TROJ_FAKEAV.OG

 Analysis by: Kathleen Notario

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

OVERVIEW

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

When users agree to buy the software, it connects to a certain URL.

  TECHNICAL DETAILS

File Size:

453,120 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

08 Sep 2011

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

  • %System Root%\Documents and Settings\All Users\Application Data\{random filename2}
  • %System Root%\Documents and Settings\All Users\Application Data\{random filename2}.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It drops the following copies of itself into the affected system:

  • %System Root%\Documents and Settings\All Users\Application Data\{random filename1}.exe

It creates the following folders:

  • %User Temp%\smtmp
  • %User Temp%\smtmp\1
  • %User Temp%\smtmp\2
  • %User Temp%\smtmp\3
  • %User Temp%\smtmp\4

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
{random filename} = %System Root%\Documents and Settings\All Users\Application Data\{random filename1}.exe

Other System Modifications

This Trojan adds the following registry entries:

HKEY_CURRENT_USER\Software
75fa38b7-8b94-4995-ad32-52e938867954 =

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
NoChangingWallpaper = 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
LowRiskFileTypes = /{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
SaveZoneInformation = 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr = 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDesktop = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr = 1

It modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download
CheckExeSignatures = no

(Note: The default value data of the said registry entry is yes.)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden = 0

(Note: The default value data of the said registry entry is 1.)
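The registry changes above are the most useful host indicators on this page, so here is an added triage script (not Trend Micro's code, not part of the original entry). Two things it shows: first, the LowRiskFileTypes data as listed is the standard extension list with the low bit of every character flipped ('/' for '.', ':' for ';', '{' for 'z'); whether the Trojan writes it in that form or the listing rendered it that way, the page does not say, so decode_xor1 simply recovers the readable form. Second, triage() checks a registry snapshot for every value the entry lists, matching names case-insensitively as the registry does, and reports the clean default to restore. The INFECTED snapshot is constructed for the example; the GUID value name and the paths are taken from the page, the "kq7a2f" file name is a made-up stand-in for {random filename1}, and the assumption that the policy values are absent on a clean profile is mine.

```python
"""Triage helpers for the registry changes listed above: decode the
LowRiskFileTypes data and check a registry snapshot for the indicators.
Added example, not Trend Micro's code."""
from dataclasses import dataclass

# LowRiskFileTypes data exactly as the page lists it.
PAGE_LOWRISK = ("/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:"
                "/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:")


def decode_xor1(data: str) -> str:
    """Flip the low bit of every character ('/' -> '.', ':' -> ';', '{' -> 'z')."""
    return "".join(chr(ord(ch) ^ 1) for ch in data)


HKCU, HKLM = "HKCU", "HKLM"
POL = r"Software\Microsoft\Windows\CurrentVersion\Policies"
ANY = object()  # any data counts as a hit
# (hive, key, value name) -> (data the Trojan writes, clean default).
# Defaults for CheckExeSignatures, Hidden and ShowSuperHidden are the page's
# notes; None means "value absent on a clean profile", an assumption here.
INDICATORS = {
    (HKCU, "Software", "75fa38b7-8b94-4995-ad32-52e938867954"): (ANY, None),
    (HKCU, POL + r"\ActiveDesktop", "NoChangingWallpaper"): (1, None),
    (HKCU, POL + r"\Associations", "LowRiskFileTypes"): (ANY, None),
    (HKCU, POL + r"\Attachments", "SaveZoneInformation"): (1, None),
    (HKCU, POL + r"\System", "DisableTaskMgr"): (1, None),
    (HKCU, POL + r"\Explorer", "NoDesktop"): (1, None),
    (HKLM, r"SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system",
     "DisableTaskMgr"): (1, None),
    (HKCU, r"Software\Microsoft\Internet Explorer\Download",
     "CheckExeSignatures"): ("no", "yes"),
    (HKCU, r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "Hidden"): (0, 1),
    (HKCU, r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "ShowSuperHidden"): (0, 1),
}
RUN_KEY = (HKCU, r"Software\Microsoft\Windows\CurrentVersion\Run")
DROP_DIR = "\\documents and settings\\all users\\application data\\"


@dataclass
class Finding:
    key: str
    name: str
    observed: object
    expected: object  # None = delete the value


def _norm(v):
    return v.lower() if isinstance(v, str) else v


def triage(snapshot):
    """snapshot: {(hive, key): {value name: data}}.  Key and value names are
    compared case-insensitively, as the registry itself does."""
    index = {(h.lower(), k.lower()): {n.lower(): d for n, d in vals.items()}
             for (h, k), vals in snapshot.items()}
    findings = []
    for (hive, key, name), (bad, clean) in INDICATORS.items():
        vals = index.get((hive.lower(), key.lower()), {})
        if name.lower() in vals:
            seen = vals[name.lower()]
            if bad is ANY or _norm(seen) == _norm(bad):
                findings.append(Finding(hive + "\\" + key, name, seen, clean))
    # The Run value has a random name, so match on the drop directory instead.
    for name, data in index.get((RUN_KEY[0].lower(), RUN_KEY[1].lower()), {}).items():
        if DROP_DIR in str(data).lower():
            findings.append(Finding(RUN_KEY[0] + "\\" + RUN_KEY[1], name, data, None))
    return findings


def read_live(keys):
    """Windows only: snapshot the given (hive, key) pairs through winreg."""
    import winreg  # not available off Windows
    roots = {HKCU: winreg.HKEY_CURRENT_USER, HKLM: winreg.HKEY_LOCAL_MACHINE}
    snap = {}
    for hive, key in keys:
        try:
            with winreg.OpenKey(roots[hive], key) as h:
                vals, i = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(h, i)
                    except OSError:  # no more values
                        break
                    vals[name], i = data, i + 1
        except OSError:  # key absent
            continue
        snap[(hive, key)] = vals
    return snap


# Constructed snapshot resembling a host after the Trojan ran (not real data).
INFECTED = {
    (HKCU, "Software"): {"75fa38b7-8b94-4995-ad32-52e938867954": ""},
    (HKCU, POL + r"\ActiveDesktop"): {"NoChangingWallpaper": 1},
    (HKCU, POL + r"\Associations"): {"LowRiskFileTypes": PAGE_LOWRISK},
    (HKCU, POL + r"\Attachments"): {"SaveZoneInformation": 1},
    (HKCU, POL + r"\System"): {"DisableTaskMgr": 1},
    (HKCU, POL + r"\Explorer"): {"NoDesktop": 1},
    (HKLM, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"): {"DisableTaskMgr": 1},
    (HKCU, r"Software\Microsoft\Internet Explorer\Download"): {"CheckExeSignatures": "No"},
    (HKCU, r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"): {"Hidden": 0, "ShowSuperHidden": 0},
    RUN_KEY: {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",  # benign
              "kq7a2f": r"C:\Documents and Settings\All Users\Application Data\kq7a2f.exe"},  # made-up name
}
```

On a Windows host, `triage(read_live({(h, k) for h, k, _ in INDICATORS} | {RUN_KEY}))` runs the same checks against the live registry; off Windows, `triage(INFECTED)` exercises the logic on the constructed snapshot and returns eleven findings (ten listed values plus the Run entry). The Run heuristic matches on the drop directory rather than the file name, because the page only says the name is random; a clean profile can legitimately have other Run entries, which is why the benign ctfmon.exe entry in the snapshot is not reported.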

Rogue Antivirus Routine

When users agree to buy the software, it connects to the following URL to continue the purchase:

  • {BLOCKED}ought.org
  • {BLOCKED}rprise.org
  • {BLOCKED}wild.org
  • {BLOCKED}wone.org
  • {BLOCKED}zoo.org

NOTES:

This malware moves files from the following directories into %User Temp%\smtmp; the source directories depend on the operating system version.

Operating System major version is 5 (XP, 2000, 2003):

  • From: %System Root%\Documents and Settings\All Users\Start Menu\
    To: %User Temp%\smtmp\1\
  • From: %User Profile%\Application Data\Microsoft\Internet Explorer\Quick Launch\
    To: %User Temp%\smtmp\2\
  • From: %System Root%\Documents and Settings\All Users\Desktop\
    To: %User Temp%\smtmp\4\

Operating System major version is 6 (Vista, 2008, 7):

  • From: %System Root%\ProgramData\Start Menu\
    To: %User Temp%\smtmp\1\
  • From: %User Profile%\Application Data\Roaming\Microsoft\Internet Explorer\Quick Launch\
    To: %User Temp%\smtmp\2\
  • From: %User Profile%\Application Data\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\
    To: %User Temp%\smtmp\3\
  • From: %System Root%\ProgramData\Desktop\
    To: %User Temp%\smtmp\4\

It also sets the Hidden attribute on files found in the affected system, to trick users into believing the files have been deleted.
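Because the Trojan only moves the Start Menu, Quick Launch and Desktop contents into %User Temp%\smtmp and hides files rather than deleting them, the user-visible damage can be reversed once the Trojan itself is removed. The following added example (not Trend Micro's code, not part of the original entry) encodes the per-version table above as a restore plan and moves each smtmp\N folder's contents back, refusing to overwrite anything already present and clearing the Hidden attribute on Windows. The Vista/7 source paths are taken exactly as the page lists them; demo() builds a constructed XP-style layout under a temporary directory so the logic can be run anywhere.

```python
"""Reverse the file moves described in the notes above.  Added example,
not Trend Micro's code; it does not remove the Trojan itself."""
import os
import shutil
import tempfile
from pathlib import Path

FILE_ATTRIBUTE_HIDDEN = 0x2


def restore_plan(user_temp, system_root, user_profile, os_major):
    """Map each %User Temp%\\smtmp\\N folder back to the directory the
    Trojan emptied, following the page's per-OS-version table."""
    ut = Path(user_temp) / "smtmp"
    sr, up = Path(system_root), Path(user_profile)
    if os_major == 5:  # XP, 2000, Server 2003
        return [
            (ut / "1", sr / "Documents and Settings" / "All Users" / "Start Menu"),
            (ut / "2", up / "Application Data" / "Microsoft" / "Internet Explorer" / "Quick Launch"),
            (ut / "4", sr / "Documents and Settings" / "All Users" / "Desktop"),
        ]
    if os_major == 6:  # Vista, Server 2008, 7 (paths as the page lists them)
        ql = up / "Application Data" / "Roaming" / "Microsoft" / "Internet Explorer" / "Quick Launch"
        return [
            (ut / "1", sr / "ProgramData" / "Start Menu"),
            (ut / "2", ql),
            (ut / "3", ql / "User Pinned" / "TaskBar"),
            (ut / "4", sr / "ProgramData" / "Desktop"),
        ]
    raise ValueError(f"no mapping on the page for OS major version {os_major}")


def unhide(path):
    """Clear the Hidden attribute the Trojan sets; no-op off Windows."""
    if os.name != "nt":
        return
    import ctypes
    k32 = ctypes.windll.kernel32
    attrs = k32.GetFileAttributesW(str(path))
    if attrs != 0xFFFFFFFF and attrs & FILE_ATTRIBUTE_HIDDEN:
        k32.SetFileAttributesW(str(path), attrs & ~FILE_ATTRIBUTE_HIDDEN)


def restore(plan):
    """Move every item in each smtmp folder back to its original directory.
    Never overwrites: returns (restored paths, items skipped because the
    destination already exists)."""
    restored, conflicts = [], []
    for src_dir, dst_dir in plan:
        if not src_dir.is_dir():
            continue  # the Trojan did not fill this folder on this host
        dst_dir.mkdir(parents=True, exist_ok=True)
        for item in src_dir.iterdir():
            target = dst_dir / item.name
            if target.exists():
                conflicts.append(item)
                continue
            shutil.move(str(item), str(target))
            unhide(target)
            restored.append(target)
    return restored, conflicts


def demo(root=None):
    """Constructed XP-style layout: two displaced items, restored in place.
    Returns (restored paths relative to root, number of conflicts)."""
    root = Path(root or tempfile.mkdtemp())
    user_temp = root / "Temp"
    (user_temp / "smtmp" / "1").mkdir(parents=True)
    (user_temp / "smtmp" / "1" / "Programs.lnk").write_text("constructed shortcut")
    (user_temp / "smtmp" / "4").mkdir(parents=True)
    (user_temp / "smtmp" / "4" / "notes.txt").write_text("constructed file")
    plan = restore_plan(user_temp, root, root / "Profile", os_major=5)
    restored, conflicts = restore(plan)
    return sorted(p.relative_to(root).as_posix() for p in restored), len(conflicts)
```

On a real XP host the call is `restore(restore_plan(os.environ["TEMP"], "C:\\", os.environ["USERPROFILE"], 5))`; run it only after the dropped executables and the Run entry are gone, otherwise the Trojan moves the files again at the next logon. Conflicts are returned rather than resolved so an analyst can compare the two copies before deciding which one to keep.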