This application requires Javascript for optimal performance.

W32/Fakealert.GIJ!tr - Released Mar 04, 2010 - Last Updated Mar 10, 2010

Alias/es

Trojan-Clicker.Win32.Vesloruki.drh (Kaspersky), FakeAlert-WwSec.c (McAfee), Adware/XPInternetSecurity2010 (Panda)

Visible Symptoms

  • The following file exists:

      %UserProfile%\Local Settings\Application Data\av.exe

  • It deletes itself from the current directory.

  • Possible firewall alert that an executable program attempts to connect to the Internet.

Detailed Analysis

This detection is for a rogue anti-spyware called Antivirus XP 2010 or XP Internet Security 2010. It imitates scanning the system for malwares and wrongly reports active malware detection. It deceives us to register or purchase the full version because only a registered copy offers a full range of features, including removing the reported malwares.


  • It creates a copy of itself as %UserProfile%\Local Settings\Application Data\av.exe

  • It adds the following registry entries:
    • key: HKCU\Software\Classes\.exe
    • value: (Default)
    • data: secfile
    • key: HKCU\Software\Classes\secfile\shell\open\command
    • value: (Default)
    • data: "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
  • It modifies the following registry:
    • key: HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
    • value: (Default)
    • data: "%UserProfile%\Local Settings\Application Data\av.exe" /START "%Program Files%\Internet Explorer\iexplore.exe"
    • key: HKCU\Software\Classes\.exe\shell\open\command
    • value: (Default)
    • data: "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
    • key: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
    • value: Start
    • data: dword:4
    • key: HKLM\SOFTWARE\Microsoft\Security Center
    • value: AntiVirusDisableNotify; AntiVirusOverride; FirewallDisableNotify; FirewallOverride; UpdatesDisableNotify
    • data: dword:1

    Recommended Action

      FortiGate Systems

    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

      FortiClient Systems

    • Quarantine/delete files that are detected and replace infected files with clean backup copies.

    Reference: ID - 1612010