Gen:Variant.FakeAlert.88 (BitDefender), Rogue:Win32/FakeRean (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Packed.2190 (DrWeb), Gen:Variant.FakeAlert.88 (B) (Emsisoft), FakeAlert-Rena.p (McAfee), Trojan.FakeAV!gen69 (Symantec), Trojan.Fakealert (Ikarus), FakeAlert.AEQ (AVG), Win32:MalOb-GR [Cryp] (Avast), TROJ_FAKEAL.SMLA (TrendMicro), Fake-AV.Win32.FakeRean.2.FD, FakeAVWin32FakeRean.YR (Lavasoft MAS)
Behaviour: Trojan, Fake-AV, Packed
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 782f3dec1efa8afa822038c8e4cb6592
SHA1: f322e6fc191f831a36b8339468318cb99c07eece
SHA256: 20dfd4fc3f05a66636697c4d3c553a71a857eec6cc3f37bf1cdab51b81efc28c
SSDeep: 6144:0OGa5Lt8z25D2v4ESAnfbrdr8LQfVQ3MyUTlP8gOtdoZeyUFPlyT:t5LtFD2vRSAfbrdauVQ3MyUTN8DoZeNj
Size: 348160 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualCv71EXE, UPolyXv05_v6
Company: no certificate found
Created at: 2011-06-08 02:32:37
Summary: Fake-AV. Fake-AV programs generate exaggerated threat reports on the compromised computer and then ask the user to purchase a "registered" version to remove the threats they reported.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Fake-AV creates the following process(es):
%original file name%.exe:596
The Fake-AV injects its code into the following process(es):
lfe.exe:544
File activity
The process lfe.exe:544 makes changes in the file system.
The Fake-AV creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Application Data\shk8r7fr0x6mi6761618 (1152 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\shk8r7fr0x6mi6761618 (1152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\shk8r7fr0x6mi6761618 (1152 bytes)
%Documents and Settings%\%current user%\Templates\shk8r7fr0x6mi6761618 (1152 bytes)
%System%\wbem\Logs\wbemprox.log (76 bytes)
The Fake-AV deletes the following file(s):
C:\%original file name%.exe (0 bytes)
The process %original file name%.exe:596 makes changes in the file system.
The Fake-AV creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\lfe.exe (1629 bytes)
Registry activity
The process lfe.exe:544 makes changes in the system registry.
The Fake-AV creates and/or sets the following values in system registry:
[HKCU\Software\Classes\exefile\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\lfe.exe -a %1 %*"
[HKCU\Software\Classes\exefile\shell\runas\command]
"IsolatedCommand" = "%1 %*"
[HKCU\Software\Classes\exefile]
"(Default)" = "Application"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Clients\StartMenuInternet]
"(Default)" = "IEXPLORE.EXE"
[HKCU\Software\Classes\exefile\shell\open\command]
"IsolatedCommand" = "%1 %*"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKCU\Software\Classes\exefile\shell\runas\command]
"(Default)" = "%1 %*"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Classes\.exe\shell\open\command]
"IsolatedCommand" = "%1 %*"
[HKCU\Software\Classes\exefile\DefaultIcon]
"(Default)" = "%1"
[HKCU\Software\Classes\.exe]
"(Default)" = "exefile"
[HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\lfe.exe -a %Program Files%\Internet Explorer\iexplore.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Classes\exefile]
"Content Type" = "application/x-msdownload"
[HKCU\Software\Classes\.exe\shell\runas\command]
"(Default)" = "%1 %*"
"IsolatedCommand" = "%1 %*"
[HKCU\Software\Microsoft\Windows]
"Identity" = "1312246067"
[HKCU\Software\Classes\.exe\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\lfe.exe -a %1 %*"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 D9 E1 DE 66 40 CD 51 73 E4 DD 02 8D C1 85 F1"
[HKCU\Software\Classes\.exe\DefaultIcon]
"(Default)" = "%1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Classes\.exe]
"Content Type" = "application/x-msdownload"
The process %original file name%.exe:596 makes changes in the system registry.
The Fake-AV creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 BC 09 65 E4 A4 AE E7 87 59 EC 0D 7E 7F CE 56"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
"UpdatesDisableNotify" = "1"
"FirewallOverride" = "1"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = "0"
"DoNotAllowExceptions" = "0"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
The Fake-AV also sets the following value in the autorun key. The value points to %System%\ctfmon.exe, the Windows text-services component, not to a file the Fake-AV dropped; the entry that actually loads the Fake-AV is the lfe.exe value listed further down:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe" = "%System%\ctfmon.exe"
The Windows Firewall is disabled for the standard profile:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
The SharedAccess service (Windows Firewall/Internet Connection Sharing) is set to Disabled (Start = 4), so the firewall cannot be started again until this value is restored:
[HKLM\System\CurrentControlSet\Services\SharedAccess]
"Start" = "4"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
To automatically run itself each time Windows is booted, the Fake-AV adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"413828066" = "%Documents and Settings%\%current user%\Local Settings\Application Data\lfe.exe"
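The registry entries above show three things worth checking on any host suspected of carrying this family. First, the per-user .exe and exefile handlers under HKCU\Software\Classes are pointed at "lfe.exe -a %1 %*", so every program the user starts is launched through lfe.exe with the real target passed as its argument, and the Internet Explorer Start Menu command is redirected the same way. Second, the Security Center "Override" and "DisableNotify" values silence the antivirus, firewall and update warnings while the firewall profiles and the SharedAccess service are switched off. Third, a Run value with a random numeric name loads lfe.exe from the user's Local Application Data. The following Python is an added example, not part of the Lavasoft report, that encodes those three checks as detection logic and runs them over a constructed snapshot of the entries listed above; the SNAPSHOT dict, the placeholder paths kept as literal strings, and the "user-writable location" heuristic are assumptions of the example.

```python
"""Detection checks for the registry changes this report lists.

Added example, not part of the Lavasoft report.  SNAPSHOT is a constructed
{key: {value name: data}} transcription of the entries above, with the
report's placeholders (%Documents and Settings%, %System%, ...) kept as
literal strings.  On a live Windows host the same dict would be filled
from the winreg module (not shown here).
"""
import re

SNAPSHOT = {
    r"HKCU\Software\Classes\.exe": {"(Default)": "exefile"},
    r"HKCU\Software\Classes\.exe\shell\open\command": {
        "(Default)": r"%Documents and Settings%\%current user%\Local Settings\Application Data\lfe.exe -a %1 %*",
        "IsolatedCommand": "%1 %*",
    },
    r"HKCU\Software\Classes\exefile\shell\open\command": {
        "(Default)": r"%Documents and Settings%\%current user%\Local Settings\Application Data\lfe.exe -a %1 %*",
        "IsolatedCommand": "%1 %*",
    },
    r"HKCU\Software\Classes\exefile\shell\runas\command": {"(Default)": "%1 %*"},
    r"HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command": {
        "(Default)": r"%Documents and Settings%\%current user%\Local Settings\Application Data\lfe.exe -a %Program Files%\Internet Explorer\iexplore.exe",
    },
    r"HKLM\SOFTWARE\Microsoft\Security Center": {
        "AntiVirusOverride": "1", "AntiVirusDisableNotify": "1",
        "FirewallOverride": "1", "FirewallDisableNotify": "1",
        "UpdatesDisableNotify": "1",
    },
    r"HKLM\System\CurrentControlSet\Services\SharedAccess": {"Start": "4"},
    r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile": {
        "EnableFirewall": "0", "DisableNotifications": "1", "DoNotAllowExceptions": "0",
    },
    r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile": {
        "EnableFirewall": "0", "DisableNotifications": "1", "DoNotAllowExceptions": "0",
    },
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "ctfmon.exe": r"%System%\ctfmon.exe",
        "413828066": r"%Documents and Settings%\%current user%\Local Settings\Application Data\lfe.exe",
    },
}

SECURITY_CENTER = r"HKLM\SOFTWARE\Microsoft\Security Center"
SHARED_ACCESS = r"HKLM\System\CurrentControlSet\Services\SharedAccess"
FIREWALL_POLICY = SHARED_ACCESS + r"\Parameters\FirewallPolicy"

# A clean .exe handler is "%1" %* (quotes optional): it runs the target itself.
CLEAN_EXE_HANDLER = re.compile(r'^"?%1"?\s+%\*$')
# Per-user .exe/exefile classes override HKLM; a normal profile does not carry them.
EXE_CLASS_KEY = re.compile(r"\\Classes\\(\.exe|exefile)\\", re.IGNORECASE)
# Profile locations a non-admin user can write to (heuristic; an assumption of this example).
USER_WRITABLE = re.compile(r"Application Data|Local Settings|\\Temp\\|%Temp%", re.IGNORECASE)


def first_executable(command):
    """Return the first .exe named in a shell command line, or None."""
    m = re.match(r'\s*"?(.*?\.exe)', command, re.IGNORECASE)
    return m.group(1) if m else None


def shell_command_hijacks(snapshot):
    """Flag shell\\open\\command handlers that interpose another binary.

    Rule 1: a per-user .exe/exefile handler that is not "%1" %* runs every
    program the user starts through someone else's code (lfe.exe -a %1 %*).
    Rule 2: any open\\command whose first executable lives in a user-writable
    profile directory, which catches the redirected IEXPLORE.EXE entry.
    """
    hits = []
    for key in sorted(snapshot):
        if not key.lower().endswith(r"\shell\open\command"):
            continue
        command = snapshot[key].get("(Default)", "")
        if not command:
            continue
        exe = first_executable(command)
        if EXE_CLASS_KEY.search(key):
            if not CLEAN_EXE_HANDLER.match(command):
                hits.append((key, exe or command))
        elif exe and USER_WRITABLE.search(exe):
            hits.append((key, exe))
    return hits


def security_tampering(snapshot):
    """Security Center overrides, disabled firewall profiles, disabled SharedAccess service."""
    findings = []
    for name, data in snapshot.get(SECURITY_CENTER, {}).items():
        if name.endswith(("Override", "DisableNotify")) and data == "1":
            findings.append((SECURITY_CENTER, name, data))
    for profile in ("StandardProfile", "DomainProfile"):
        key = FIREWALL_POLICY + "\\" + profile
        values = snapshot.get(key, {})
        if values.get("EnableFirewall") == "0":
            findings.append((key, "EnableFirewall", "0"))
        if values.get("DisableNotifications") == "1":
            findings.append((key, "DisableNotifications", "1"))
    if snapshot.get(SHARED_ACCESS, {}).get("Start") == "4":  # 4 = SERVICE_DISABLED
        findings.append((SHARED_ACCESS, "Start", "4"))
    return findings


def suspicious_autoruns(snapshot):
    """Run values that load from a user-writable path or carry a purely numeric name."""
    hits = []
    for key in sorted(snapshot):
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        for name, data in snapshot[key].items():
            if USER_WRITABLE.search(data) or name.isdigit():
                hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for label, findings in (("shell command hijack", shell_command_hijacks(SNAPSHOT)),
                            ("security tampering", security_tampering(SNAPSHOT)),
                            ("suspicious autorun", suspicious_autoruns(SNAPSHOT))):
        for finding in findings:
            print(f"[{label}] " + " | ".join(finding))
```

Run against the snapshot, the first check reports the two per-user .exe handlers and the IEXPLORE.EXE command, all interposing lfe.exe; the second reports the five Security Center values, both firewall profiles and the disabled SharedAccess service; the third reports only the numeric "413828066" value, since the "ctfmon.exe" entry points into %System% rather than into the user profile.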
Network activity (URLs)
URL | IP |
---|---|
kovebesovurobo.com | Unresolvable |
burigiqesulaja.com | Unresolvable |
cajicuxekopyny.com | Unresolvable |
zykufareqybo.com | Unresolvable |
wucucudizo.com | Unresolvable |
sacunifupacamy.com | Unresolvable |
bajofehadipef.com | Unresolvable |
dyjazuxupurox.com | Unresolvable |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal
- Terminate the malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:596
lfe.exe:544
- Restore the per-user .exe file association before deleting lfe.exe. The Fake-AV points HKCU\Software\Classes\.exe and HKCU\Software\Classes\exefile at "lfe.exe -a %1 %*", so every program started under this user account is launched through lfe.exe; if lfe.exe is deleted first, those launches fail until the association is fixed. Delete the following per-user keys so that the machine-wide defaults under HKLM\SOFTWARE\Classes apply again (How to Work with System Registry):
[HKCU\Software\Classes\.exe]
[HKCU\Software\Classes\exefile]
Also restore the Internet Explorer Start Menu command that the Fake-AV redirected through lfe.exe:
[HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
- Delete the original Fake-AV file.
- Delete or disinfect the following files created/modified by the Fake-AV:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Application Data\shk8r7fr0x6mi6761618 (1152 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\shk8r7fr0x6mi6761618 (1152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\shk8r7fr0x6mi6761618 (1152 bytes)
%Documents and Settings%\%current user%\Templates\shk8r7fr0x6mi6761618 (1152 bytes)
%System%\wbem\Logs\wbemprox.log (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\lfe.exe (1629 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"413828066" = "%Documents and Settings%\%current user%\Local Settings\Application Data\lfe.exe"
"ctfmon.exe" = "%System%\ctfmon.exe" (this value points to the Windows text-services component, not to a Fake-AV file, so removing it is optional and does not by itself stop the Fake-AV)
- Re-enable the protections the Fake-AV switched off: set "EnableFirewall" back to 1 and "DisableNotifications" back to 0 under [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] and \DomainProfile, set "Start" of [HKLM\System\CurrentControlSet\Services\SharedAccess] back to 2 (Automatic), and set the "AntiVirusOverride", "AntiVirusDisableNotify", "FirewallOverride", "FirewallDisableNotify" and "UpdatesDisableNotify" values under [HKLM\SOFTWARE\Microsoft\Security Center] back to 0.
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
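To revert all of the registry changes listed in this report in one step rather than by hand, the following Python, an added example that is not part of the Lavasoft report or of Ad-Aware, writes a .reg file that deletes the per-user .exe/exefile keys (so the handler from HKLM\SOFTWARE\Classes applies again), removes the lfe.exe Run value, sets the Security Center and firewall DWORDs back to their Windows XP defaults, sets SharedAccess back to Automatic and re-points the Internet Explorer Start Menu command at iexplore.exe. Import the file with regedit before deleting lfe.exe so that programs keep launching for the affected user (.reg files open through the regfile handler, which the Fake-AV did not touch). The Internet Explorer install path and the output file name are assumptions of the example.

```python
r"""Generate a .reg undo file for the registry changes this report lists.

Added example, not part of the Lavasoft report or of Ad-Aware.  The DWORD
values written here are the Windows XP defaults that the listed entries
overwrote; the Internet Explorer path assumes a default install under
C:\Program Files, and the output file name is likewise an assumption.
"""

REG_HEADER = "Windows Registry Editor Version 5.00"

# Per-user keys to delete outright: a clean profile does not carry them and
# HKLM\SOFTWARE\Classes then supplies the .exe handler again.
DELETE_KEYS = [
    r"HKEY_CURRENT_USER\Software\Classes\.exe",
    r"HKEY_CURRENT_USER\Software\Classes\exefile",
]

# Individual values to delete: the Run entry that loads lfe.exe.
DELETE_VALUES = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": ["413828066"],
}

# DWORD values to set back to their defaults (Start 2 = SERVICE_AUTO_START).
RESTORE_DWORDS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center": {
        "AntiVirusOverride": 0, "AntiVirusDisableNotify": 0,
        "FirewallOverride": 0, "FirewallDisableNotify": 0,
        "UpdatesDisableNotify": 0,
    },
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess": {"Start": 2},
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile": {
        "EnableFirewall": 1, "DisableNotifications": 0,
    },
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile": {
        "EnableFirewall": 1, "DisableNotifications": 0,
    },
}

# "@" is the .reg spelling of the (Default) value.  Assumed default IE location.
RESTORE_STRINGS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command": {
        "@": r'"C:\Program Files\Internet Explorer\iexplore.exe"',
    },
}


def reg_string(value):
    """Quote a REG_SZ for a .reg file: escape backslashes first, then embedded quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def undo_reg(delete_keys=DELETE_KEYS, delete_values=DELETE_VALUES,
             dwords=RESTORE_DWORDS, strings=RESTORE_STRINGS):
    """Return the text of a .reg file (CRLF line endings, as regedit itself writes)."""
    lines = [REG_HEADER, ""]
    for key in delete_keys:                      # [-key] deletes the whole key
        lines += [f"[-{key}]", ""]
    for key, names in delete_values.items():     # "name"=- deletes one value
        lines.append(f"[{key}]")
        lines += [f'"{name}"=-' for name in names]
        lines.append("")
    for key, values in dwords.items():
        lines.append(f"[{key}]")
        lines += [f'"{name}"=dword:{data:08x}' for name, data in values.items()]
        lines.append("")
    for key, values in strings.items():
        lines.append(f"[{key}]")
        for name, data in values.items():
            lhs = "@" if name == "@" else f'"{name}"'
            lines.append(f"{lhs}={reg_string(data)}")
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    # regedit reads the 5.00 format as UTF-16 with a byte-order mark.
    with open("fakerean-undo.reg", "w", encoding="utf-16", newline="") as fh:
        fh.write(undo_reg())
    print("wrote fakerean-undo.reg; import it with regedit before deleting lfe.exe")
```

The backslash-then-quote escaping order in reg_string matters: .reg string values double every backslash and prefix embedded quotes with a backslash, so escaping quotes first would then double the backslash that was just added and regedit would reject the line.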