WORM_FAKEFLDR.AC
Trojan:Win32/Fakefolder.C (Microsoft); Worm.Win32.FakeFolder.a (Kaspersky); Worm.FakeFolder (VBA32); Trojan.Win32.Fakefolder (Ikarus); W32/FakeFolder.A!worm (Fortinet); Trojan/Win32.FakeFolder (AhnLab-V3); W32/FakeFolder.A (F-Prot)
Windows
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
55,296 bytes
EXE
17 Jun 2014
Arrival Details
This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Autostart Technique
This worm creates the following registry entry to enable automatic execution of the dropped component at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
(Default) = "%Program Files%\system.caca"
Other System Modifications
This worm adds the following registry keys:
HKEY_CLASSES_ROOT\.caca
HKEY_CLASSES_ROOT\cacafile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.caca
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cacafile
It adds the following registry entries:
HKEY_CLASSES_ROOT\.caca
(Default) = "cacafile"
HKEY_CLASSES_ROOT\cacafile\shell\open\command
(Default) = "%Program Files%\Internet Explorer\WINLOGON.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.caca
(Default) = "cacafile"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cacafile\shell\open\command
(Default) = "%Program Files%\Internet Explorer\WINLOGON.exe"
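The Run value listed under Autostart Technique points at a .caca file, and the only handler these entries define for that extension is WINLOGON.exe. The Python below is an added triage example, not part of the original write-up: it parses `reg export` text and flags Run values whose target extension maps, through HKEY_LOCAL_MACHINE\SOFTWARE\Classes, to an open command other than the file itself. The sample export is constructed from the entries above, assuming %Program Files% is C:\Program Files; the "Benign" value and its path are hypothetical.

```python
import re

# Constructed sample in `reg export` format, built from the entries listed
# above. Assumption: %Program Files% expands to C:\Program Files.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@="C:\\Program Files\\system.caca"
"Benign"="\"C:\\Program Files\\Vendor\\agent.exe\" /background"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.caca]
@="cacafile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cacafile\shell\open\command]
@="C:\\Program Files\\Internet Explorer\\WINLOGON.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]
@="exefile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
'''

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
CLASSES = "hkey_local_machine\\software\\classes\\"

def parse_reg(text):
    """Return {lowercased key path: {value name: REG_SZ data}}; '@' is (Default)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'(@|"(?:[^"\\]|\\.)*")="(.*)"$', line)
            if m:  # string values only; hex:/dword: data is skipped
                current[m.group(1).strip('"')] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def run_entries_via_association(keys):
    """Flag Run values that only execute through a file-association handler."""
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        # Quoted path if present, otherwise the whole (possibly spaced) string.
        target = data.split('"')[1] if data.startswith('"') else data
        ext = "." + target.rsplit(".", 1)[-1].lower() if "." in target else ""
        progid = keys.get(CLASSES + ext, {}).get("@", "")
        cmd = keys.get(CLASSES + progid.lower() + r"\shell\open\command", {}).get("@", "")
        # '"%1" %*' means the file runs itself (exefile, batfile); not a redirect.
        if ext and cmd and not cmd.lstrip().startswith('"%1"'):
            findings.append((name, target, ext, progid, cmd))
    return findings

if __name__ == "__main__":
    for finding in run_entries_via_association(parse_reg(SAMPLE_EXPORT)):
        print(finding)
```
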
Propagation
This worm creates the following folders in all removable drives:
- {removable drive letter}:\MyDocuments
It drops copies of itself in the following drives:
- {removable drive letter}:\MyDocument.exe
Dropping Routine
This worm drops the following files:
- %Program Files%\system.caca
- %Program Files%\Internet Explorer\WINLOGON.exe
- {removable drive letter}:\MyDocument\{files and folders in removable drive}
(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)