Trojan-Downloader:W32/Fakerean.gen!A

Name: Trojan-Downloader:W32/Fakerean.gen!A
Aliases: TrojanDownloader:Win32/FakeRean (Microsoft)
Category: Malware
Type: Trojan-Downloader
Platform: W32

Summary

This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.

Details


Registry Modifications
Sets these values:

  •  HKCU\Control Panel\don't load
         scui.cpl = No
         by %cwd%\sample.exe (PID:1752)
  •  HKCU\Control Panel\don't load
         wscui.cpl = No
         by %cwd%\sample.exe (PID:1752)
  •  HKLM\SOFTWARE\Microsoft\Security Center
         AntiVirusDisableNotify = 1
         by %cwd%\sample.exe (PID:1752) [Alerts for no Antivirus Disabled]
  •  HKLM\SOFTWARE\Microsoft\Security Center
         UpdatesDisableNotify = 1
         by %cwd%\sample.exe (PID:1752) [Alerts for no Windows-Updates Disabled]
  •  HKLM\SOFTWARE\Microsoft\Security Center
         FirewallDisableNotify = 1
         by %cwd%\sample.exe (PID:1752) [Alerts for no Firewall Disabled]
  •  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39fc2065-c9c7-49cd-8942-44cc2dedc844}
         NoExplorer = 7340152
         by %windir%\system32\regsvr32.exe (PID:1760) [Launchpoint: BHO]
  •  HKCU\Software\WinPC Defender
         Minimize = 0
         by %cwd%\sample.exe (PID:1752)
  •  HKCU\Software\WinPC Defender
         Start = 1
         by %cwd%\sample.exe (PID:1752)
  •  HKCU\Software\WinPC Defender
         Scan = 1
         by %cwd%\sample.exe (PID:1752)
  •  HKCU\Software\WinPC Defender
         id = 232345
         by %cwd%\sample.exe (PID:1752)
  •  HKCU\Software\WinPC Defender
         UpdateDate = 31-03-2009
         by %cwd%\sample.exe (PID:1752)
  •  HKCU\Software\WinPC Defender
         fstart = 1
         by %cwd%\sample.exe (PID:1752)
  •  HKCU\Software\WinPC Defender
         site = http://billingpayment.net/pp/?id=
         by %cwd%\sample.exe (PID:1752)
  •  HKLM\System\CurrentControlSet\Services\BITS\Control
         ActiveService = BITS
         by %windir%\system32\services.exe (PID:604)
  •  HKLM\System\CurrentControlSet\Services\BITS
         Start = 12
         by %windir%\system32\services.exe (PID:604)
  •  HKLM\Software\Classes\CLSID\{95dd14b6-a2ed-11da-9241-806d6172696f}\\{95dd14b9-a2ed-11da-9241-806d6172696f}\\{95dd14b9-a2ed-11da-9241-806d6172696f}\
         BaseClass = Drive
         by %cwd%\sample.exe (PID:1752)
  •  HKLM\Software\Classes\batfile\MUICache\
         C:\Documents and Settings\user\Application Data\asd.bat = asd
         by %cwd%\sample.exe (PID:1752)
  •  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\{39FC2065-C9C7-49CD-8942-44CC2DEDC844}\iexplore
         Type = 655360
         by %programfiles%\Internet Explorer\IEXPLORE.EXE (PID:1120)
  •  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\{39FC2065-C9C7-49CD-8942-44CC2DEDC844}\iexplore
         Count = 12
         by %programfiles%\Internet Explorer\IEXPLORE.EXE (PID:1120)
  •  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\{39FC2065-C9C7-49CD-8942-44CC2DEDC844}\iexplore
         Time =
         by %programfiles%\Internet Explorer\IEXPLORE.EXE (PID:1120)
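To make a list in this format machine-checkable, the following added example (not part of F-Secure's description) parses the three-line entries into records and tags each with its defensive significance. The four sample entries are copied from the list above; the rule wording and the RegEvent structure are mine.

```python
import re
from dataclasses import dataclass
# Constructed sample: four entries copied verbatim from the registry modification list above.
SAMPLE = r"""
  •  HKCU\Control Panel\don't load
         scui.cpl = No
         by %cwd%\sample.exe (PID:1752)
  •  HKLM\SOFTWARE\Microsoft\Security Center
         AntiVirusDisableNotify = 1
         by %cwd%\sample.exe (PID:1752) [Alerts for no Antivirus Disabled]
  •  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39fc2065-c9c7-49cd-8942-44cc2dedc844}
         NoExplorer = 7340152
         by %windir%\system32\regsvr32.exe (PID:1760) [Launchpoint: BHO]
  •  HKCU\Software\WinPC Defender
         site = http://billingpayment.net/pp/?id=
         by %cwd%\sample.exe (PID:1752)
"""

@dataclass
class RegEvent:
    key: str      # full registry path, hive abbreviation included
    name: str     # value name
    data: str     # value data as logged (empty when the log shows none, e.g. "Time =")
    process: str  # process that wrote the value
    pid: int
    note: str     # bracketed sandbox annotation, if any

BY_RE = re.compile(r"^by (?P<proc>.+?) \(PID:(?P<pid>\d+)\)(?: \[(?P<note>[^\]]*)\])?$")
def parse_events(text):
    """Parse three-line 'key / name = data / by process' entries into RegEvent records."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    events = []
    for i in range(0, len(lines) - 2, 3):
        key = lines[i].lstrip("• ").strip()
        name, _, data = lines[i + 1].partition("=")  # first '=' only: data may contain '='
        m = BY_RE.match(lines[i + 2])
        if not m:
            raise ValueError(f"unparsed actor line: {lines[i + 2]!r}")
        events.append(RegEvent(key, name.strip(), data.strip(), m["proc"], int(m["pid"]), m["note"] or ""))
    return events
# Defensive significance of the keys this family touches (rules are disjoint).
RULES = [
    (lambda e: "security center" in e.key.lower() and e.name.lower().endswith("disablenotify") and e.data == "1", "suppresses a Windows Security Center warning"),
    (lambda e: e.key.lower().endswith(r"control panel\don't load"), "hides a Control Panel applet"),
    (lambda e: r"\browser helper objects\{" in e.key.lower(), "registers a Browser Helper Object for persistence"),
    (lambda e: "winpc defender" in e.key.lower(), "writes rogue antivirus configuration"),
]
def triage(events):
    """Return (event, reason) for every event that matches a rule; unmatched noise is dropped."""
    return [(e, why) for e in events for match, why in RULES if match(e)]
```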


Additional Details

Trojan-Downloader:W32/Fakerean.gen!A is a Generic Detection for malware that downloads and installs rogue antivirus programs onto the computer.

Once installed, the rogue antivirus program will display misleading or downright false warnings and/or scanning results, pressuring users into paying to "activate" the program, in order to remove/disinfect the supposed "threats". Even if the user pays for the "activation", the program may not function as intended.


Installation

During installation, the malware creates the following file:

  •  %windir%\ieocx.dll

Where %windir% represents the Windows Directory.

The following modules are then loaded into other processes:

  •   %windir%\ieocx.dll  -   Loaded into %windir%\system32\regsvr32.exe (PID: 1760)
  •   %windir%\ieocx.dll  -   Loaded into %programfiles%\Internet Explorer\IEXPLORE.EXE (PID: 1120)


Note

The rogues downloaded may be detected as Trojan:W32/Fakerean by other antivirus vendors.


About Generic Detections

Unlike more traditional detections (also known as signatures or single-file detections), a Generic Detection does not identify a unique or individual malicious program. Instead, a Generic Detection looks for broadly applicable code or behavior characteristics that indicate a file is potentially malicious, so that a single Generic Detection can efficiently identify dozens, or even hundreds, of malware samples.

For more information about Generic Detections, please see the Generic Detection description.