
W32/FakeAlert.EI!tr - Released Jun 15, 2009 - Last Updated Jun 23, 2009

Alias/es

McAfee: FakeAlert-EI trojan, Sophos: Troj/Agent-KGL

Detection Availability

Active Database | Extended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms

  • The following file exists:
    • %SYSTEM%\sfcfiles.dat

Detailed Analysis

W32/FakeAlert.EI!tr is classified as a trojan.

Trojans have capabilities such as remote access connection handling, performing Denial of Service (DoS) or Distributed DoS (DDoS) attacks, capturing keyboard input, deleting files or objects, or terminating processes.


  • It drops the following files:
    • %SYSTEM%\sfcfiles.dat
  • It adds the following registry keys and values:
    • key: HKLM\SYSTEM\CurrentControlSet\Services\sfc
    • value: Type, Enum
    • key: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SFC
    • value: Service, Class, ActiveService
    • data: sfc, LegacyDriver, sfc
  • It registers itself as a Windows service.
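The indicators above can be checked offline against a registry export and a directory listing. The following Python is an added example, not part of the FortiGuard entry; it assumes %SYSTEM% expands to C:\Windows\System32, and the .reg fragment and file list it runs on are constructed sample input.

```python
import re
# Indicators copied from this entry. %SYSTEM% is assumed to expand to
# C:\Windows\System32 (an assumption for the example; the page does not say).
DROPPED_FILE = r"%SYSTEM%\sfcfiles.dat".replace("%SYSTEM%", r"C:\Windows\System32")
REGISTRY_INDICATORS = {
    r"HKLM\SYSTEM\CurrentControlSet\Services\sfc": {"Type", "Enum"},
    r"HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SFC": {"Service", "Class", "ActiveService"},
}

def parse_reg_export(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into {key: {value_name: data}}.
    Keys and names are lower-cased (the registry is case-insensitive) and the hive is
    shortened to HKLM so paths compare equal to the form used in the entry above."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:  # start of a new key section, e.g. [HKEY_LOCAL_MACHINE\SYSTEM\...]
            current = m.group(1).replace("HKEY_LOCAL_MACHINE", "HKLM", 1).lower()
            keys[current] = {}
        elif current is not None and "=" in line:  # "name"=data inside the current key
            name, _, data = line.partition("=")
            keys[current][name.strip().strip('"').lower()] = data.strip()
    return keys

def match_indicators(reg_text, file_listing):
    """Return the indicators from this entry found in the export and the file listing."""
    hits = []
    if DROPPED_FILE.lower() in {p.lower() for p in file_listing}:
        hits.append("file:" + DROPPED_FILE)
    reg = parse_reg_export(reg_text)
    for key, value_names in REGISTRY_INDICATORS.items():
        present = reg.get(key.lower(), {})
        hits.extend(f"reg:{key}\\{n}" for n in sorted(value_names) if n.lower() in present)
    return hits

# Constructed sample input resembling an infected host; the data values are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sfc]
"Type"=dword:00000001
"Enum"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SFC]
"Service"="sfc"
"Class"="LegacyDriver"
"ActiveService"="sfc"
"""
SAMPLE_FILES = [r"C:\Windows\System32\sfcfiles.dat", r"C:\Windows\System32\kernel32.dll"]
```

Running `match_indicators(SAMPLE_REG, SAMPLE_FILES)` reports the dropped file and all five registry values; a clean export and listing return an empty list.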

Recommended Action

FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

    Reference: ID - 889967