TROJ_FAKEAV.FGY

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes the files it drops, prompting the affected system to exhibit the malicious routines they contain.

It modifies the affected system's HOSTS files. This prevents users from accessing certain websites.

It deletes the initially executed copy of itself.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system:

• %System%\Cloud AV 2012v121.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It terminates the execution of the copy it initially executed and executes the copy it drops instead.

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{random characters} = "%System%\Cloud AV 2012v121.exe"

Dropping Routine

This Trojan drops the following files:

• %User Temp%\dwme.exe
• %Application Data%\dwme.exe
• %Desktop%\Cloud AV 2012.lnk
• %Application Data%\ahst.lni
• %Start Menu%\Programs\Cloud AV 2012\Cloud AV 2012.lnk
• %Application Data%\{random characters}\Cloud AV 2012.ico

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.. %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.. %Desktop% is the current user's desktop, which is usually C:\Windows\Profiles\{user name}\Desktop on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Desktop on Windows NT, and C:\Documents and Settings\{User Name}\Desktop on Windows 2000, XP, and Server 2003.. %Start Menu% is the current user's Start Menu folder, which is usually C:\Windows\Profiles\{user name}\Start Menu on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu on Windows NT and C:\Windows\Start Menu or C:\Documents and Settings\{User name}\Start Menu on Windows 2000, XP, and Server 2003.)

It executes the files it drops, prompting the affected system to exhibit the malicious routines they contain.

HOSTS File Modification

This Trojan adds the following strings to the Windows HOSTS file:

• {BLOCKED}.{BLOCKED}.179.84 craigslist.org
• {BLOCKED}.{BLOCKED}.179.110 comcast.net
• {BLOCKED}.{BLOCKED}.179.84 facebook.com
• {BLOCKED}.{BLOCKED}.179.84 myspace.com
• {BLOCKED}.{BLOCKED}.179.84 Monster.com
• {BLOCKED}.{BLOCKED}.179.84 Expedia.com
• {BLOCKED}.{BLOCKED}.179.84 flickr.com
• {BLOCKED}.{BLOCKED}.179.84 amazon.com
• {BLOCKED}.{BLOCKED}.179.84 yahoo.com
• {BLOCKED}.{BLOCKED}.179.110 cnn.com
• {BLOCKED}.{BLOCKED}.179.84 imdb.com
• {BLOCKED}.{BLOCKED}.179.110 go.com
• {BLOCKED}.{BLOCKED}.179.84 ebay.com
• {BLOCKED}.{BLOCKED}.179.84 digg.com
• {BLOCKED}.{BLOCKED}.122.156 wikipedia.org
• {BLOCKED}.{BLOCKED}.122.156 youtube.com
• {BLOCKED}.{BLOCKED}.122.156 google.com
• {BLOCKED}.{BLOCKED}.122.156 Paypal.com

Other Details

This Trojan deletes the initially executed copy of itself