F-Secure
Tools
Trojan-Downloader:W32/Fakerean.gen!A
Summary
This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.
Details
Registry Modifications
Sets these values:
- HKCU\Control Panel\don't load
scui.cpl = No
by %cwd%\sample.exe (PID:1752) - HKCU\Control Panel\don't load
wscui.cpl = No
by %cwd%\sample.exe (PID:1752) - HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify = 1
by %cwd%\sample.exe (PID:1752) [Alerts for no Antivirus Disabled] - HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify = 1
by %cwd%\sample.exe (PID:1752) [Alerts for no Windows-Updates Disabled] - HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify = 1
by %cwd%\sample.exe (PID:1752) [Alerts for no Firewall Disabled] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39fc2065-c9c7-49cd-8942-44cc2dedc844}
NoExplorer = 7340152
by %windir%\system32\regsvr32.exe (PID:1760) [Launchpoint: BHO] - HKCU\Software\WinPC Defender
Minimize = 0
by %cwd%\sample.exe (PID:1752) - HKCU\Software\WinPC Defender
Start = 1
by %cwd%\sample.exe (PID:1752) - HKCU\Software\WinPC Defender
Scan = 1
by %cwd%\sample.exe (PID:1752) - HKCU\Software\WinPC Defender
id = 232345
by %cwd%\sample.exe (PID:1752) - HKCU\Software\WinPC Defender
UpdateDate = 31-03-2009
by %cwd%\sample.exe (PID:1752) - HKCU\Software\WinPC Defender
fstart = 1
by %cwd%\sample.exe (PID:1752) - HKCU\Software\WinPC Defender
site = http://billingpayment.net/pp/?id=
by %cwd%\sample.exe (PID:1752) - HKLM\System\CurrentControlSet\Services\BITS\Control
ActiveService = BITS
by %windir%\system32\services.exe (PID:604) - HKLM\System\CurrentControlSet\Services\BITS
Start = 12
by %windir%\system32\services.exe (PID:604) - HKLM\Software\Classes\CLSID\{95dd14b6-a2ed-11da-9241-806d6172696f}\\{95dd14b9-a2ed-11da-9241-806d6172696f}\\{95dd14b9-a2ed-11da-9241-806d6172696f}\
BaseClass = Drive
by %cwd%\sample.exe (PID:1752) - HKLM\Software\Classes\batfile\MUICache\
C:\Documents and Settings\user\Application Data\asd.bat = asd
by %cwd%\sample.exe (PID:1752) - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\{39FC2065-C9C7-49CD-8942-44CC2DEDC844}\iexplore
Type = 655360
by %programfiles%\Internet Explorer\IEXPLORE.EXE (PID:1120) - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\{39FC2065-C9C7-49CD-8942-44CC2DEDC844}\iexplore
Count = 12
by %programfiles%\Internet Explorer\IEXPLORE.EXE (PID:1120) - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\{39FC2065-C9C7-49CD-8942-44CC2DEDC844}\iexplore
Time =
by %programfiles%\Internet Explorer\IEXPLORE.EXE (PID:1120)
Additional Details
Trojan-Downloader:W32/Fakerean.gen!A is a Generic Detection for malware that downloads and installs rogue antivirus programs onto the computer.
Once installed, the rogue antivirus program will display misleading or downright false warnings and/or scanning results, pressuring users into paying to "activate" the program, in order to remove/disinfect the supposed "threats". Even if the user pays for the "activation", the program may not function as intended.
Installation
During installation, the malware creates the following file:
Where %windir% represents the Windows Directory.
The following modules are then loaded into other processes:
Note
The rogues downloaded may be detected as Trojan:W32/Fakerean by other antivirus vendors.
About Generic Detections
Unlike more traditional detections (also known as signatures or single-file detections) a Generic Detection does not identify a unique or individual malicious program. Instead, a Generic Detection looks for broadly applicable code or behavior characteristics that indicate a file as potentially malicious, so that a single Generic Detection can efficiently identify dozens, or even hundreds of malware.
For more information about Generic Detections, please see the Generic Detection description
Once installed, the rogue antivirus program will display misleading or downright false warnings and/or scanning results, pressuring users into paying to "activate" the program, in order to remove/disinfect the supposed "threats". Even if the user pays for the "activation", the program may not function as intended.
Installation
During installation, the malware creates the following file:
- %windir%\ieocx.dll
Where %windir% represents the Windows Directory.
The following modules are then loaded into other processes:
- %windir%\ieocx.dll - Loaded into %windir%\system32\regsvr32.exe (PID: 1760)
- %windir%\ieocx.dll - Loaded into %programfiles%\Internet Explorer\IEXPLORE.EXE (PID: 1120)
Note
The rogues downloaded may be detected as Trojan:W32/Fakerean by other antivirus vendors.
About Generic Detections
Unlike more traditional detections (also known as signatures or single-file detections) a Generic Detection does not identify a unique or individual malicious program. Instead, a Generic Detection looks for broadly applicable code or behavior characteristics that indicate a file as potentially malicious, so that a single Generic Detection can efficiently identify dozens, or even hundreds of malware.
For more information about Generic Detections, please see the Generic Detection description