TROJ_FAKEAV.CMP

March 08, 2013
 Analysis by: Jaime Benigno Reyes
 ALIASES:

a variant of Win32/Kryptik.AWCU trojan (Nod32)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size:

302,080 bytes

File Type:

EXE

Memory Resident:

No

Initial Samples Received Date:

07 Mar 2013

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system:

  • %All Users Application Data%\mgqWPISksNJc.exe
  • %ProgramData%\mgqWPISksNJc.exe (Windows Vista and 7 only)

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This is usually C:\ProgramData in Windows Vista and 7, or C:\Program Files on Windows 2000, XP (32-bit), and Server 2003, or C:\Program Files (x86) on Windows XP (64-bit).)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
mgqWPISksNJc.exe = "%All Users Application Data%\mgqWPISksNJc.exe"

Other System Modifications

This Trojan adds the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Associations

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Attachments

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System

It adds the following registry entries:

HKEY_CURRENT_USER\Software
nsreg = "{hex value}"

HKEY_CURRENT_USER\Software
rdc = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Associations
LowRiskFileTypes = ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Attachments
SaveZoneInformation = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableTaskMgr = "1"

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableTaskMgr = "1"

It modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "0"

(Note: The default value data of the said registry entry is "2".)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = "0"

(Note: The default value data of the said registry entry is "1".)

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Download
CheckExeSignatures = "no"

(Note: The default value data of the said registry entry is "yes".)

Other Details

This Trojan connects to the following possibly malicious URL:

  • http://{BLOCKED}oveentoes.com/updates/msupdate.dat
  • http://{BLOCKED}ofalonc.com/updates/msupdate.dat
  • http://{BLOCKED}athic.com/updates/msupdate.dat
  • http://{BLOCKED}oveentoes.com/updates/msupdate.dat
  • http://{BLOCKED}akeve.com/m.php?{random}
  • http://{BLOCKED}ofalonc.com/?{random}