Security Response

Trojan Feigns Failures to Increase Rogue Defragger Sales

Created: 16 May 2011 09:02:43 GMT • Updated: 23 Jan 2014 18:21:08 GMT • Translations available: 日本語
Eoin Ward

Have you ever had a hard drive failure? I have. It happened to me in my first ever computer job. I was about six months in, working on a small part of a big project, and we had a milestone in two days when it happened. I can remember the pit in my stomach as I checked our version control software for anything I had submitted. I searched files on drives D through Z, hoping that I may have copied files over. I checked floppy disk after floppy disk for the code I brought home that one weekend. I was petrified. I would have paid a week’s wages to recover those files.

Hard disk failures are a fact of life in the tech world. It’s something many of us have experienced, and not with fond memories. Trojan.FakeAV writers are aware of this, and the end of last year saw a move by some into the creation of fake hard disk scanners and defragmentation tools, which we covered in Fake Disk Cleanup Utilities: The Ruse. In this blog we are going to look at Trojan.Fakefrag. What sets this apart from standard fake disk cleanup utilities is that the Trojan makes changes on the computer and displays messages that make it appear as though the hard disk is failing. Then it drops a member of the UltraDefragger family called Windows Recovery, which offers to repair these disk errors for a mere $79.50!

We’ve put together a short screencast that takes you through the experience.

Trojan.Fakefrag is essentially a wrapper around UltraDefragger. Its aim is to increase the likelihood of you purchasing a copy of UltraDefragger by craftily convincing you that your hard drive is failing. It attempts to do this by doing the following:

  • It fakes hardware failure messages, such as this:
  • It moves all the files in the "All Users" folder to a temporary location and hides files in the "Current User" folder. This makes it look like you have lost all the files on your desktop.
  • It stops you from changing your background image.
  • It disables the Task Manager.
  • It sets both the “HideIcons” and “Superhidden” registry entries to give the impression that more icons have been deleted.

It does a really convincing job of making it appear as though something is wrong—the failure messages look just like something Windows would display. Plus, when it “deletes” files from your desktop, it does so in a very prominent way. (Given this is where I personally keep my really important stuff, seeing it suddenly disappear would certainly give me pause.)

It then "helpfully" displays a message recommending that you run a diagnostic utility on your computer, launches the Windows Recovery misleading application, and adds a link to it on both your desktop and the start menu. The misleading application finishes the job, hoping that the victim will pull out their credit card for the $79.50 price tag.
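The changes listed above are all per-user settings and file attributes, so an administrator can check a suspect machine for them directly. The script below is an added example and not code from this post or from Symantec: it audits the registry values the post names (HideIcons, the value the post calls "Superhidden", plus the Task Manager and wallpaper lockdowns) and lists hidden items on the desktop. The registry paths and the ShowSuperHidden value name are the standard Windows locations and are my assumption, not taken from the post.

```powershell
# Added example, not code from the Symantec post. Registry paths below are the
# standard Windows locations and are assumed; the post only names the values.
$Checks = @(
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Name='HideIcons';           Suspicious=1;     Note='desktop icons hidden' },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Name='ShowSuperHidden';     Suspicious=$null; Note='0 hides protected OS files (also the default)' },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name='DisableTaskMgr';      Suspicious=1;     Note='Task Manager disabled' },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'
       Name='NoChangingWallPaper'; Suspicious=1;     Note='wallpaper change blocked' }
)

function Get-FakefragIndicator {
    # One object per check; Flagged is $true when the value equals the lockdown setting.
    foreach ($c in $Checks) {
        $p = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $v = if ($null -ne $p) { $p.($c.Name) } else { $null }   # absent = Windows default
        [pscustomobject]@{
            Name    = $c.Name
            Value   = $v
            Flagged = ($null -ne $c.Suspicious -and $v -eq $c.Suspicious)
            Note    = $c.Note
            Path    = $c.Path
        }
    }
}

function Repair-FakefragIndicator {
    # Clears the flagged lockdown values; ShowSuperHidden is reported only, since 0 is normal.
    foreach ($i in Get-FakefragIndicator | Where-Object Flagged) {
        Set-ItemProperty -Path $i.Path -Name $i.Name -Value 0 -Type DWord
        Write-Host "Reset $($i.Name) under $($i.Path)"
    }
}

function Get-HiddenDesktopItem {
    # Files the Trojan hid are still present; -Force shows them, -Unhide clears the attribute.
    param([switch]$Unhide)
    $desktop = [Environment]::GetFolderPath('Desktop')
    Get-ChildItem -Path $desktop -Force | Where-Object {
        ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
        -not ($_.Attributes -band [IO.FileAttributes]::System)
    } | ForEach-Object {
        if ($Unhide) { $_.Attributes = $_.Attributes -bxor [IO.FileAttributes]::Hidden }
        $_
    }
}

Get-FakefragIndicator | Format-Table Name, Value, Flagged, Note -AutoSize
Get-HiddenDesktopItem | Select-Object Name, Attributes
```

Run the audit first and only call Repair-FakefragIndicator and Get-HiddenDesktopItem -Unhide after the Trojan itself has been removed, otherwise it simply reapplies the settings.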

I can’t remember how much I made a week in my first job, but $79.50 sounds like a bargain to recover your files. I still recall confiding in a senior developer, who directed me to the IT Administrator, who popped in a new hard drive, and then restored everything from backup while I calmed myself down. Fortunately with Trojan.Fakefrag all the files are still on your hard drive. A quick search will find anything you need—after you run an up-to-date antivirus scan to delete the Trojan of course.

Thanks to Ben Nahorney and Sean Kiernan.
