Trojan-Dropper:W32/Hoaxer.B
| Name : | Trojan-Dropper:W32/Hoaxer.B |
| Detection Names : |
Trojan-Downloader.Win32.Hoaxer.a |
| Aliases : |
TrojanDownloader:HTML/Renos.C (Microsoft) W32/Dorf.A!tr.dldr (Other) |
| Size: | 333780 |
| Category: | Malware |
| Type: | Trojan-Dropper |
| Platform: | W32 |
| Date of Discovery: | October 02, 2008 |
Summary
This type of trojan contains one or more malicious files, which it will secretly install on the system.
Details
File System Changes
Create these directories:
• %programfiles%\PCHealthCenter
Process Changes
Creates these processes:
• %programfiles%\PCHealthCenter\0.exe
• %programfiles%\PCHealthCenter\1.exe
• %programfiles%\PCHealthCenter\2.exe
• %programfiles%\PCHealthCenter\3.exe
• %programfiles%\PCHealthCenter\4.exe
• %programfiles%\PCHealthCenter\5.exe
• %programfiles%\PCHealthCenter\7.exe
Registry Modifications
Sets these values:
• HKCU\SOFTWARE\Microsoft\Windows
VRSIN = 1221124757
VRSIN = 1221124757
• HKCU\SOFTWARE\Microsoft\Windows
AIM = 0000000000005378
AIM = 0000000000005378
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\YUR.exe = C:\Windows\system32\YUR.exe
\YUR.exe = C:\Windows\system32\YUR.exe
• HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\YUR.exe = C:\Windows\system32\YUR.exe
\YUR.exe = C:\Windows\system32\YUR.exe
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\YUR.exe = C:\Windows\system32\YUR.exe
\YUR.exe = C:\Windows\system32\YUR.exe
• HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\YUR.exe = C:\Windows\system32\YUR.exe
\YUR.exe = C:\Windows\system32\YUR.exe
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\YUR.exe = C:\Windows\system32\YUR.exe
\YUR.exe = C:\Windows\system32\YUR.exe
• HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\YUR.exe = C:\Windows\system32\YUR.exe
\YUR.exe = C:\Windows\system32\YUR.exe
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\YUR.exe = C:\Windows\system32\YUR.exe
\YUR.exe = C:\Windows\system32\YUR.exe
• HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\YUR.exe = C:\Windows\system32\YUR.exe
\YUR.exe = C:\Windows\system32\YUR.exe
Additional Details
This malware drops and installs multiple files in the system. The cumulative effect of the malware is to produce a fake infection warning, which aims to frighten the user into purchasing a rogue antivirus program.
Installation
The malware installs a variety of files on the system.
These files are all detected as Trojan-Downloader.Win32.Hoaxer.a:
These files are all image files used by the sc.html file:
This file is the fake Windows Security Center warning:
These icons are for links to pornography sites:
In addition to icons for links, the malware also adds actual links to the megafreeporn website:
These files are essentially duplicates of files which have been previously installed:
Finally, the malware installs a file which is detected as Fraudtool:W32/SpywarePreventer.A:
Registry
The malware also makes a number of registry changes in order to display the installed files. Sample registry values would be:
Execution
Upon execution, the malware will immediately display the sc.html file, which appears to be a Windows Security Center warning that the system is infected.
The user is asked if they would like to scan and remove the (supposed) threats detected, which is the recommended option. If the user clicks on the "Yes" option in the dialog box, the malware will open this link in the browser:
The page opened contains the product that the malware is promoting.
Installation
The malware installs a variety of files on the system.
These files are all detected as Trojan-Downloader.Win32.Hoaxer.a:
• %programfiles%\PCHealthCenter\0.exe
• %programfiles%\PCHealthCenter\1.exe
• %programfiles%\PCHealthCenter\2.exe
• %programfiles%\PCHealthCenter\3.exe
• %programfiles%\PCHealthCenter\4.exe
• %programfiles%\PCHealthCenter\5.exe
• %programfiles%\PCHealthCenter\7.exe
These files are all image files used by the sc.html file:
• %programfiles%\PCHealthCenter\0.gif
• %programfiles%\PCHealthCenter\1.gif
• %programfiles%\PCHealthCenter\2.gif
• %programfiles%\PCHealthCenter\3.gif
• %programfiles%\PCHealthCenter\sc.html
These icons are for links to pornography sites:
• %programfiles%\PCHealthCenter\1.ico
• %programfiles%\PCHealthCenter\2.ico
In addition to icons for links, the malware also adds actual links to the megafreeporn website:
• %desktop%\QUALITY PORN.url
• %desktop%\BEST ZOO PORN.url
These files are essentially duplicates of files which have been previously installed:
• c:\x - same file as %programfiles%\PCHealthCenter\7.ex
• %windir%\system32\YUR.exe - same file as %programfiles%\PCHealthCenter\1.exe
• %windir%\system32\YUR.exe - same file as %programfiles%\PCHealthCenter\2.exe
• %windir%\system32\YUR.exe - same file as %programfiles%\PCHealthCenter\3.exe
• %windir%\system32\YUR.exe - same file as %programfiles%\PCHealthCenter\4.exe
• %windir%\system32\1.ico - same as %programfiles%\PCHealthCenter\1.ico
• %windir%\system32\2.ico - same as %programfiles%\PCHealthCenter\2.ico
Finally, the malware installs a file which is detected as Fraudtool:W32/SpywarePreventer.A:
• http://first-reason.com/data/x7/[...]/0000005378.exe
Registry
The malware also makes a number of registry changes in order to display the installed files. Sample registry values would be:
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\YUR1.exe = C:\Windows\system32\YUR1.exe
\YUR1.exe = C:\Windows\system32\YUR1.exe
• HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\YUR1.exe = C:\Windows\system32\YUR1.exe
\YUR1.exe = C:\Windows\system32\YUR1.exe
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\YUR2.exe = C:\Windows\system32\YUR2.exe
\YUR2.exe = C:\Windows\system32\YUR2.exe
• HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\YUR2.exe = C:\Windows\system32\YUR2.exe
\YUR2.exe = C:\Windows\system32\YUR2.exe
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\YUR3.exe = C:\Windows\system32\YUR3.exe
\YUR3.exe = C:\Windows\system32\YUR3.exe
• HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\YUR3.exe = C:\Windows\system32\YUR3.exe
\YUR3.exe = C:\Windows\system32\YUR3.exe
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\YUR4.exe = C:\Windows\system32\YUR4.exe
\YUR4.exe = C:\Windows\system32\YUR4.exe
• HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\YUR4.exe = C:\Windows\system32\YUR4.exe
\YUR4.exe = C:\Windows\system32\YUR4.exe
Execution
Upon execution, the malware will immediately display the sc.html file, which appears to be a Windows Security Center warning that the system is infected.
The user is asked if they would like to scan and remove the (supposed) threats detected, which is the recommended option. If the user clicks on the "Yes" option in the dialog box, the malware will open this link in the browser:
• http://scanner.vav-x-scanner.com/34/?advid=[...]5378&dsbndbinj&