TROJ_FAKEAV.PU

This Trojan may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.

It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Arrival Details

This Trojan may be dropped by other malware.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This Trojan creates the following folders:

• %Application Data%\{random numbers}

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

Download Routine

This Trojan accesses the following websites to download files:

• http://update1.{BLOCKED}roverwlentor119.net/index.php?{parameters}
• http://report1.{BLOCKED}roverwlentor119.net/?{parameters}

It saves the files it downloads using the following names:

• %Application Data%\{random numbers}\MySecurityShield.exe - called My Security Shield, which is detected as TROJ_FAKEAV.GAC

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.