Win32:Fasec
Win32:Fasec is a stealing trojan horse
| Summary | |
|---|---|
| Type | Trojan horse, rogue anti-malware |
| Aliases | W32/FakeAlert, Downloader.Zlob, Trojan.Win32.DNSChanger, Trojan.FakeAV |
| Platform | Windows |
| Known locations | *:\resycled, %WINDIR%\system32 |
Description:
Win32:Fasec is a trojan horse that spreads by posing as an anti-malware product or as some attractive piece of warez (keygens for well-known products). It has its own complex domain system and also uses public download services such as RapidShare. Inexperienced users can be fooled by the polished GUI and fake virus warnings and may send money to the authors of this malware, who ask for payment to fix these "infections". Once a machine is infected, the trojan drops a rootkit into the \system32\drivers folder under a randomly generated name and places its libraries in the \system32 folder. Older variants of this malware family dropped their binaries into the \resycled folder. Some new versions of this trojan horse are detected as Win32:Falder [Trj].
Detection/Removal:
The rootkit is detected as Win32:FaRoot [Rtk] and avast! is able to remove it through a boot-time scan. To get rid of this infection, update your VPS to the latest version and schedule a boot-time scan. Then move all related files to the virus chest.
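As a complement to the scan, the known locations above can be used to triage a file listing from a suspect disk against a listing from a clean build. The following is an added example, not avast! code: the function name `triage`, the `windir` default and every file name in the sample data are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Constructed listings (all file names invented): BASELINE comes from a clean
# build of the same image, SUSPECT from the disk under examination.
BASELINE = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\drivers\ntfs.sys",
    r"C:\RECYCLER\S-1-5-21-1-2-3-1000\INFO2",     # legitimate recycle bin folder
]
SUSPECT = BASELINE + [
    r"C:\WINDOWS\system32\drivers\qxkvbtmz.sys",  # constructed random-looking name
    r"C:\WINDOWS\system32\wfsmplib.dll",          # constructed library name
    r"E:\resycled\sample.exe",                    # constructed
    r"C:\WINDOWS\system32\config\new.log",        # new, but not a driver or library
]


def triage(listing, baseline, windir=r"C:\WINDOWS"):
    """Sort a file listing into the three locations the description names.

    windir stands in for %WINDIR% and is an assumption about the host.
    PureWindowsPath compares case-insensitively, as Windows itself does.
    """
    known = {PureWindowsPath(p) for p in baseline}
    system32 = PureWindowsPath(windir, "system32")
    drivers = system32 / "drivers"
    findings = {"resycled": [], "new_driver": [], "new_library": []}
    for raw in listing:
        path = PureWindowsPath(raw)
        parts = path.parts
        # "*:\resycled": folder directly under the root of any drive letter.
        if path.drive and len(parts) > 1 and parts[1].lower() == "resycled":
            findings["resycled"].append(raw)
        elif path in known:
            continue
        elif path.parent == drivers and path.suffix.lower() == ".sys":
            findings["new_driver"].append(raw)
        elif path.parent == system32 and path.suffix.lower() == ".dll":
            findings["new_library"].append(raw)
    return findings


if __name__ == "__main__":
    for kind, paths in triage(SUSPECT, BASELINE).items():
        for p in paths:
            print(f"{kind:12} {p}")
```

A file that is new relative to the baseline is only a candidate for review; legitimately installed drivers and libraries show up the same way.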














