SonicWall Security Center
Share: Linkedin Share Facebook Like
Back to SonicALERT

Fake Desktop Utilities on the rise (June 8, 2011)


SonicWALL UTM Research team has observed a rise in fake desktop utility malware in the wild. A new fake windows recovery malware is making the rounds through drive-by downloads. We have observed other variants before but this variant employs some new tactics such as disabling the task manager, hiding user programs and files by modifying file attributes, hiding start menu items and disabling multiple operating system features.

As seen in the past with other fake utilities, it attempts to scare the user with fake errors and tries to convince the user to buy the product in order to fix those errors. It uses a fake icon and file name to masquerade as a legitimate file as seen below:


It performs the following activities:

  • It creates a copy of itself in the following location
    • AppData%\uaaiHfWFhq.exe
  • It reports new infection to a remote server
    • GET /404.php?type=stats&affid=508&subid=new02&awok HTTP/1.1
  • It creates the following registry entry to ensure infection on reboot
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\uaaiHfWFhq:"%AppData%\uaaiHfWFhq.exe"
  • It executes the following commands in the background to modify the file attributes to be hidden
    • attrib +h "C:\DocumentsandSettings\AllUsers\StartMenu\*.*"
    • attrib +h "C:\DocumentsandSettings\Administrator\*.*"
    • attrib +h "C:\*.*"
  • It moves contents of start menu from "All Users\Start Menu\Programs" to "%Temp%\smtmp\1"
  • It modifies the following registry values to disable various features
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
      - Disables the task manager
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
      - Disables viewing of protected operating system files
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
      - Disables viewing of hidden files
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop
      - Hides desktop icons
    • HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Download\CheckExeSignatures
      - Disables warning for downloaded software from untrusted publishers
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation
      - Disables preservation of zone information in downloaded and attached files

Here are some screenshots of the fake utility in action:

It generates fake warnings:


It simulates a scan and displays fake error messages:



If the user proceeds to buy the advanced module it displays the following screen asking for credit card and personal information:


SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: FakeSysdef (Trojan)
  • GAV: FakeSysdef.A (Trojan)
  • GAV: Fakesysdef.BDA (Trojan)
  • GAV: Fakesysdef.BDB (Trojan)
  • GAV: Fakesysdef.BDC (Trojan)
  • GAV: Fakesysdef.BDD_2 (Trojan)
  • GAV: Fakesysdef.BDE (Trojan)
  • GAV: Dapato.AR (Trojan)
  • GAV: Dapato.D (Trojan)

Back to top

Back to SonicALERT

Follow: Follow us on Facebook Follow us on Twitter Join the Conversation
© 2020 SonicWall | Privacy Policy | Conditions for use | Feedback | Live Demo | SonicALERT | Document Library | Report Issues
Version: 15.3 | S1MSW03