TROJ_FRAUDLO.HJ
Windows 2000, XP, Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This Trojan adds certain registry entries to disable the Task Manager. This action prevents users from terminating the malware process, which can usually be done via the Task Manager.
It displays fake alerts that warn users of infection. It also displays fake scanning results of the affected system. It then asks for users to purchase it once scanning is completed. If users decide to purchase the rogue product, users are directed to a certain website asking for sensitive information, such as credit card numbers.
TECHNICAL DETAILS
Installation
This Trojan drops the following copies of itself into the affected system:
- %system root%\Documents and Settings\All Users\Application Data\{random name}.exe
Autostart Technique
This Trojan adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random name} = %system root%\Documents and Settings\All Users\Application Data\{random name}.exe
Other System Modifications
This Trojan modifies the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Download
CheckExeSignatures = "no"
(Note: The default value data of the said registry entry is "yes".)
It adds the following registry entries to disable the Task Manager:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableTaskMgr = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
DisableTaskMgr = 1
It modifies the following registry entries to hide files with Hidden attributes:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = 0
(Note: The default value data of the said registry entry is 1.)
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = 0
(Note: The default value data of the said registry entry is 1.)
Rogue Antivirus Routine
This Trojan displays fake alerts that warn users of infection. It also displays fake scanning results of the affected system. It then asks for users to purchase it once scanning is completed. If users decide to purchase the rogue product, users are directed to a certain website asking for sensitive information, such as credit card numbers.