Trojan.FakeAlert.CYD (BitDefender), Rogue:Win32/FakeWuav (Microsoft), Trojan-FakeAV.Win32.Agent.rob (Kaspersky), Trojan-Downloader.Win32.Cutwail.bw (v) (VIPRE), BackDoor.Bulknet.713 (DrWeb), Gen:Variant.Symmi.39079 (B) (Emsisoft), Artemis!6882C02D396D (McAfee), Trojan.Gen (Symantec), Win32.SuspectCrc (Ikarus), Trojan.FakeAlert.CYD (FSecure), SHeur4.AKLO (AVG), Win32:Malware-gen (Avast), TROJ_FAKEAV.IJG (TrendMicro), Trojan.FakeAlert.CYD (AdAware), FakeAVWinUltraAntivirus.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Fake-AV
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 6882c02d396d287ddfb3717bb717bead
SHA1: 6b624c2f75cafea9a811c3333f1d1c9e4aa5c2b9
SHA256: 51a0624bf63d13e7779c05839399bbe998aa8d6dcc7de44d1f0f2e4f3af67d73
SSDeep: 24576:0KNSUgJFquxjjhSW0L a097w8UNL12k3TruoEMtRHwhjcUX5FDRtI79RDUhTD:0pJouxjhT1N97JUek3PB7tlGgsD7I7L0
Size: 1315776 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-07-10 03:04:37
Analyzed on: WindowsXP SP3 32-bit
Summary: Fake-AV. FakeAV programs generate exaggerated threat reports on the compromised computer then ask the user to purchase a registered version to remove those reported threats.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Fake-AV creates the following process(es):
%original file name%.exe:404
The Fake-AV injects its code into the following process(es):
svchost.exe:364
File activity
The process %original file name%.exe:404 makes changes in the file system.
The Fake-AV creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@ww9.taronjax[1].txt (174 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%System%\drivers\19044.sys (1333 bytes)
Registry activity
The process %original file name%.exe:404 makes changes in the system registry.
The Fake-AV creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 19 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 FF E1 A1 54 51 9A 48 66 3F D1 32 DC 96 D3 A6"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\WinUltraAntivirus]
"Options" = "B0 00 00 00 76 47 FD 15 10 DA 60 08 76 BE BD 36"
The Fake-AV modifies IE security zone settings so that all local web-nodes whose names contain no dots and that are not assigned to any other zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Fake-AV modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Fake-AV modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To run itself automatically each time Windows boots, the Fake-AV adds a reference to its file under the following autorun key in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"wazibtuqtugp" = "c:\%original file name%.exe"
The Fake-AV deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Screenshot
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:404
- Delete the original Fake-AV file.
- Delete or disinfect the following files created/modified by the Fake-AV:
%Documents and Settings%\%current user%\Cookies\Current_User@ww9.taronjax[1].txt (174 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%System%\drivers\19044.sys (1333 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"wazibtuqtugp" = "c:\%original file name%.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 3648 | 4096 | 4.61957 | e7cb61205d99306a100d26d924dcfe03 |
.rdata | 8192 | 348 | 512 | 2.23719 | e671bb83b34c7d2e3af6fb231f2f9b51 |
.data | 12288 | 1477 | 512 | 3.9493 | d838ba631da4f2956804ff48ec3e9068 |
.rsrc | 16384 | 1306936 | 1307136 | 5.54409 | f40917c69f6f202e2dbe1e683c1776b1 |
.reloc | 1327104 | 1224 | 1536 | 0.905678 | e579c52409435df64dd34786b7001808 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://taronjax.biz/ | |
hxxp://ww9.taronjax.biz/ | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: ww9.taronjax.biz
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 25 Apr 2014 02:18:59 GMT
Server: Apache
Set-Cookie: vsid=912vr1459379398312074; expires=Wed, 24-Apr-2019 02:18:59 GMT; path=/; domain=ww9.taronjax.biz; httponly
X-Frame-Options: DENY
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKrfIMFkSaoTSqKmC BrghK0CpDHc0MuVzmMHin8LIORhpXbped iYhSnZurWnEO0zcKcVIrzp026LVc5pMB9bUCAwEAAQ==_PiQCuGJBQc444nooSLp6f0y6KsoCWVwp30z2b2uoiR dBADcjhoo37DYNt9OXDhtta 3pavmcwXhDUY2woIo/g==
Vary: Accept-Encoding,User-Agent
Content-Length: 1674
Keep-Alive: timeout=5, max=126
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC> <html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKrfIMFkSaoTSqKmC BrghK0CpDHc0MuVzmMHin8LIORhpXbped iYhSnZurWnEO0zcKcVIrzp026LVc5pMB9bUCAwEAAQ==_PiQCuGJBQc444nooSLp6f0y6KsoCWVwp30z2b2uoiR dBADcjhoo37DYNt9OXDhtta 3pavmcwXhDUY2woIo/g==" >..<head>.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>ww9.taronjax.biz</title>.. <style type="text/css">*{margin:0; padding:0; border: 0; overflow:hidden} html, body {height: 100%;}</style>..</head>..<body width="100%" height="100%">..<noscript><meta http-equiv="refresh" content="0;url=hXXp://imptestrm.com/rg-erdr.php?_dnm=ww9.taronjax.biz&_cfrg=1&_drid=as-drid-2785238728561422" /><center><p style="padding:1em; font-size:1.5em;">For search results please <a href="hXXp://imptestrm.com/rg-erdr.php?_dnm=ww9..
POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: taronjax.biz
Connection: Keep-Alive
Cache-Control: no-cache
....rn....[*..h
q.@.......m..H
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 25 Apr 2014 01:52:12 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.4.4-14 deb7u8
Location: hXXp://ww9.taronjax.biz
Vary: Accept-Encoding
Content-Length: 0
Map
The Fake-AV connects to the servers at the following location(s):
Strings from Dumps
svchost.exe_364:
.text
`.rdata
@.data
.rsrc
@.reloc
operator
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
2F955169-0B34-49c5-B512-9CAF1D995335
GdiplusShutdown
gdiplus.dll
SHLWAPI.dll
KERNEL32.dll
USER32.dll
GDI32.dll
RegCreateKeyA
RegOpenKeyA
RegCloseKey
ADVAPI32.dll
ole32.dll
GetCPInfo
zcÁ
.hS *
\^#%f
%@.OV;
%7XV®1
KERNEL32.DLL
mscoree.dll
svchost.exe_364_rwx_04000000_00018000:
.text
`.rdata
@.data
.rsrc
@.reloc
operator
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
2F955169-0B34-49c5-B512-9CAF1D995335
GdiplusShutdown
gdiplus.dll
SHLWAPI.dll
KERNEL32.dll
USER32.dll
GDI32.dll
RegCreateKeyA
RegOpenKeyA
RegCloseKey
ADVAPI32.dll
ole32.dll
GetCPInfo
zcÁ
.hS *
\^#%f
%@.OV;
%7XV®1
KERNEL32.DLL
mscoree.dll