FAKEAV with LSP Routine
- Sunday, March 21, 2010, 21:40
- Threat Research
Trend Micro came across a new FAKEAV variant that not only performs the usual fake alert routine but also downloads an additional component: a .DLL file that is inserted into the Layered Service Provider (LSP) chain.
By inserting itself into the LSP chain, the .DLL file is loaded whenever an application uses Windows Sockets (Winsock). LSP functionality is frequently abused by malware; in this case, the FAKEAV’s purpose is to prevent Web browsers from accessing certain sites.
The .DLL file’s code contains a list of popular websites such as facebook.com, youtube.com, and myspace.com, among others. When loaded, it checks whether the process that loaded it is one of the following; if so, it starts blocking those sites:
iexplore.exe
firefox.exe
svchost.exe
It replaces the HTML content of the accessed site with the one shown below.
It allows users access only if the registry key HKEY_CURRENT_USER\Software\IS2010 exists on their system. However, this key exists only if the FAKEAV application Internet Security 2010 (aka TROJ_FAKEAL.SMDO, TROJ_FAKEAL.SMDP, or TROJ_FAKEINIT.BC) is present on the affected system. Thus, the alert will continue to appear as long as one of the above FAKEAV variants has not been “installed” on the affected system.
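As an added example (not code from the Trend Micro post), the following PowerShell check is what a responder could run on a suspect host: it parses the output of `netsh winsock show catalog`, flags provider DLLs that do not resolve under %SystemRoot% or are missing from disk, and tests for the HKCU\Software\IS2010 key described above. It assumes English-locale netsh output, since the field labels it matches on are locale dependent.

```powershell
# Added example, not from the Trend Micro post. Enumerates the Winsock catalog,
# flags provider DLLs outside the Windows directory (where Microsoft's own
# providers such as mswsock.dll live), and checks for the IS2010 marker key.
# Assumption: English-locale "netsh winsock show catalog" output.

function Get-WinsockCatalogEntry {
    $text = (netsh winsock show catalog) -join "`n"
    # netsh prints one blank-line-separated block of "Label: value" lines per entry.
    foreach ($block in ($text -split "`n\s*`n")) {
        # Namespace provider entries carry no "Provider Path"; only service providers
        # and layered entries (the kind this FAKEAV registers) are of interest here.
        if ($block -notmatch 'Provider Path:\s*(?<path>.+)') { continue }
        $path = $Matches['path'].Trim()
        $type = if ($block -match 'Entry Type:\s*(?<t>.+)') { $Matches['t'].Trim() } else { 'unknown' }
        $desc = if ($block -match 'Description:\s*(?<d>.+)') { $Matches['d'].Trim() } else { '' }
        $id   = if ($block -match 'Catalog Entry ID:\s*(?<i>\d+)') { [int]$Matches['i'] } else { -1 }
        [pscustomobject]@{ Id = $id; Type = $type; Description = $desc; Path = $path }
    }
}

function Test-SuspiciousLsp {
    $root = $env:SystemRoot
    foreach ($e in Get-WinsockCatalogEntry) {
        $expanded = [Environment]::ExpandEnvironmentVariables($e.Path)
        # Legitimate providers resolve under %SystemRoot%; a DLL dropped elsewhere
        # (or one that no longer exists on disk) deserves a closer look.
        $outside = -not $expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)
        $missing = -not (Test-Path -LiteralPath $expanded)
        if ($outside -or $missing) {
            [pscustomobject]@{
                Id = $e.Id; Type = $e.Type; Description = $e.Description; Path = $expanded
                Reason = if ($missing) { 'file missing' } else { 'outside SystemRoot' }
            }
        }
    }
}

$suspects = @(Test-SuspiciousLsp)
$suspects | Format-Table -AutoSize

# The blocking DLL only lets traffic through when this key exists, so its presence
# is itself evidence that the Internet Security 2010 FAKEAV has been run.
if (Test-Path -LiteralPath 'HKCU:\Software\IS2010') {
    Write-Warning 'HKCU\Software\IS2010 exists: Internet Security 2010 marker key present'
}
if ($suspects.Count -gt 0) {
    Write-Warning "$($suspects.Count) Winsock catalog entries need review"
}
```

If a rogue layered entry is confirmed, `netsh winsock reset` (run elevated, followed by a reboot) rebuilds the catalog from Microsoft's defaults, which removes the hook without having to hand-edit the catalog registry keys.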
With this new technique, this malware tends to cause more panic for users, as accessing any of the mentioned sites (continue reading...)