TROJ_FAKEAV.BUTH

This Trojan may be dropped by other malware.

It does not have any propagation routine.

It does not have any backdoor routine.

When users agree to buy the software, it connects to a certain URL. It displays fake alerts that warn users of infection. It also displays fake scanning results of the affected system. It then asks for users to purchase it once scanning is completed. If users decide to purchase the rogue product, users are directed to a website asking for sensitive information, such as credit card numbers. It displays a window where users can purchase this fake antivirus program.

Arrival Details

This Trojan may be dropped by the following malware:

• TROJ_DLOADR.BUTH

Installation

This Trojan drops the following file(s)/component(s):

• {All Users' Profile}\Application Data\pcdfdata\app.ico
• {All Users' Profile}\Application Data\pcdfdata\defs.bin - contains downloaded malware information
• {All Users' Profile}\Application Data\pcdfdata\support.ico
• {All Users' Profile}\Application Data\pcdfdata\uninst.ico
• %Desktop%\Security Defender.lnk
• %Start Menu%\Programs\Security Defender\Remove Security Defender.lnk
• %Start Menu%\Programs\Security Defender\Security Defender Help and Support.lnk
• %Start Menu%\Programs\Security Defender\Security Defender.lnk

(Note: %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\Desktop on Windows Vista and 7.. %Start Menu% is the current user's Start Menu folder, which is usually C:\Windows\Start Menu or C:\Documents and Settings\{User name}\Start Menu on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu on Windows Vista and 7.)

It creates the following folders:

• %Start Menu%\Programs\Security Defender

(Note: %Start Menu% is the current user's Start Menu folder, which is usually C:\Windows\Start Menu or C:\Documents and Settings\{User name}\Start Menu on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu on Windows Vista and 7.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Global\wdshield

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
pcdfsvc = "{All Users' Profile}\Application Data\pcdfdata\{TROJ_DLOADR.BUTH file name}.exe /min"

Other System Modifications

This Trojan adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
pcdfdata

HKEY_CLASSES_ROOT\.exe\DefaultIcon

HKEY_CLASSES_ROOT\.exe\shell

HKEY_CLASSES_ROOT\.exe\shell\
open

HKEY_CLASSES_ROOT\.exe\shell\
open\command

HKEY_CLASSES_ROOT\.exe\shell\
runas

HKEY_CLASSES_ROOT\.exe\shell\
runas\command

HKEY_CURRENT_USER\Software\Classes\
.exe

HKEY_CURRENT_USER\Software\Classes\
.exe\shell

HKEY_CURRENT_USER\Software\Classes\
.exe\shell\open

HKEY_CURRENT_USER\Software\Classes\
.exe\shell\open\
command

HKEY_CURRENT_USER\Software\Classes\
.exe\shell\runas

HKEY_CURRENT_USER\Software\Classes\
.exe\shell\runas\
command

It adds the following registry entries:

HKEY_CLASSES_ROOT\.exe\DefaultIcon
{Default} = "%1"

HKEY_CLASSES_ROOT\.exe\shell\
open\command
{Default} = ""{All Users' Profile}\Application Data\pcdfdata\{TROJ_DLOADR.BUTH file name}.exe" /ex "%1" %*"

HKEY_CLASSES_ROOT\.exe\shell\
open\command
IsolatedCommand = ""%1" %*"

HKEY_CLASSES_ROOT\.exe\shell\
runas\command
{Default} = ""%1" %*"

HKEY_CLASSES_ROOT\.exe\shell\
runas\command
IsolatedCommand = ""%1" %*"

HKEY_CURRENT_USER\Software\Classes\
.exe
{Default} = "4g"

HKEY_CURRENT_USER\Software\Classes\
.exe Content
Type = "application/x-m"

HKEY_CURRENT_USER\Software\Classes\
.exe\DefaultIcon
{Default} = "%1"

HKEY_CURRENT_USER\Software\Classes\
.exe\shell\open\
command
{Default} = ""{All Users' Profile}\Application Data\pcdfdata\{TROJ_DLOADR.BUTH file name}.exe" /ex "%1" %*"

HKEY_CURRENT_USER\Software\Classes\
.exe\shell\open\
command
IsolatedCommand = ""%1" %*"

HKEY_CURRENT_USER\Software\Classes\
.exe\shell\runas\
command
{Default} = ""%1" %*"

HKEY_CURRENT_USER\Software\Classes\
.exe\shell\runas\
command
IsolatedCommand = ""%1" %*"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
pcdfdata
DisplayName = "Security Defender"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
pcdfdata
InstallLocation = "{All Users' Profile}\Application Data\pcdfdata"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
pcdfdata
UninstallString = "{All Users' Profile}\Application Data\pcdfdata\{TROJ_DLOADR.BUTH file name}.exe /tout"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
pcdfdata
DisplayIcon = "{All Users' Profile}\Application Data\pcdfdata\{TROJ_DLOADR.BUTH file name}.exe,0"

It modifies the following registry entries:

HKEY_CLASSES_ROOT\.exe
{Default} = "4g"

(Note: The default value data of the said registry entry is exefile.)

HKEY_CLASSES_ROOT\.exe
Content Type = "application/x-m"

(Note: The default value data of the said registry entry is application/x-msdownload.)

Propagation

This Trojan does not have any propagation routine.

Backdoor Routine

This Trojan does not have any backdoor routine.

Rogue Antivirus Routine

This Trojan displays the following fake alerts:

When users agree to buy the software, it connects to the following URL to continue the purchase:

• https://{BLOCKED}.{BLOCKED}ng.com/billing/key/?uid={value}

It displays fake alerts that warn users of infection. It also displays fake scanning results of the affected system. It then asks for users to purchase it once scanning is completed. If users decide to purchase the rogue product, users are directed to the following website asking for sensitive information, such as credit card numbers:

• https://{BLOCKED}.{BLOCKED}ng.com/html/billing/?uid={value}

The following window is displayed for users to purchase the fake antivirus program:

It displays the following window and pretends to scan the system:

NOTES:

This Trojan connects to the following URL to let the remote user know that the download was successful:

• http://{BLOCKED}ologyipadinitiating.org/api/ping?stage={number}&uid={random values}

It connects to the following URL to let the remote user know that TROJ_FAKEAV.BUTH has been successfully executed:

• http://{BLOCKED}ologyipadinitiating.org/postload2/?uid={random values}

It connects to the URL to get updated list of virus information:

• http://{BLOCKED}ologyipadinitiating.org/html/viruslist/?uid={random values}

However, the said sites are inaccessible during time of analysis.

It does not have rootkit capabilities.

It does not exploit any vulnerability.