A
Current Antivirus Definition Database Version: 12.202
Description

Visible Symptoms

  • The following file exists:
    • %SYSTEM%\sfcfiles.dat

Detailed Analysis

W32/FakeAlert.EI!tr is classified as a trojan.

Trojans have capabilities such as remote access connection handling, performing Denial of Service (DoS) or Distributed DoS (DDoS) attacks, capturing keyboard input, deleting files or objects, or terminating processes.

  • It drops the following files:
    • %SYSTEM%\sfcfiles.dat
  • It adds the following registry entries:
    • key: HKLM\SYSTEM\CurrentControlSet\Services\sfc
    • value: Type, Enum
    • key: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SFC
    • value: Service, Class, ActiveService
    • data: sfc, LegacyDriver, sfc
  • It registers itself as a Windows service.

Description Last Updated Date: Jun 23, 2009
Reference: ID - 889967