HEUR:Trojan.Win32.Generic (Kaspersky), FraudTool.Win32.FakeRean.mco (v) (VIPRE), Trojan.SuspectCRC!IK (Emsisoft), Fake-AV.Win32.FakeRean.2.FD, FakeAVWin32FakeRean.YR (Lavasoft MAS)Behaviour: Trojan, Fake-AV
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 8352c9a6f3a26b797771e740e32fb1d8
SHA1: fd4274a452399fca86c35fb71444a12e329f6004
SHA256: bae69b3b4264d7df480943b3e03bc8ef42e76006f2e821937661e94d64999d5c
SSDeep: 6144:kfgrmfODBhJXHT7H9s5IxsZHOejMYrJ0C:kd0jT7Hu5zrjjCC
Size: 231431 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: Armadillov171, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, UPolyXv05_v6
Company: no certificate found
Created at: 2011-05-14 23:50:40
Summary: Fake-AV. FakeAV programs generate exaggerated threat reports on the compromised computer then ask the user to purchase a registered version to remove those reported threats.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Fake-AV creates the following process(es):
Reader_sl.exe:1064
wuauclt.exe:344
8352c9a6f3a26b797771e740e32fb1d8.exe:1480
igp.exe:2012
jusched.exe:1056
The Fake-AV injects its code into the following process(es):
igp.exe:224
File activity
The process wuauclt.exe:344 makes changes in a file system.
The Fake-AV creates and/or writes to the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
The Fake-AV deletes the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)
The process 8352c9a6f3a26b797771e740e32fb1d8.exe:1480 makes changes in a file system.
The Fake-AV creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\igp.exe (231 bytes)
The process igp.exe:224 makes changes in a file system.
The Fake-AV creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\bdi6808m2t72hbeeko3 (227 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bdi6808m2t72hbeeko3 (227 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\bdi6808m2t72hbeeko3 (227 bytes)
%Documents and Settings%\%current user%\Templates\bdi6808m2t72hbeeko3 (227 bytes)
The Fake-AV deletes the following file(s):
C:\8352c9a6f3a26b797771e740e32fb1d8.exe (0 bytes)
The process jusched.exe:1056 makes changes in a file system.
The Fake-AV creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)
Registry activity
The process Reader_sl.exe:1064 makes changes in a system registry.
The Fake-AV creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process 8352c9a6f3a26b797771e740e32fb1d8.exe:1480 makes changes in a system registry.
The Fake-AV creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D5 10 A8 0F 4E 07 39 C2 17 86 FE 9B 9C 53 85 35"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = "0"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DoNotAllowExceptions" = "0"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
The following service is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess]
"Start" = "4"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
The process igp.exe:224 makes changes in a system registry.
The Fake-AV creates and/or sets the following values in system registry:
[HKCU\Software\Classes\exefile\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\igp.exe -a %1 %*"
[HKCU\Software\Classes\exefile\shell\runas\command]
"IsolatedCommand" = "%1 %*"
[HKCU\Software\Classes\exefile]
"(Default)" = "Application"
[HKCU\Software\Classes\.exe\shell\runas\command]
"IsolatedCommand" = "%1 %*"
[HKLM\SOFTWARE\Clients\StartMenuInternet]
"(Default)" = "IEXPLORE.EXE"
[HKCU\Software\Classes\exefile\shell\open\command]
"IsolatedCommand" = "%1 %*"
[HKCU\Software\Classes\.exe\shell\runas\command]
"(Default)" = "%1 %*"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKCU\Software\Classes\exefile\shell\runas\command]
"(Default)" = "%1 %*"
[HKCU\Software\Classes\exefile]
"Content Type" = "application/x-msdownload"
[HKCU\Software\Classes\.exe\shell\open\command]
"IsolatedCommand" = "%1 %*"
[HKCU\Software\Classes\.exe]
"(Default)" = "exefile"
[HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\igp.exe -a %Program Files%\Internet Explorer\iexplore.exe"
[HKCU\Software\Classes\exefile\DefaultIcon]
"(Default)" = "%1"
[HKCU\Software\Microsoft\Windows]
"Identity" = "2278697780"
[HKCU\Software\Classes\.exe\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\igp.exe -a %1 %*"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 00 2C EE ED C5 84 5B 70 00 5B 38 11 CF 2C BB"
[HKCU\Software\Classes\.exe\DefaultIcon]
"(Default)" = "%1"
[HKCU\Software\Classes\.exe]
"Content Type" = "application/x-msdownload"
To automatically run itself each time Windows is booted, the Fake-AV adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe" = "%System%\ctfmon.exe"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://vawinofemu.com/1023000113 | 209.99.40.219 |
| hxxp://hehabocawezawe.com/1023000113 | 208.73.211.247 |
| wyciwywyt.com | Unresolvable |
| vokixehimal.com | Unresolvable |
| vuxipupuhaz.com | Unresolvable |
| xitytusahysese.com | Unresolvable |
| rygemakub.com | Unresolvable |
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
wuauclt.exe:344
8352c9a6f3a26b797771e740e32fb1d8.exe:1480
igp.exe:2012 - Delete the original Fake-AV file.
- Delete or disinfect the following files created/modified by the Fake-AV:
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\igp.exe (231 bytes)
%Documents and Settings%\All Users\Application Data\bdi6808m2t72hbeeko3 (227 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bdi6808m2t72hbeeko3 (227 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\bdi6808m2t72hbeeko3 (227 bytes)
%Documents and Settings%\%current user%\Templates\bdi6808m2t72hbeeko3 (227 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe" = "%System%\ctfmon.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.