Submission Summary:

What's been foundSeverity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.


Technical Details:


Possible Security Risk

Security RiskDescription
Trojan.FakeAlert Trojan.FakeAlert will hijack the desktop background with an image alerting the user that their computer system has been infected with spyware. It also changes some settings of windows which include:- disabling permissions for the user to change the background image and setting the active desktop to 'show web content'. It is usually installed in conjunction with a rogue anti-spyware application.

Threat CategoryDescription
A code with the rootkit-specific techniques designed to hide the software presence in the system


File System Modifications

#Filename(s)File SizeFile HashAlias
1 %Temp%\000005cd 86,016 bytes MD5: 0x92DBBCBC5565302A724FB2D0F42ADF94
SHA-1: 0xB860CE20A1A982C36B00C0DBE2336ECBCC20517C
Trojan:Win32/Alureon.CO [Microsoft]
2 %Temp%\a.dat 22,168 bytes MD5: 0x8853B80928C70D90B02E8CD066948DA0
SHA-1: 0xFD129FEB1084EA01DDBDDEB40D4FBC5B9C264790
(not available)
3 %Temp%\Alf.exe
215,040 bytes MD5: 0x7B4EAB4536A35EFB819A97D683E352B5
SHA-1: 0xA875DB9505166AE347F8180FCEC92EB47825E595
Mal/FakeDouf-B [Sophos]
4 %Temp%\Alg.exe 216,576 bytes MD5: 0x229C38F0520D662976E10F624A4B3B8C
SHA-1: 0xD7E53DEF17FB49AC83562DE485471E2A2F2ADDE3
Mal/FakeDouf-B [Sophos]
5 %System%\spool\prtprocs\w32x86\00005495.tmp 86,016 bytes MD5: 0xE754548482656327A2949155714BE388
SHA-1: 0xFFE322A0CA1993AB736C4BCE3DAA8662D3872AE4
Trojan:Win32/Alureon.CO [Microsoft]
6 %Windir%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job 334 bytes MD5: 0x25035EC7C914D1C46D2929854A5358DA
SHA-1: 0xB93B2A6ABB5E726C11BB5CE0536507A1E0DBF937
(not available)
7 %Windir%\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job 294 bytes MD5: 0xE216D79B3D6CCDA8473BDDF635E6C0DB
SHA-1: 0x965289179E770A7BF7F097DB4A9C2155F5790DF6
(not available)
8 %Windir%\Temp\00005dd1.sys 29,184 bytes MD5: 0xFCA53E3D28357DF3A647D4C2E188B471
SHA-1: 0xAACDF955D79F348212A6562C3F60FDCF24C5C96B
Rootkit.Win32.Agent.akgh [Kaspersky Lab]
Trojan:WinNT/Alureon.G [Microsoft]
Trojan.WinNT.Alureon [Ikarus]


Memory Modifications

Process NameProcess FilenameMain Module Size
Alg.exe%Temp%\alg.exe622,592 bytes
msa.exe%Windir%\msa.exe520,192 bytes


Registry Modifications


Other details

1064UDPmsa.exe (%Windir%\msa.exe)
1085TCPmsa.exe (%Windir%\msa.exe)
1095TCPmsa.exe (%Windir%\msa.exe)
1096TCPmsa.exe (%Windir%\msa.exe)
1099TCPmsa.exe (%Windir%\msa.exe)
1100TCPmsa.exe (%Windir%\msa.exe)
1101TCPmsa.exe (%Windir%\msa.exe)
1108TCPmsa.exe (%Windir%\msa.exe)
1109TCPmsa.exe (%Windir%\msa.exe)
1110TCPmsa.exe (%Windir%\msa.exe)
1116TCPmsa.exe (%Windir%\msa.exe)
1120TCPmsa.exe (%Windir%\msa.exe)
1122TCPmsa.exe (%Windir%\msa.exe)
1123TCPmsa.exe (%Windir%\msa.exe)
1125TCPmsa.exe (%Windir%\msa.exe)
1127TCPmsa.exe (%Windir%\msa.exe)
1128TCPmsa.exe (%Windir%\msa.exe)
1134TCPmsa.exe (%Windir%\msa.exe)
1139TCPmsa.exe (%Windir%\msa.exe)
1141TCPmsa.exe (%Windir%\msa.exe)

Remote HostPort Number



All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2015 ThreatExpert. All rights reserved.