How Does it Spread?
This trojan spreads through Facebook Chat. It shows you online and sends a message to one of your friend. If it’s just a link, you can easily understand that it’s a spam. So it sends you a “Hi” first and waits for you reply. Irrespective of what you reply, it sends you a link shortened using tinyurl.com, which works when clicked once. If you reply to the message which contains the link, it would say “I’ll be back”. Check the screenshot below to see it in action!
That’s how I got the link, I just opened it and I could see “[My Name] is in the leading role. Shocking Performance!” in a page similar to YouTube and comments from my Facebook friends below the video. This page would make you believe that its not fake. But I suggest you to search for a video with this title in YouTube or check the URL of the page before you proceed.
[Click to see Full Size Image]
The video is unavailable and it asks you to upgrade your Adobe Flash Player with a link to let you Download it from Adobe. Clicking on that link prompts you to download an executable file which is the Trojan.
How Does it Infect Your PC
After you download the Trojan, you will be asked to reboot your system. When you reboot your system, your current anti virus is uninstalled is replaced with a fake anti virus program. This trojan is capable of replicating any other anti virus or online security software. Well, that got me tricking To know how dangerous it is, check out the technical details below from Virusnote.
Technical Details of Trojan.FakeAV.LVT
This trojan disables all security related applications and downloads several file from the Internet which are stored in the following locations:
The trojan acquires data and commands from a remote computer or the Internet. I could sense it as I got a message on my phone from Facebook which said “Your account was accessed from an unknown location but since you have login notifications enabled your account was not accessible”. Thanks to the login notifications I had enabled on Facebook. I suspected use of a keylogger software which runs in background and hence rang up a friend asking him to change my passwords.
How To Recover From This Trojan
If you are already infected with this virus and landed up here luckily, you can execute the following steps and check if your system is back to normal.
- Reset Windows Host Files
- If the above step does not work out, delete the following files which are created by the Trojan:
(Here %windir% refers to the location where you have installed Windows, for example: C:Windows)
- The Trojan also modifies various Registry values, in that case you can download a suitable Registry Cleaner which can easily be found by Googling.
- If nothing works out, you need to shut down your computer and boot from an anti-virus recovery cd. All anti-virus packages let you create a bootable disk which can be used when your system is completely infected and becomes useless.
- I also recommend installing Malwarebytes on your PC.
I really wonder where do these trojans originate from and why are they being spread? Any idea? I wish Facebook takes some action to curb these scams. Also share your experiences in comments if you have encountered this