TROJ_FAKEAV.KQWL

This Trojan poses as a legitimate antivirus software using various commercial names. Similar to other FAKEAV variants, TROJ_FAKEAV.KQWL also displays several graphical users interfaces (GUIs) to users in an attempt to convince them of system infection and to purchase this purported cleaning software.

To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.

Once users have decided to purchase this rogue product, they are then directed to a website asking for some information, such as their credit card numbers.

It shows fake online AV scan results in order to lure the user to install itself.

This Trojan may be unknowingly downloaded by a user while visiting malicious websites. It may be manually installed by a user.

It connects to certain websites to send and receive information. However, as of this writing, the said sites are inaccessible.

Arrival Details

This Trojan may be unknowingly downloaded by a user while visiting malicious websites.

It may be manually installed by a user.

Installation

This Trojan drops the following files:

• %User Temp%\skahgfhasd.bat - file used to delete itself

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

It drops the following copies of itself into the affected system:

• %User Profile%\Application Data\hotfix.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = "%User Profile%\Application Data\hotfix.exe"

Other System Modifications

This Trojan adds the following registry keys:

HKEY_CURRENT_USER\Software\PID

Process Termination

This Trojan terminates the following processes if found running in the affected system's memory:

• ACDaemon.exe
• ACService.exe
• AcroRd32.exe
• Acrobat.exe
• Acrobat_sl.exe
• Acrotray.exe
• Adobe Media Player.exe
• AdobeARM.exe
• AdobeUpdater.exe
• Adobe_Updater.exe
• AppleMobileDeviceHelper.exe
• AppleMobileDeviceService.exe
• ApplicationUpdater.exe
• BDTUpdateService.exe
• BJMyPrt.exe
• Babylon.exe
• BabylonAgent.exe
• Bandoo.exe
• BandooUI.exe
• BcmSqlStartupSvc.exe
• CEC_MAIN.exe
• CLCapSvc.exe
• CLMLSvc.exe
• CLMSServer.exe
• CLSched.exe
• COCIManager.exe
• CSmileysIM.exe
• CTsvcCDA.exe
• DVDAgent.exe
• DVDLauncher.exe
• DellVideoChat.exe
• DesktopWeather.exe
• DivXUpdate.exe
• EasyShare.exe
• FlashUtil10a.exe
• FlashUtil10b.exe
• FlashUtil10c.exe
• FlashUtil10d.exe
• FlashUtil10e.exe
• FlashUtil10h_ActiveX.exe
• FlashUtil10i_ActiveX.exe
• FrostWire.exe
• GoogleDesktop.exe
• GoogleDesktopCrawl.exe
• GoogleDesktopDisplay.exe
• GoogleDesktopIndex.exe
• GoogleToolbarInstaller_updater_signed.exe
• GoogleToolbarUser.exe
• GoogleUpdater.exe
• ICQ Service.exe
• IELowutil.exe
• IEMonitor.exe
• IEUser.exe
• KodakSvc.exe
• LWS.exe
• LimeWire.exe
• LogitechDesktopMessenger.exe
• LogitechUpdate.exe
• MSCamS32.exe
• Monitor.exe
• MySpaceIM.exe
• NBService.exe
• NMBgMonitor.exe
• NMIndexStoreSvr.exe
• NMIndexingService.exe
• NkMonitor.exe
• PCMAgent.exe
• PDVDDXSrv.exe
• PDVDServ.exe
• PMVService.exe
• PhotoshopElementsFileAgent.exe
• PictureMover.exe
• Quickcam.exe
• Reader_sl.exe
• RealPlay.exe
• RichVideo.exe
• RoxWatch9.exe
• SeaPort.exe
• SearchProtection.exe
• SiteRankTray.exe
• Skype.exe
• SkypeNames.exe
• SkypeNames2.exe
• SmoothView.exe
• SoftwareUpdate.exe
• SweetIM.exe
• TNaviSrv.exe
• TVAgent.exe
• TWebCamera.exe
• TWebCameraSrv.exe
• TomTomHOMERunner.exe
• TomTomHOMEService.exe
• ULCDRSvr.exe
• ViewMgr.exe
• WLIDSvcM.exe
• Weather.exe
• WebcamDell.exe
• WerCon.exe
• YMailAdvisor.exe
• YahooAUService.exe
• YahooMessenger.exe
• YouCam.exe
• ZuneLauncher.exe
• aim.exe
• aim6.exe
• apdproxy.exe
• bittorrent.exe
• chrome.exe
• cmd.exe
• ehRecvr.exe
• ehmsas.exe
• ezprint.exe
• firefox.exe
• gamevance32.exe
• iPodService.exe
• iTunes.exe
• iTunesHelper.exe
• iWinTrusted.exe
• iexplore.exe
• iviRegMgr.exe
• java.exe
• javaw.exe
• lexbces.exe
• mcrdsvc.exe
• msmsgs.exe
• msn.exe
• msnmsgr.exe
• onenotem.exe
• ooVoo.exe
• opera.exe
• outlook.exe
• pctsAuxs.exe
• pctsSvc.exe
• plugin-container.exe
• prismxl.sys
• qttask.exe
• realsched.exe
• regedit.exe
• rstrui.exe
• safari.exe
• shellmon.exe
• skypePM.exe
• sprtsvc.exe
• taskmgr.exe
• tfswctrl.exe
• traybar.exe
• uTorrent.exe
• update.exe
• winamp.exe
• winampa.exe
• winword.exe
• wlcomm.exe
• wlidsvc.exe
• wmplayer.exe
• wzqkpick.exe
• ymsgr_tray.exe

Download Routine

This Trojan connects to the following URL(s) to download its component file(s):

• http:\\{BLOCKED}.{BLOCKED}.191.174\wrwer.exe

Other Details

This Trojan connects to the following website to send and receive information:

• {BLOCKED}.{BLOCKED}.191.174
• {BLOCKED}.{BLOCKED}.191.180

However, as of this writing, the said sites are inaccessible.

Rogue Antivirus Routine

This Trojan displays the following fake alerts:

NOTES:

It displays fake alerts that warn users of infection. It also displays fake scanning results of the infected system. It then asks for users to purchase it once scanning is completed. Once users have decided to purchase this rogue product, users are then directed to the following website asking for some information, such as their credit card numbers:

• {BLOCKED}.{BLOCKED}.191.180

It saves installation information in the following registries:

HKEY_CURRENT_USER\Software\PID
install = "complete"
product = "{GUI name}"

It shows the following fake online AV scan results in order to lure the user to install itself:

It may use any of the following GUIs: