F-Secure
Tools
Trojan-Downloader:W32/Small.AAFH
| Name : | Trojan-Downloader:W32/Small.AAFH |
| Detection Names : |
Trojan-Downloader.Win32.Small.aafh |
| Aliases : |
TROJ_RENOS.ADX (Trend Micro) Troj/FakeAle-EF (Sophos) Win32/TrojanDownloader.FakeAlert.DJ (Other) Trojan.Dropper (Symantec) |
| Size: | 139776 |
| Category: | Malware |
| Type: | Trojan-Downloader |
| Platform: | W32 |
| Date of Discovery: | August 10, 2008 |
Summary
This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.
Details
File System Changes
Creates these files:
phcgqgj0ej7p.bmp
tt1.tmp.vbs
blphcgqgj0ej7p.scr
lphcgqgj0ej7p.exe
Process Changes
Creates these mutexes:
{A56DECD8-1102-49e9-BFD5-17FBE35197F2}
Network Connections
Attempts to download files from:
http://antivirusxp-08.com/images/1215432116/[...]dd6a773d899336c058fb89fce801/f7ec4038-ac37-4724-8dc3-f4029fa668f9.gif
Registry Modifications
Sets these values:
HKLM\Software\Microsoft\Software Notifier
InstallationID = f7ec4038-ac37-4724-8dc3-f4029fa668f9
HKCU\Control Panel\Colors
Background = 0 0 255
HKCU\Control Panel\Desktop
WallpaperStyle = 0
HKCU\Control Panel\Desktop
TileWallpaper = 0
HKCU\Control Panel\Desktop
Wallpaper = C:\WINDOWS\system32\phcgqgj0ej7p.bmp
HKCU\Control Panel\Desktop
OriginalWallpaper = C:\WINDOWS\system32\phcgqgj0ej7p.bmp
HKCU\Control Panel\Desktop
ConvertedWallpaper = C:\WINDOWS\system32\phcgqgj0ej7p.bmp
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
NoDispBackgroundPage = 00000001
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
lphcgqgj0ej7p = C:\WINDOWS\system32\lphcgqgj0ej7p.exe
HKCU\Control Panel\Desktop
SCRNSAVE.EXE = C:\WINDOWS\system32\blphcgqgj0ej7p.scr
HKCU\Control Panel\Desktop
ScreenSaveActive = 1
HKCU\Control Panel\Desktop
ScreenSaveTimeOut = 600
HKCU\Software\Sysinternals\Bluescreen Screen Saver
EulaAccepted = 00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
NoDispScrSavPage = 00000001
HKLM\System\CurrentControlSet\Services\srservice
Start = 00000002
HKLM\System\CurrentControlSet\Services\sr
Start = 00000000
HKLM\System\CurrentControlSet\Services\sr
ImagePath = system32\DRIVERS\sr.sys
HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
DisableSR = 00000000
Additional Details
This trojan is designed to 'persuade' unsuspecting individuals into buying the full, paid version of a rogue antispyware program by spooking them into believing that their system is riddled with malware. The frightened user would then be asked to buy the rogue antispyware program to deal with the supposed problem.
This malware arrives as a link in an e-mail and requires user action in order to be installed. The user must click on the link, then download and run or install the malware. It can also be downloaded from a number of websites, such as:
http://neonbible.de/[...]/update.exe
http://www.intertopo.be/[...]/update.exe
http://www.dennis-luis.de/[...]/update.exe
http://www.aouq22.dsl.pipex.com/[...]/update.exe
The malware will use a variety of tricks to alarm the user. These tricks involve changing the wallpaper to a 'Spyware Infection warning' wallpaper and changing the user's screensaver into a screensaver which looks like the 'blue screen of death'.
The trojan will also attempt to connect to a remote server and download what appears to be a GIF file, which is embedded with the trial version of a rogue antispyware program detected as Rogue:W32/AntivirusXP2008.E. This rogue antispyware program is installed and pretends to run a scan of the infected system, then displays a fake results screen showing numerous infections.
Once installed, this trojan removes all the current System Restore points in the system and creates a new one where it is already included. This means that rolling back to a previous System Restore point will not remove the malware.
Upon installation into the system, the wallpaper will be changed to this:
Leaving the system idle for 10 minutes brings up a screensaver which appears to be a 'blue screen of death' similar to this one:
When Rogue:W32/AntivirusXP2008.E executes, it will show this window:
This malware arrives as a link in an e-mail and requires user action in order to be installed. The user must click on the link, then download and run or install the malware. It can also be downloaded from a number of websites, such as:
http://neonbible.de/[...]/update.exe
http://www.intertopo.be/[...]/update.exe
http://www.dennis-luis.de/[...]/update.exe
http://www.aouq22.dsl.pipex.com/[...]/update.exe
The malware will use a variety of tricks to alarm the user. These tricks involve changing the wallpaper to a 'Spyware Infection warning' wallpaper and changing the user's screensaver into a screensaver which looks like the 'blue screen of death'.
The trojan will also attempt to connect to a remote server and download what appears to be a GIF file, which is embedded with the trial version of a rogue antispyware program detected as Rogue:W32/AntivirusXP2008.E. This rogue antispyware program is installed and pretends to run a scan of the infected system, then displays a fake results screen showing numerous infections.
Once installed, this trojan removes all the current System Restore points in the system and creates a new one where it is already included. This means that rolling back to a previous System Restore point will not remove the malware.
Upon installation into the system, the wallpaper will be changed to this:
Leaving the system idle for 10 minutes brings up a screensaver which appears to be a 'blue screen of death' similar to this one:
When Rogue:W32/AntivirusXP2008.E executes, it will show this window: