TROJ_FAKEAV.SM96
Platform: Windows 2000, Windows XP, Windows Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This Trojan may be downloaded by other malware/grayware/spyware from remote sites. It may be unknowingly downloaded by a user while visiting malicious websites.
It uses Windows Task Scheduler to create a scheduled task that executes the dropped copy.
TECHNICAL DETAILS
File Size: Varies
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 18 May 2011
Arrival Details
This Trojan may be downloaded by other malware/grayware/spyware from remote sites.
It may be unknowingly downloaded by a user while visiting malicious websites.
Installation
This Trojan drops the following copies of itself into the affected system:
- %Windows%\Gcawoa.exe
(Note: %Windows% is the Windows folder, which is usually C:\Windows.)
It uses Windows Task Scheduler to create a scheduled task that executes the dropped copy.
Other System Modifications
This Trojan adds the following registry keys:
- HKEY_CURRENT_USER\Software\{random characters}
It adds the following registry entries:
- HKEY_CURRENT_USER\Software\{random characters}
  {random characters} = {random characters}
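The installation and registry behaviour described above can be checked on a host with the following triage script. It is an added example, not part of the Trend Micro entry, and assumes schtasks.exe and Windows PowerShell are available; the registry check is a heuristic, since the key and value names are random.

```powershell
# Added example (not from the Trend Micro entry): look for the indicators
# described for TROJ_FAKEAV.SM96 on the local Windows host.
$findings = @()

# 1. The dropped copy in the Windows folder (%Windows%\Gcawoa.exe).
$dropped = Join-Path $env:windir 'Gcawoa.exe'
if (Test-Path -LiteralPath $dropped) {
    $findings += "Dropped copy present: $dropped"
}

# 2. A scheduled task whose "Task To Run" points at the dropped copy.
#    schtasks.exe /V exists on every platform listed above; newer Windows
#    repeats the CSV header row per task folder, so those rows are dropped.
$tasks = schtasks.exe /Query /FO CSV /V | ConvertFrom-Csv |
         Where-Object { $_.TaskName -ne 'TaskName' }
foreach ($t in $tasks) {
    if ($t.'Task To Run' -match 'Gcawoa\.exe') {
        $findings += "Scheduled task '$($t.TaskName)' runs: $($t.'Task To Run')"
    }
}

# 3. Heuristic for HKCU\Software\{random characters} holding a single
#    {random characters} value: flag subkeys whose name and only value name
#    are both bare letter strings, for an analyst to review by hand.
$rand = '^[A-Za-z]{5,16}$'
Get-ChildItem -Path 'HKCU:\Software' -ErrorAction SilentlyContinue | ForEach-Object {
    $key = $_
    if ($key.PSChildName -notmatch $rand) { return }
    $names = @($key.GetValueNames() | Where-Object { $_ -ne '' })
    if ($names.Count -eq 1 -and $names[0] -match $rand) {
        $findings += "Review key: HKCU\Software\$($key.PSChildName) (value '$($names[0])')"
    }
}

if ($findings.Count -eq 0) { 'No TROJ_FAKEAV.SM96 indicators found.' }
else { $findings }
```

Run it in an elevated prompt so that tasks registered by other accounts are visible; hits from step 3 need manual confirmation because legitimate software also creates short-named keys under HKCU\Software.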
Other Details
This Trojan connects to the following possibly malicious URLs:
- http://{BLOCKED}r.com/1wave.php
- http://{BLOCKED}it.com/1wave.php
- http://{BLOCKED}ary.com/1wave.php
- http://{BLOCKED}j.com/1wave.php