Another Fakealert variant resorts to displaying a set of deceptive messages that can be found within the executable, while disguising the file as a Microsoft deliverable. These deceptions are best described as “cheap”. Don’t fall for it.
Here is a screenshot of the file properties from “uoyzsydz.exe”, a file that attempts to open a browser on a victim’s system to download more shocking fakealert ad content. Notice the use of the phony Microsoft trademark, the techie-sounding file description “Parsing software fo XML Media”, and the official update-sounding version “18.104.22.1686”:
When users were receiving and running this fresh round of released binaries, AV scanner detection was mostly non-existent, and it is still missing for most of these new releases.
Unlike the XML parsers that Microsoft actually delivers, this module is simply packed with UPX and carries fraudulent “shocker” strings to display to the user:
“Windows has detected spyware infection on your PC”
“Slow operation speed might have been caused by spyware.”
“Internet attack detected.”
“Somebody’s trying to infect your PC with spyware or harmful viruses.”
“Your computer is not protected against spyware.”
“Spyware has been detected on your computer! Click here to run a FULL SYSTEM SCAN to protect your data”
“VERY HIGH RISK [ 5 / 5 ]”.
It’s not a surprise that no strings for “LOW RISK [ 1 / 5 ], DON’T BOTHER SHELLING OUT HARD EARNED MONEY BECAUSE OF OUR FRAUDULENT CLAIMS” appear anywhere in this file.
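The traits called out above (UPX packing, a claimed Microsoft origin, and the quoted “shocker” strings) can be checked statically when triaging a suspect file. The following is an added example, not code from the original post; the phrase list, the `triage` and `build_sample` names, and the scoring rule are assumptions of this example.

```python
import struct

# Phrases quoted in the post; matched case-insensitively as ASCII or UTF-16LE.
SCARE_PHRASES = ["Windows has detected spyware infection", "Internet attack detected",
                 "Your computer is not protected against spyware",
                 "run a FULL SYSTEM SCAN", "VERY HIGH RISK"]

def _has(low, text):
    t = text.lower()
    return t.encode("ascii") in low or t.encode("utf-16-le") in low

def triage(data):
    """Static checks on a PE image held in memory; returns a dict of findings."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]   # SizeOfOptionalHeader
    opt = pe + 24
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    dirs = opt + (112 if pe32plus else 96)                  # data directory array
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]
    # Directory 4 is the certificate table; size 0 means no embedded signature.
    cert_size = struct.unpack_from("<II", data, dirs + 32)[1] if ndirs > 4 else 0
    sect = opt + opt_size
    names = [data[sect + 40 * i:sect + 40 * i + 8].rstrip(b"\0").decode("latin-1")
             for i in range(nsect)]
    low = data.lower()
    out = {"sections": names,
           "upx_sections": any(n.startswith("UPX") for n in names),
           "claims_microsoft": _has(low, "Microsoft"),
           "has_signature": cert_size > 0,   # present, not necessarily valid
           "scare_hits": [p for p in SCARE_PHRASES if _has(low, p)]}
    # Heuristic (assumption of this example): scare text, or a packed, unsigned "Microsoft" file.
    out["suspicious"] = bool(out["scare_hits"]) or (
        out["claims_microsoft"] and out["upx_sections"] and not out["has_signature"])
    return out

def build_sample():
    """Constructed test image, not real malware: PE32 headers, UPX section names, sample strings."""
    opt = struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<I", 16) + bytes(16 * 8)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    sects = b"".join(n.ljust(8, b"\0") + bytes(32) for n in (b"UPX0", b"UPX1"))
    body = "Microsoft Corporation".encode("utf-16-le") + b"Internet attack detected."
    return b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0" + coff + opt + sects + body

if __name__ == "__main__":
    print(triage(build_sample()))
```

Strings held in UPX-compressed sections only appear after unpacking (for example with `upx -d`), so run the check on both the packed and unpacked file. Many genuine Windows files are catalog-signed with no embedded certificate, so treat each flag as a triage hint and not a verdict.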