Gen:Variant.Zbot.40 (BitDefender), Rogue:Win32/FakeRean (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), FraudTool.Win32.FakeRean.e (v) (VIPRE), Trojan.Fakealert.20509 (DrWeb), Gen:Variant.Zbot.40 (B) (Emsisoft), FakeAlert-Rena.c (McAfee), Trojan.FakeAV!gen69 (Symantec), Trojan.Fakeav (Ikarus), Gen:Variant.Zbot.40 (FSecure), FakeAlert (AVG), Win32:Renosa-G [Wrm] (Avast), TROJ_FAKEAL.SMQP (TrendMicro), Backdoor.Win32.PcClient.FD, Fake-AV.Win32.FakeRean.2.FD, Trojan.Win32.IEDummy.FD, FakeAVWin32FakeRean.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Fake-AV
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 8aa08f558416d865010282e43999daf3
SHA1: 4ab782ff83764eaf163267f1926a379bbb59cb8b
SHA256: 677ffa33712aed820a3d8386911b7b8f162b4d8d67c4305e715431bfd90b5c1f
SSDeep: 12288:zugvybZAxdnK3UuCXuLtqO7qkchOz41Rnxr UHYwqqRXDGU :zugabKdK3UKckc 4Xh/PqqR
Size: 507904 bytes
File type: DLL
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: F
Created at: 2001-10-19 23:03:58
Analyzed on: WindowsXP SP3 32-bit
Summary: Fake-AV. FakeAV programs generate exaggerated threat reports on the compromised computer and then ask the user to purchase a registered version to remove those reported threats.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Fake-AV creates the following process(es):
imapi.exe:816
ilSyo.exe:404
regsvr32.exe:1288
The Fake-AV injects its code into the following process(es):
uyk.exe:564
rundll32.exe:1100
iexplore.exe:216
File activity
The process imapi.exe:816 makes changes in the file system.
The Fake-AV creates and/or writes to the following file(s):
%WinDir%\Temp\ihm6nvg8.TMP (146970 bytes)
The process uyk.exe:564 makes changes in the file system.
The Fake-AV creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\jd0304a8d3q3q1q3u (251 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jd0304a8d3q3q1q3u (251 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jd0304a8d3q3q1q3u (251 bytes)
%Documents and Settings%\%current user%\Templates\jd0304a8d3q3q1q3u (251 bytes)
The Fake-AV deletes the following file(s):
C:\8aa08f558416d865010282e43999daf3.dll (0 bytes)
The process ilSyo.exe:404 makes changes in the file system.
The Fake-AV creates and/or writes to the following file(s):
%System%\2p15x.dll (192 bytes)
The process regsvr32.exe:1288 makes changes in the file system.
The Fake-AV creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ilSyo.exe (192 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uyk.exe (1788 bytes)
The process iexplore.exe:216 makes changes in the file system.
The Fake-AV deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ilSyo.exe (0 bytes)
Registry activity
Note that the Cryptography\RNG "Seed", Explorer\Shell Folders, Explorer\MountPoints2 and Tracing\Microsoft\Imapi entries listed below are ordinary side effects of processes calling CryptoAPI, the shell and the IMAPI service; they are not indicators of this sample. The entries that matter are the .exe file-association hijack written by uyk.exe, the COM InProcServer32 redirection to %System%\2p15x.dll written by ilSyo.exe, and the Security Center / firewall tampering written by regsvr32.exe.
The process imapi.exe:816 makes changes in the system registry.
The Fake-AV creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 FE 25 27 64 D8 82 19 FD A1 4D 3D DA CF BE 39"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi]
"ControlFlags" = "1"
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi\ImapiSvc]
"BitNames" = " ImapiDebugError ImapiDebugWarning ImapiDebugTrace ImapiDebugInfo ImapiDebugX ImapiDebugSort"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi\ImapiSvc]
"Guid" = "8107d8e9-e323-49f5-bba2-abc35c243dca"
The process uyk.exe:564 makes changes in the system registry.
The Fake-AV creates and/or sets the following values in system registry:
[HKCU\Software\Classes\exefile\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\uyk.exe -a %1 %*"
[HKCU\Software\Classes\exefile\shell\runas\command]
"IsolatedCommand" = "%1 %*"
[HKCU\Software\Classes\exefile]
"(Default)" = "Application"
[HKCU\Software\Classes\.exe\shell\runas\command]
"IsolatedCommand" = "%1 %*"
[HKLM\SOFTWARE\Clients\StartMenuInternet]
"(Default)" = "IEXPLORE.EXE"
[HKCU\Software\Classes\exefile\shell\open\command]
"IsolatedCommand" = "%1 %*"
[HKCU\Software\Classes\.exe\shell\runas\command]
"(Default)" = "%1 %*"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKCU\Software\Classes\exefile\shell\runas\command]
"(Default)" = "%1 %*"
[HKCU\Software\Classes\exefile]
"Content Type" = "application/x-msdownload"
[HKCU\Software\Classes\.exe\shell\open\command]
"IsolatedCommand" = "%1 %*"
[HKCU\Software\Classes\.exe]
"(Default)" = "exefile"
[HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\uyk.exe -a %Program Files%\Internet Explorer\iexplore.exe"
[HKCU\Software\Classes\exefile\DefaultIcon]
"(Default)" = "%1"
[HKCU\Software\Microsoft\Windows]
"Identity" = "2949954561"
[HKCU\Software\Classes\.exe\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\uyk.exe -a %1 %*"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 DF 55 AB EB BA FE 66 0A CA 95 8E B0 48 04 37"
[HKCU\Software\Classes\.exe\DefaultIcon]
"(Default)" = "%1"
[HKCU\Software\Classes\.exe]
"Content Type" = "application/x-msdownload"
The process also writes the following value to the user's autorun key. The value points at the legitimate %System%\ctfmon.exe (the Windows text-services loader), not at a file dropped by the sample, so it is not the persistence mechanism. Persistence comes from the exefile and .exe shell\open\command values above, which make the shell run uyk.exe -a <program> every time the user launches any executable, and from the StartMenuInternet entry that does the same for Internet Explorer:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe" = "%System%\ctfmon.exe"
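The file-association hijack above is the part of this infection that must be undone before any dropped file is deleted: once uyk.exe is gone, a handler of "uyk.exe -a %1 %*" makes every .exe launch fail. The script below is an added example, not part of the Lavasoft report; it assumes PowerShell 2.0 or later, run elevated as the infected user (the per-user keys live in that user's HKCU, the StartMenuInternet key in HKLM). It relies on HKCR being a merged view in which HKCU\Software\Classes overrides HKLM\Software\Classes, so deleting the per-user .exe and exefile keys brings the machine default "%1" %* back.

```powershell
# Added example (not from the report): detect and undo the per-user .exe handler
# hijack and the StartMenuInternet redirection. Assumes PowerShell 2.0+, elevated,
# running as the infected user.

$ExpectedHandler = '"%1" %*'
$UserClassKeys   = 'HKCU:\Software\Classes\.exe', 'HKCU:\Software\Classes\exefile'
$SmiCommandKey   = 'HKLM:\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command'
$BackupDir       = Join-Path $env:TEMP 'exefile-hijack-backup'

function Get-DefaultValue {
    # Returns the (Default) value of a registry key, or $null if the key is absent.
    param([string]$Key)
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    return (Get-Item -LiteralPath $Key).GetValue('')
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($key in $UserClassKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $cmd = Get-DefaultValue (Join-Path $key 'shell\open\command')
    if ($cmd) { Write-Warning "$key launches every program through: $cmd" }

    # Export before deleting so the evidence survives (reg.exe ships with XP and later).
    $name = ($key.Split('\')[-1]).TrimStart('.')
    & reg.exe export ($key -replace '^HKCU:', 'HKCU') (Join-Path $BackupDir "$name.reg") | Out-Null
    Remove-Item -LiteralPath $key -Recurse -Force
    Write-Host "Removed per-user override $key"
}

# Internet Explorer is launched through "uyk.exe -a <iexplore.exe>"; put the real path back.
$smi = Get-DefaultValue $SmiCommandKey
if ($smi -and $smi -match 'uyk\.exe') {
    Write-Warning "StartMenuInternet command hijacked: $smi"
    $ie = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'
    Set-ItemProperty -LiteralPath $SmiCommandKey -Name '(default)' -Value $ie
}

# Verify the merged view the shell will actually use.
$effective = Get-DefaultValue 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
if ($effective -eq $ExpectedHandler) {
    Write-Host "exefile handler is back to $effective"
} else {
    Write-Warning "exefile handler is still '$effective'; inspect HKLM\SOFTWARE\Classes\exefile as well"
}
```

If the final check still reports a hijacked handler, the override is in HKLM\SOFTWARE\Classes rather than the per-user hive; this sample only writes the HKCU copy, so that would point at a second infection.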
The process rundll32.exe:1100 makes changes in the system registry.
The Fake-AV creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 39 4F C8 68 13 2B CE 2C A8 4F 86 E4 FE 50 42"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The process ilSyo.exe:404 makes changes in the system registry.
The Fake-AV creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 94 B7 23 BA 7E A4 25 88 27 2C 47 6C 3B E5 DD"
[HKCR\CLSID\{750fdf0e-2a26-11d1-a3ea-080036587f03}\InProcServer32]
"ThreadingModel" = "Apartment"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCR\CLSID\{750fdf0e-2a26-11d1-a3ea-080036587f03}\InProcServer32]
"(Default)" = "%System%\2p15x.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer]
"6553e2ef" = "82 6F 8E DF 81 00 00 00 0C 02 3D 68 B9 7C 08 51"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"6553e2ef" = "82 6F 8E DF 81 00 00 00 0C 02 3D 68 B9 7C 08 51"
The process regsvr32.exe:1288 makes changes in the system registry.
The Fake-AV creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 99 AE 72 8C F5 F9 B7 58 47 20 17 3F EB F4 7D"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
"UpdatesDisableNotify" = "1"
"FirewallOverride" = "1"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = "0"
"DoNotAllowExceptions" = "0"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
The following service is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess]
"Start" = "4"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
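The values regsvr32.exe writes above do two things: the Security Center Override and DisableNotify values suppress the "your computer might be at risk" warnings, and the FirewallPolicy values plus SharedAccess Start = 4 turn the Windows Firewall off and keep it from starting at boot. The script below is an added example, not part of the report; it assumes an elevated PowerShell session on the affected Windows XP SP3 host, where the firewall runs inside the SharedAccess service, and that a clean host has none of the Override/DisableNotify values set. Run it without arguments to audit, with -Fix to revert.

```powershell
# Added example (not from the report): audit and revert the Security Center and
# Windows Firewall tampering performed by regsvr32.exe. Assumes an elevated session
# on Windows XP SP3 (firewall = SharedAccess service).
param([switch]$Fix)

$SecurityCenter = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$FirewallPolicy = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$Profiles       = 'StandardProfile', 'DomainProfile'
# These values silence Security Center; they are absent (or 0) on a clean host.
$OverrideValues = 'AntiVirusOverride', 'AntiVirusDisableNotify',
                  'FirewallOverride', 'FirewallDisableNotify', 'UpdatesDisableNotify'

$findings = @()

$sc = Get-ItemProperty -LiteralPath $SecurityCenter -ErrorAction SilentlyContinue
foreach ($name in $OverrideValues) {
    if ($sc -and $sc.$name -eq 1) { $findings += "Security Center\$name = 1" }
}

foreach ($profile in $Profiles) {
    $p = Get-ItemProperty -LiteralPath "$FirewallPolicy\$profile" -ErrorAction SilentlyContinue
    if ($p -and $p.EnableFirewall -eq 0)       { $findings += "$profile EnableFirewall = 0" }
    if ($p -and $p.DisableNotifications -eq 1) { $findings += "$profile DisableNotifications = 1" }
}

$svc = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -ne 'Running') { $findings += "SharedAccess (Windows Firewall) service is $($svc.Status)" }
if ((Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess').Start -eq 4) {
    $findings += 'SharedAccess Start = 4 (Disabled)'
}

if ($findings.Count -eq 0) { Write-Host 'No Security Center / firewall tampering found'; return }
$findings | ForEach-Object { Write-Warning $_ }
if (-not $Fix) { return }

# Revert: drop the override values, re-enable the firewall in both profiles,
# and bring the service back. Set-Service goes through the SCM, so the new start
# type takes effect without a reboot.
foreach ($name in $OverrideValues) {
    Remove-ItemProperty -LiteralPath $SecurityCenter -Name $name -ErrorAction SilentlyContinue
}
foreach ($profile in $Profiles) {
    Set-ItemProperty -LiteralPath "$FirewallPolicy\$profile" -Name EnableFirewall -Value 1 -Type DWord
    Set-ItemProperty -LiteralPath "$FirewallPolicy\$profile" -Name DisableNotifications -Value 0 -Type DWord
}
Set-Service -Name SharedAccess -StartupType Automatic
Start-Service -Name SharedAccess
Write-Host 'Security Center overrides removed, firewall policy re-enabled, SharedAccess started'
```

The DoNotAllowExceptions = 0 values the report lists are the default (exceptions allowed) and are left alone. Re-enabling the firewall is only meaningful after the dropped binaries and the file-association hijack have been removed, otherwise the sample can simply write the values again.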
The process iexplore.exe:216 makes changes in the system registry.
The Fake-AV creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 22 1B 59 E4 8E C1 EE 82 87 BE 1B 9D B3 0C 91"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer]
"6553e2ef" = "99 69 E3 F9 34 01 00 00 0C 2E 18 68 03 E0 A7 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"6553e2ef" = "99 69 E3 F9 34 01 00 00 0C 2E 18 68 03 E0 A7 01"
Network activity (URLs)
URL | IP |
---|---|
hxxp://vehyraceke.com/6bH3p Kx96fhtPen4w | 208.73.211.247 |
ypyrezaba.com | 69.43.161.170 |
utuhubolype.com | 69.43.161.170 |
igotiroda.com | 208.73.211.247 |
ydijajyb.com | 69.43.161.170 |
ykilyxagesop.com | 208.73.211.230 |
xibipijuxoj.com | Unresolvable |
pubyhixasuhu.com | Unresolvable |
curibygerulusi.com | Unresolvable |
ygywiguxake.com | Unresolvable |
gygokelara.com | Unresolvable |
kepehukoc.com | Unresolvable |
zizybilyxu.com | Unresolvable |
zotaziweboxe.com | Unresolvable |
jewarowydyni.com | Unresolvable |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal
- Terminate the malicious process(es) (the process IDs are those observed in the analysis run; on another machine match by name and command line):
imapi.exe:816
ilSyo.exe:404
regsvr32.exe:1288
- Restore the .exe file association before deleting uyk.exe, otherwise no program will launch afterwards. Delete the per-user override keys [HKCU\Software\Classes\.exe] and [HKCU\Software\Classes\exefile] (the machine default "%1" %* from HKLM then applies again) and set [HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command] back to "%Program Files%\Internet Explorer\iexplore.exe".
- Delete the original Fake-AV file.
- Delete or disinfect the following files created/modified by the Fake-AV:
%WinDir%\Temp\ihm6nvg8.TMP (146970 bytes)
%Documents and Settings%\All Users\Application Data\jd0304a8d3q3q1q3u (251 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jd0304a8d3q3q1q3u (251 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jd0304a8d3q3q1q3u (251 bytes)
%Documents and Settings%\%current user%\Templates\jd0304a8d3q3q1q3u (251 bytes)
%System%\2p15x.dll (192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ilSyo.exe (192 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uyk.exe (1788 bytes)
- Check [HKCR\CLSID\{750fdf0e-2a26-11d1-a3ea-080036587f03}\InProcServer32], whose "(Default)" was pointed at %System%\2p15x.dll; the analysis did not record the original value, so restore it from a clean installation.
- Restore the Security Center and firewall settings changed under [HKLM\SOFTWARE\Microsoft\Security Center], [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy] and the SharedAccess service "Start" value (see Registry activity above).
- Review the following value in the autorun key. It points at the legitimate %System%\ctfmon.exe rather than at a dropped file, so deleting it does not remove the infection; delete it only if it is not wanted:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe" = "%System%\ctfmon.exe"
- Clean the Temporary Internet Files folder, which may contain infected files.
- Reboot the computer.
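The manual steps above as a script, for the process-, file- and COM-related items (the .exe association and the Security Center settings are handled in the earlier examples, so this one only repeats the two-line association cleanup that must precede deleting uyk.exe). This is an added example, not part of the report; it assumes an elevated PowerShell 2.0+ session as the infected user on the analysed XP SP3 host. The sandbox PIDs (816, 404, 1288) mean nothing on another machine, so processes are matched by image name and command line; imapi.exe is the legitimate IMAPI CD-burning service and is not killed by name.

```powershell
# Added example (not from the report): scripted removal of the dropped files and
# processes. Assumes elevated PowerShell 2.0+ as the infected user on XP SP3.

$SampleDll    = '8aa08f558416d865010282e43999daf3.dll'
$DroppedNames = 'ilSyo.exe', 'uyk.exe'

# 1. Restore the .exe handler before uyk.exe is removed: otherwise every program the
#    user launches fails once the hijacked handler's target is gone.
foreach ($key in 'HKCU:\Software\Classes\.exe', 'HKCU:\Software\Classes\exefile') {
    if (Test-Path -LiteralPath $key) { Remove-Item -LiteralPath $key -Recurse -Force }
}

# 2. Stop the dropped executables and any host process (regsvr32, rundll32, iexplore)
#    whose command line references the sample DLL or the COM payload 2p15x.dll.
Get-WmiObject -Class Win32_Process | Where-Object {
    ($DroppedNames -contains $_.Name) -or
    ($_.CommandLine -and $_.CommandLine -match [regex]::Escape($SampleDll)) -or
    ($_.CommandLine -and $_.CommandLine -match '2p15x\.dll')
} | ForEach-Object {
    Write-Host ("Terminating {0} (PID {1}): {2}" -f $_.Name, $_.ProcessId, $_.CommandLine)
    $null = $_.Terminate()
}

# 3. Dropped files, with the report's %...% placeholders resolved for this user.
$common = [Environment]::GetFolderPath('CommonApplicationData')
$local  = [Environment]::GetFolderPath('LocalApplicationData')
$tmpl   = [Environment]::GetFolderPath('Templates')
$sys    = [Environment]::SystemDirectory
$Files  = @(
    (Join-Path $env:windir 'Temp\ihm6nvg8.TMP'),
    (Join-Path $common   'jd0304a8d3q3q1q3u'),
    (Join-Path $env:TEMP 'jd0304a8d3q3q1q3u'),
    (Join-Path $local    'jd0304a8d3q3q1q3u'),
    (Join-Path $tmpl     'jd0304a8d3q3q1q3u'),
    (Join-Path $sys      '2p15x.dll'),
    (Join-Path $env:TEMP 'ilSyo.exe'),
    (Join-Path $local    'uyk.exe'),
    "C:\$SampleDll"
)
foreach ($f in $Files) {
    if (Test-Path -LiteralPath $f) {
        Write-Host "Deleting $f ($((Get-Item -LiteralPath $f).Length) bytes)"
        Remove-Item -LiteralPath $f -Force
    }
}

# 4. The COM server ilSyo.exe redirected to 2p15x.dll. The report does not record the
#    original InProcServer32 value, so this only reports it; restore it from a clean host.
$clsid = 'Registry::HKEY_CLASSES_ROOT\CLSID\{750fdf0e-2a26-11d1-a3ea-080036587f03}\InProcServer32'
if (Test-Path -LiteralPath $clsid) {
    $server = (Get-Item -LiteralPath $clsid).GetValue('')
    if ($server -match '2p15x\.dll') { Write-Warning "CLSID InProcServer32 still points at $server" }
}

# 5. The Run value the report lists points at the genuine %System%\ctfmon.exe, not at a
#    dropped file; it is reported rather than deleted.
$run = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.'ctfmon.exe') {
    Write-Host "Run\ctfmon.exe = $($run.'ctfmon.exe') (legitimate binary, left in place)"
}
```

Run the Security Center / firewall restoration only after this has completed, and reboot: iexplore.exe and rundll32.exe instances that had the sample's code injected may otherwise still be alive with the original file already unlinked.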