HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.FakeAV.gcd (v) (VIPRE), Trojan.Win32.FakeAV!IK (Emsisoft), Fake-AV.Win32.FakeRean.2.FD, FakeAVWin32FakeRean.YR (Lavasoft MAS)Behaviour: Trojan, Fake-AV
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 8e2a7435760fe8340e41cb1381b7085b
SHA1: 0afb4c362068accb9016a1eb317015e4781a5b57
SHA256: 3019d33760e0bb20fbef9cf9e9882608292007707bbc8703dc513446964f08b5
SSDeep: 6144:ZSq8kerB3jY1x 8/iNoC8r6axpu4 pVRo8X1h:ZSq8ker9Y19iWvuxVRo8lh
Size: 311488 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: InstallShield2000, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, UPolyXv05_v6, Armadillov171
Company: StarApp
Created at: 2012-12-29 20:05:24
Analyzed on: WindowsXP SP3 32-bit
Summary: Fake-AV. FakeAV programs generate exaggerated threat reports on the compromised computer then ask the user to purchase a registered version to remove those reported threats.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Fake-AV creates the following process(es):
%original file name%.exe:2008
The Fake-AV injects its code into the following process(es):
oyw.exe:744
File activity
The process oyw.exe:744 makes changes in the file system.
The Fake-AV creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\mypageresults[1].htm (808 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cf1d262b.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Templates\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl (139 bytes)
%Documents and Settings%\All Users\Application Data\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl (139 bytes)
The Fake-AV deletes the following file(s):
C:\%original file name%.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\mypageresults[1].htm (0 bytes)
The process %original file name%.exe:2008 makes changes in the file system.
The Fake-AV creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\oyw.exe (311 bytes)
Registry activity
The process oyw.exe:744 makes changes in the system registry.
The Fake-AV creates and/or sets the following values in system registry:
[HKCU\Software\Classes\exefile\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\oyw.exe -a %1 %*"
[HKCU\Software\Classes\exefile\shell\runas\command]
"IsolatedCommand" = "%1 %*"
[HKCU\Software\Classes\exefile]
"(Default)" = "Application"
[HKCU\Software\Classes\.exe\shell\runas\command]
"IsolatedCommand" = "%1 %*"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Clients\StartMenuInternet]
"(Default)" = "IEXPLORE.EXE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Classes\exefile\shell\open\command]
"IsolatedCommand" = "%1 %*"
[HKCU\Software\Classes\.exe\shell\runas\command]
"(Default)" = "%1 %*"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKCU\Software\Classes\exefile\shell\runas\command]
"(Default)" = "%1 %*"
[HKCU\Software\Classes\exefile]
"Content Type" = "application/x-msdownload"
[HKCU\Software\Classes\.exe\shell\open\command]
"IsolatedCommand" = "%1 %*"
[HKCU\Software\Classes\.exe]
"(Default)" = "exefile"
[HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\oyw.exe -a %Program Files%\Internet Explorer\iexplore.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\Classes\exefile\DefaultIcon]
"(Default)" = "%1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows]
"Identity" = "3044072876"
[HKCU\Software\Classes\.exe\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\oyw.exe -a %1 %*"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 BD C6 AC 48 1A E9 71 BF 51 13 FF 84 8C 72 9F"
[HKCU\Software\Classes\.exe\DefaultIcon]
"(Default)" = "%1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Classes\.exe]
"Content Type" = "application/x-msdownload"
The Fake-AV modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Fake-AV modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Fake-AV modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Fake-AV adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe" = "%System%\ctfmon.exe"
The Fake-AV deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:2008 makes changes in the system registry.
The Fake-AV creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 52 EB 11 E7 3F C5 14 7D 6D B0 C9 1B 04 16 14"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
"UpdatesDisableNotify" = "1"
"FirewallOverride" = "1"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = "0"
"DoNotAllowExceptions" = "0"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
The following service is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess]
"Start" = "4"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://84.22.104.243/370b4de40a713d4a00100052c23c93 | |
| hxxp://84.22.104.243/370b4de40a713d4a00100052c23c99 | |
| hxxp://indeanajonsbiz.net/data.exe | 209.99.40.222 |
| hxxp://84.22.104.243/370b4de40a713d4a00100052c23c9e | |
| hxxp://pagesinxt.com/?dn=indeanajonsbiz.net&flrdr=yes&nxte=exe | 208.91.196.252 |
| hxxp://mypageresults.com/?dn=indeanajonsbiz.net&flrdr=yes&nxte=exe | 208.91.196.4 |
| hxxp://84.22.104.243/370b4de40a713d4a00100052c23ca3 | |
| hxxp://84.22.104.243/370b4de40a713d4a00100052c23ca8 | |
| hxxp://84.22.104.243/370b4de40a713d4a00100052c23cad | |
| hxxp://84.22.104.243/370b4de40a713d4a00100052c23cb3 | |
| hxxp://84.22.104.243/370b4de40a713d4a00100052c23cb9 | |
| hxxp://84.22.104.243/370b4de40a713d4a00100052c23cbe | |
| hxxp://84.22.104.243/370b4de40a713d4a00100052c23cc4 |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:2008
- Delete the original Fake-AV file.
- Delete or disinfect the following files created/modified by the Fake-AV:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\mypageresults[1].htm (808 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cf1d262b.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Templates\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl (139 bytes)
%Documents and Settings%\All Users\Application Data\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\oyw.exe (311 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe" = "%System%\ctfmon.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.