Threat Description

Fakerr

Details

Aliases: Fakerr, W32/Fakerr.A@mm, Gruel
Category: Malware
Type:
Platform: W32

Summary



The Fakerr worm appeared in the middle of July 2003. It spreads itself in e-mails. It was also written to spread through the Kazaa file sharing network, but that routine has a bug. The worm has a dangerous payload: it can delete files on the hard drive and modify certain Registry values, making the Windows operating system unusable.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to the General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



When run, the worm shows a fake error message that looks like a real error message displayed by Windows XP. After the user clicks a button on that fake error message, the worm opens the CD-ROM tray and then opens several Windows configuration windows that can usually be opened from Control Panel: display, add/remove programs, time/date properties and a few others. Finally it displays the following message:

kIlLeRgUaTe
 Your computer now is mine, Why? Because I didn't had nothing to
 do and I thought, why not make the evil? Remember NOW YOUR PC IS
 IN MY POWER Windows Sucks! I can't stand it anymore! Windows has
 always sucked. Wake up people! It's a scam! You don't need a
 faster computer. You need a better operating system. Microsoft
 continuingly makes money by selling you the latest and greatest
 Windows. The latest Windows version is always the most
 inefficient yet, slowing down your fast computer. Also, now you
 have to upgrade all your other software too because different
 Windows versions are not compatible with each other! A hidden
 cost not mentioned at all. It's part of the scam. Capitalism
 Sucks!, Communism Sucks. KILLERGUATE.

Then the worm copies itself, with the hidden attribute set, to the root folder of the C: drive as RUNDLL32.EXE and modifies the startup keys for the following file extensions:

exe
com
bat
pif
hta
ht

The worm also creates or modifies several Registry entries that prevent system logoff, closing Explorer, opening Task Manager, locking the workstation and changing the password.
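A triage script for a machine suspected of infection, added here as an example and not part of F-Secure's tooling: it checks for the hidden root copy named above, shows the open command for the listed file types, and looks for policy values that would produce the lockouts just described. The exact Registry keys and value names are assumptions, since the description does not name them; run it from an elevated PowerShell prompt.

```powershell
# Added triage check, not F-Secure's code. The policy value names and the
# per-file-type shell\open\command keys are assumptions; the description
# does not name the exact Registry keys the worm changes.
$findings = @()

# 1. Hidden copy of the worm in the root of C: (path from the description).
$copy = 'C:\RUNDLL32.EXE'
if (Test-Path -LiteralPath $copy) {
    $attr = (Get-Item -LiteralPath $copy -Force).Attributes
    $findings += "File present: $copy (attributes: $attr)"
}

# 2. "Startup keys" for the listed extensions: the open command of each file
#    type is shown for review and flagged if it points at the root copy.
$types = @{ exe='exefile'; com='comfile'; bat='batfile'; pif='piffile'; hta='htafile' }
foreach ($ext in $types.Keys) {
    $key = "Registry::HKEY_CLASSES_ROOT\$($types[$ext])\shell\open\command"
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $cmd = (Get-ItemProperty -LiteralPath $key).'(default)'
    Write-Output ("{0,-4} open command: {1}" -f $ext, $cmd)
    if ($cmd -match [regex]::Escape($copy)) {
        $findings += "$ext files are launched through $copy"
    }
}

# 3. Policy values that block logoff, closing Explorer, Task Manager,
#    workstation lock and password change (assumed value names).
$policies = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Names = 'NoLogoff', 'NoClose' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Names = 'DisableTaskMgr', 'DisableLockWorkstation', 'DisableChangePassword' }
)
foreach ($p in $policies) {
    if (-not (Test-Path -LiteralPath $p.Path)) { continue }
    $props = Get-ItemProperty -LiteralPath $p.Path
    foreach ($n in $p.Names) {
        if ($props.$n -eq 1) { $findings += "$n = 1 under $($p.Path)" }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
else { Write-Output 'None of the checked Fakerr indicators were found.' }
```

The open commands are printed even when not flagged, because a legitimate command for these types normally runs the file itself ("%1") and any other program named there deserves a second look.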

The worm spreads itself in e-mails to all addresses found in the Outlook Address Book. An infected message looks like this:

Subject:

Symantec: New serious virus found

Body:

Norton Security Response: has detected a new virus in the
 Internet. For this reason we made this tool attachement, to
 protect your computer from this serious virus. Due to the number
 of submissions received from customers, Symantec Security
 Response has upgraded this threat to a Category 5 (Maximum ).

Attachment:

Norton_Symantec_Tool.exe

The worm tries to copy itself as 'Norton 2003 Pro.exe' to the Kazaa P2P (peer-to-peer) client's shared folder, but there is an error in that routine and the copy never happens.

The worm has a dangerous payload. It can delete the following files from an infected hard drive:

C:\WINNT\system32\ntoskrnl.exe
C:\WINNT\system32\command.com
C:\WINNT\regedit.exe
C:\windows\system32\ntoskrnl.exe
C:\windows\system32\command.com
C:\windows\regedit.exe
C:\AUTOEXEC.bat
C:\config.sys
C:\WINNT\system32\*.exe
C:\WINNT\system32\*.com
C:\WINNT\system32\*.dll
C:\WINNT\system32\*.ocx
C:\windows\system32\*.dll
C:\windows\system32\*.ocx
C:\windows\system32\*.exe
C:\windows\system32\*.com

The worm can also delete all files from the following folders:

C:\WINNT\system
C:\windows\system
C:\WINNT\system32
C:\windows\system32
D:\


Detection


Detection of Fakerr worm is available in the following FSAV updates:
Database: 2003-07-16_03



Description Created: F-Secure Anti-Virus Research Team; July 16th, 2003

