Gen:Variant.Backdoor.28 (BitDefender), Rogue:Win32/FakeRean (Microsoft), Trojan.Win32.FakeAV.dfjn (Kaspersky), Trojan.Win32.Generic.pak!cobra (VIPRE), Trojan.Fakealert.21346 (DrWeb), Trojan.Win32.FakeAV!IK (Emsisoft), a variant of Win32/Kryptik.OEZ (NOD32), FakeAlert-Rena.j (McAfee), Trojan.Win32.FakeAV (Ikarus), Gen:Variant.Backdoor.28 (FSecure), Generic22.BMEQ (AVG), Win32:Renosa-I (Avast), TROJ_GEN.RC1C2EQ (TrendMicro), Fake-AV.Win32.FakeRean.2.FD, FakeAVWin32FakeRean.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor, Fake-AV
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 19fbd6ef76784f7ca3506a04614ea7de
SHA1: b24f771cbf8540ff54e09f4cd8e8e15b38ee0d94
SHA256: a624481deaa74b9e53ec7bbcbf7536b5b662ed551e5d742ae385620952e677be
SSDeep: 6144:7O/CIsphl2lGlVimnVSvL8dsK1cUil2T7Wmcy8CwOL80u6yDnYD:XD4Gl7nYv21cM/vcyJBRD
Size: 339968 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualCv71EXE, UPolyXv05_v6
Company: no certificate found
Created at: 2008-04-13 21:33:31
Analyzed on: WindowsXP SP3 32-bit
Summary: Fake-AV. FakeAV programs generate exaggerated threat reports on the compromised computer then ask the user to purchase a registered version to remove those reported threats.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Fake-AV creates the following process(es):
%original file name%.exe:1888
The Fake-AV injects its code into the following process(es):
pau.exe:2016
File activity
The process pau.exe:2016 makes changes in the file system.
The Fake-AV creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\2473r6jx4l743x0v26 (1173 bytes)
%Documents and Settings%\%current user%\Templates\2473r6jx4l743x0v26 (1173 bytes)
%Documents and Settings%\All Users\Application Data\2473r6jx4l743x0v26 (1173 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2473r6jx4l743x0v26 (1173 bytes)
The Fake-AV deletes the following file(s):
C:\%original file name%.exe (0 bytes)
The process %original file name%.exe:1888 makes changes in the file system.
The Fake-AV creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\pau.exe (1620 bytes)
Registry activity
The process pau.exe:2016 makes changes in the system registry.
The Fake-AV creates and/or sets the following values in system registry:
[HKCU\Software\Classes\exefile\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\pau.exe -a %1 %*"
[HKCU\Software\Classes\exefile\shell\runas\command]
"IsolatedCommand" = "%1 %*"
[HKCU\Software\Classes\exefile]
"(Default)" = "Application"
[HKCU\Software\Classes\.exe\shell\runas\command]
"IsolatedCommand" = "%1 %*"
[HKLM\SOFTWARE\Clients\StartMenuInternet]
"(Default)" = "IEXPLORE.EXE"
[HKCU\Software\Classes\exefile\shell\open\command]
"IsolatedCommand" = "%1 %*"
[HKCU\Software\Classes\.exe\shell\runas\command]
"(Default)" = "%1 %*"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKCU\Software\Classes\exefile\shell\runas\command]
"(Default)" = "%1 %*"
[HKCU\Software\Classes\exefile]
"Content Type" = "application/x-msdownload"
[HKCU\Software\Classes\.exe\shell\open\command]
"IsolatedCommand" = "%1 %*"
[HKCU\Software\Classes\.exe]
"(Default)" = "exefile"
[HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\pau.exe -a %Program Files%\Internet Explorer\iexplore.exe"
[HKCU\Software\Classes\exefile\DefaultIcon]
"(Default)" = "%1"
[HKCU\Software\Microsoft\Windows]
"Identity" = "843588114"
[HKCU\Software\Classes\.exe\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\pau.exe -a %1 %*"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC B6 CC 6D 25 EA 82 0B 91 F1 DD F8 FE 7D EA BE"
[HKCU\Software\Classes\.exe\DefaultIcon]
"(Default)" = "%1"
[HKCU\Software\Classes\.exe]
"Content Type" = "application/x-msdownload"
To automatically run itself each time Windows is booted, the Fake-AV adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe" = "%System%\ctfmon.exe"
The process %original file name%.exe:1888 makes changes in the system registry.
The Fake-AV creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 82 50 79 9B 6C 16 F7 F7 D2 EA FE ED D3 50 EF"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
"UpdatesDisableNotify" = "1"
"FirewallOverride" = "1"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = "0"
"DoNotAllowExceptions" = "0"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
The following service is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess]
"Start" = "4"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
Network activity (URLs)
| URL | IP |
|---|---|
| ricogodobekax.com | Unresolvable |
| symihyceqemexo.com | Unresolvable |
| nicynajomypy.com | Unresolvable |
| gilodivere.com | Unresolvable |
| weriloxoro.com | Unresolvable |
| johunyniv.com | Unresolvable |
| vehepumac.com | Unresolvable |
| nixecynuho.com | Unresolvable |
| marihuqavigyt.com | Unresolvable |
| fifotojylahe.com | Unresolvable |
| bafihamuxav.com | Unresolvable |
| ronadosim.com | Unresolvable |
| podojykofogu.com | Unresolvable |
| bucoqypynynej.com | Unresolvable |
| zizudadidura.com | Unresolvable |
| xymasehyfi.com | Unresolvable |
| fojexojup.com | Unresolvable |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1888
- Delete the original Fake-AV file.
- Delete or disinfect the following files created/modified by the Fake-AV:
%Documents and Settings%\%current user%\Local Settings\Application Data\2473r6jx4l743x0v26 (1173 bytes)
%Documents and Settings%\%current user%\Templates\2473r6jx4l743x0v26 (1173 bytes)
%Documents and Settings%\All Users\Application Data\2473r6jx4l743x0v26 (1173 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2473r6jx4l743x0v26 (1173 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\pau.exe (1620 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe" = "%System%\ctfmon.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.