Trojan-Downloader:W32/Fakerean.gen!A

Name: Trojan-Downloader:W32/Fakerean.gen!A
Category: Malware
Type: Trojan-Downloader
Platform: W32

Summary

This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.

Details


Registry Modifications
Sets these values:

  • HKCU\Control Panel\don't load
    scui.cpl = No
    by %cwd%\sample.exe (PID:1752) [hides a Control Panel applet]
  • HKCU\Control Panel\don't load
    wscui.cpl = No
    by %cwd%\sample.exe (PID:1752) [hides the Security Center applet]
  • HKLM\SOFTWARE\Microsoft\Security Center
    AntiVirusDisableNotify = 1
    by %cwd%\sample.exe (PID:1752) [suppresses the Security Center alert for missing antivirus]
  • HKLM\SOFTWARE\Microsoft\Security Center
    UpdatesDisableNotify = 1
    by %cwd%\sample.exe (PID:1752) [suppresses the Security Center alert for disabled Windows Update]
  • HKLM\SOFTWARE\Microsoft\Security Center
    FirewallDisableNotify = 1
    by %cwd%\sample.exe (PID:1752) [suppresses the Security Center alert for a disabled firewall]
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39fc2065-c9c7-49cd-8942-44cc2dedc844}
    NoExplorer = 7340152
    by %windir%\system32\regsvr32.exe (PID:1760) [Launchpoint: Browser Helper Object]
  • HKCU\Software\WinPC Defender
    Minimize = 0
    by %cwd%\sample.exe (PID:1752)
  • HKCU\Software\WinPC Defender
    Start = 1
    by %cwd%\sample.exe (PID:1752)
  • HKCU\Software\WinPC Defender
    Scan = 1
    by %cwd%\sample.exe (PID:1752)
  • HKCU\Software\WinPC Defender
    id = 232345
    by %cwd%\sample.exe (PID:1752)
  • HKCU\Software\WinPC Defender
    UpdateDate = 31-03-2009
    by %cwd%\sample.exe (PID:1752)
  • HKCU\Software\WinPC Defender
    fstart = 1
    by %cwd%\sample.exe (PID:1752)
  • HKCU\Software\WinPC Defender
    site = http://billingpayment.net/pp/?id=
    by %cwd%\sample.exe (PID:1752) [payment URL used by the rogue antivirus]
  • HKLM\System\CurrentControlSet\Services\BITS\Control
    ActiveService = BITS
    by %windir%\system32\services.exe (PID:604)
  • HKLM\System\CurrentControlSet\Services\BITS
    Start = 12
    by %windir%\system32\services.exe (PID:604)
  • HKLM\Software\Classes\CLSID\{95dd14b6-a2ed-11da-9241-806d6172696f}\\{95dd14b9-a2ed-11da-9241-806d6172696f}\\{95dd14b9-a2ed-11da-9241-806d6172696f}\
    BaseClass = Drive
    by %cwd%\sample.exe (PID:1752)
  • HKLM\Software\Classes\batfile\MUICache\
    C:\Documents and Settings\user\Application Data\asd.bat = asd
    by %cwd%\sample.exe (PID:1752)
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\{39FC2065-C9C7-49CD-8942-44CC2DEDC844}\iexplore
    Type = 655360
    by %programfiles%\Internet Explorer\IEXPLORE.EXE (PID:1120)
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\{39FC2065-C9C7-49CD-8942-44CC2DEDC844}\iexplore
    Count = 12
    by %programfiles%\Internet Explorer\IEXPLORE.EXE (PID:1120)
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\{39FC2065-C9C7-49CD-8942-44CC2DEDC844}\iexplore
    Time =
    by %programfiles%\Internet Explorer\IEXPLORE.EXE (PID:1120)


Additional Details

Trojan-Downloader:W32/Fakerean.gen!A is a Generic Detection for malware that downloads and installs rogue antivirus programs onto the computer. In the sample analysed above, the rogue program installed is "WinPC Defender".

Once installed, the rogue antivirus program displays misleading or outright false warnings and scan results, pressuring the user into paying to "activate" the program in order to remove the supposed "threats". Even if the user pays for the "activation", the program may still not behave as advertised.


Installation

During installation, the malware creates the following file:

  • %windir%\ieocx.dll

Where %windir% represents the Windows Directory.

The following module is then loaded into other processes:

  • %windir%\ieocx.dll - loaded into %windir%\system32\regsvr32.exe (PID: 1760)
  • %windir%\ieocx.dll - loaded into %programfiles%\Internet Explorer\IEXPLORE.EXE (PID: 1120)
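The registry modifications and the installation details above can be turned into a read-only host check. The following PowerShell script is an added example written for this description, not F-Secure's code or part of the original analysis. The registry paths, value names and the ieocx.dll file name are copied from the description; the lookup of the BHO CLSID's InprocServer32 default value is an assumption about how a Browser Helper Object CLSID resolves to its DLL, since that key is not shown on this page.

```powershell
# Added example (not from the original description): read-only check of a Windows
# host for the Fakerean / WinPC Defender indicators listed above. Registry paths,
# value names and the dropped file name come from the description; the
# InprocServer32 lookup is an assumption about how the BHO CLSID maps to a DLL.
# Run from an elevated PowerShell prompt. Nothing is modified.

$findings = New-Object System.Collections.Generic.List[string]

# Report $Path\$Name when the value exists and, if $Expected is given, matches it.
function Test-RegValue {
    param([string]$Path, [string]$Name, [string]$Expected, [string]$Why)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }
    $prop = $item.PSObject.Properties[$Name]
    if ($null -eq $prop) { return }
    if ($Expected -eq '' -or "$($prop.Value)" -eq $Expected) {
        $findings.Add("[$Why] $Path\$Name = $($prop.Value)")
    }
}

# 1. Security Center notifications switched off (1 = do not alert the user).
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
foreach ($v in 'AntiVirusDisableNotify', 'UpdatesDisableNotify', 'FirewallDisableNotify') {
    Test-RegValue -Path $sc -Name $v -Expected '1' -Why 'Security Center alert suppressed'
}

# 2. Security Center applets hidden from the Control Panel.
$dl = "HKCU:\Control Panel\don't load"
foreach ($cpl in 'scui.cpl', 'wscui.cpl') {
    Test-RegValue -Path $dl -Name $cpl -Expected 'No' -Why 'Control Panel applet hidden'
}

# 3. The rogue's own configuration key, including the payment URL it uses.
$rogue = 'HKCU:\Software\WinPC Defender'
if (Test-Path -LiteralPath $rogue) {
    $findings.Add("[Rogue AV config] $rogue present")
    Test-RegValue -Path $rogue -Name 'site' -Why 'Rogue AV payment URL'
}

# 4. The BHO launchpoint and (assumption) the DLL its CLSID resolves to.
$clsid = '{39fc2065-c9c7-49cd-8942-44cc2dedc844}'
$bho = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
if (Test-Path -LiteralPath $bho) {
    $findings.Add("[BHO launchpoint] $bho registered")
}
$inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"   # assumed location, see lead-in
if (Test-Path -LiteralPath $inproc) {
    $dll = (Get-ItemProperty -LiteralPath $inproc).'(default)'
    $findings.Add("[BHO server] $clsid -> $dll")
}

# 5. The dropped file, hashed with .NET so this also works on old PowerShell versions.
$drop = Join-Path $env:windir 'ieocx.dll'
if (Test-Path -LiteralPath $drop) {
    $stream = [System.IO.File]::OpenRead($drop)
    try {
        $sha = [System.Security.Cryptography.SHA256]::Create()
        $hex = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
    $findings.Add("[Dropped file] $drop sha256=$hex")
}

if ($findings.Count -eq 0) {
    Write-Output 'No Fakerean / WinPC Defender indicators found.'
    exit 0
}
$findings | ForEach-Object { Write-Output $_ }
exit 1
```

Two caveats when reading the output: the three Security Center DisableNotify values can legitimately be set to 1 by a user who turned the alerts off, so they are corroborating evidence rather than proof on their own, and on 64-bit Windows a 32-bit Internet Explorer BHO registers under the Wow6432Node branches of the HKLM paths above, which this script does not search.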