
Virus Encyclopedia


FakeWindows.A

Threat Level: Low threat
Damage: High
Distribution: Not widespread

Effects 

FakeWindows.A passes itself off as the Windows XP activation process (MSOOBE.EXE), which is used to prevent Windows products from being used as pirated software.

FakeWindows.A carries out the following actions:

  • When it is run, it copies itself to the system with the name MSOOBE32.EXE and is deleted from the path from which it was run.
  • When the computer is restarted, a warning that appears to come from Windows is displayed on screen, requiring users to activate their copy of Windows in order to prevent the use of pirated software.
    In addition, a highlighted piece of text states that users will be asked for their banking details, but that their credit card will not be charged.
  • If users decide to ignore this request, select the option No, I will do it later, and then click the Next button, the computer will be turned off.
  • If users decide to activate Windows and click the Next button, a window opens with several fields to fill in, among them banking details.
  • Once the details have been entered, a window is displayed informing users that the information is being checked.
  • After a while, a connection error message is displayed.
  • If the Reintentar button is clicked, the data is checked again and the error message is displayed again.
  • If the Cancelar button is clicked, the computer will be blocked.

Infection strategy 

FakeWindows.A creates the file MSOOBE32.EXE, which is a copy of the Trojan, in the Windows system directory.

The genuine Windows file is called MSOOBE.EXE and is located in the oobe folder of the Windows system directory.

 

FakeWindows.A creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    %sysdir%\msoobe32.exe

    where %sysdir% is the Windows system directory.
  • HKEY_CURRENT_USER\S-1-21-790525478-1078081533-839522115-500\SOFTWARE\Microsoft\windows\CurrentVersion\Run
    %sysdir%\msoobe32.exe

    By creating these entries, FakeWindows.A ensures that it is run whenever Windows is started.
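
One way to check collected Run-key output for this persistence, as an added example that is not Panda Security's code: it parses the text output of `reg query` and flags entries that launch msoobe32.exe directly from the system directory, while recognizing oobe\msoobe.exe as the genuine file. The sample output, its value names and the C:\WINDOWS\system32 default are constructed assumptions.

```python
import ntpath
import re

# Indicators from the description above.
TROJAN_NAME = "msoobe32.exe"      # copy dropped directly in the system directory
GENUINE_REL = r"oobe\msoobe.exe"  # real activation binary, relative to sysdir

# One value line of `reg query` output: name, type, data.
VALUE_LINE = re.compile(r"^\s+(?P<name>\S.*?)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")
# Executable part of a command line: quoted path, or text up to the first .exe.
EXE_PATH = re.compile(r'^\s*(?:"([^"]+)"|(.+?\.exe))', re.IGNORECASE)

def parse_reg_query(text):
    """Yield (key, value name, data) from the text output of `reg query`."""
    key = None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_LINE.match(line)):
            yield key, m["name"], m["data"].strip()

def classify(command, sysdir=r"C:\WINDOWS\system32"):
    """Classify a Run command line as 'trojan-copy', 'genuine' or 'other'."""
    m = EXE_PATH.match(command)
    if not m:
        return "other"
    # Windows paths are case-insensitive, so compare normalized forms.
    path = ntpath.normcase(ntpath.normpath(m[1] or m[2]))
    sysdir = ntpath.normcase(ntpath.normpath(sysdir))
    if path == ntpath.join(sysdir, TROJAN_NAME):
        return "trojan-copy"
    if path == ntpath.join(sysdir, ntpath.normcase(GENUINE_REL)):
        return "genuine"
    return "other"

def find_persistence(reg_text, sysdir=r"C:\WINDOWS\system32"):
    """Return Run entries that launch msoobe32.exe from the system directory."""
    return [(k, n, d) for k, n, d in parse_reg_query(reg_text)
            if classify(d, sysdir) == "trojan-copy"]

# Constructed sample: `reg query` output as it might be collected from a host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    msoobe    REG_SZ    C:\WINDOWS\System32\MSOOBE32.EXE
    oobe      REG_SZ    "C:\WINDOWS\system32\oobe\msoobe.exe" /a
"""

if __name__ == "__main__":
    for key, name, data in find_persistence(SAMPLE):
        print(f"{key} -> {name} = {data}")
```

A file flagged this way can then be compared against the 408,064-byte size reported for FakeWindows.A.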

Means of transmission 

FakeWindows.A reaches the computer in a file named MS00BE32.EXE, which has an icon of some keys.

However, FakeWindows.A does not spread automatically by its own means. It needs the intervention of an attacking user in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

Further Details  

FakeWindows.A is 408,064 bytes in size.