TROJ_FAKEAV.XZ

October 09, 2012
 Analysis by: Roland Marco Dela Paz
 ALIASES:

Trojan:Win32/FakeSysdef (Microsoft); FakeAlert-SysDef.b (Mcafee)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It modifies the Internet Explorer Zone Settings.

It connects to certain websites to send and receive information.

  TECHNICAL DETAILS

File Size:

Varies

File Type:

EXE

Initial Samples Received Date:

17 Feb 2012

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

  • %System Root%\Documents and Settings\All Users\Application Data\{random}
  • %User Profile%\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
  • %Desktop%\System Check.lnk
  • %Start Menu%\Programs\System Check\System Check.lnk
  • %Start Menu%\Programs\System Check\Uninstall System Check.lnk

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.. %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.. %Desktop% is the current user's desktop, which is usually C:\Windows\Profiles\{user name}\Desktop on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Desktop on Windows NT, and C:\Documents and Settings\{User Name}\Desktop on Windows 2000, XP, and Server 2003.. %Start Menu% is the current user's Start Menu folder, which is usually C:\Windows\Profiles\{user name}\Start Menu on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu on Windows NT and C:\Windows\Start Menu or C:\Documents and Settings\{User name}\Start Menu on Windows 2000, XP, and Server 2003.)

It drops the following copies of itself into the affected system:

  • %System Root%\Documents and Settings\All Users\Application Data\{random}.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It creates the following folders:

  • %Start Menu%\Programs\System Check

(Note: %Start Menu% is the current user's Start Menu folder, which is usually C:\Windows\Profiles\{user name}\Start Menu on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu on Windows NT and C:\Windows\Start Menu or C:\Documents and Settings\{User name}\Start Menu on Windows 2000, XP, and Server 2003.)

Other System Modifications

This Trojan adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
ESENT\Process\{random1}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
ESENT\Process\{random2}

It adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Control Panel
5761b2dc-ce77-4bfa-b965-6f33b1867cf2 =

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Use FormSuggest = "Yes"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
WarnOnZoneCrossing = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
WarnonBadCertRecving = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
CertificateRevocation = "0"

Web Browser Home Page and Search Page Modification

This Trojan modifies the Internet Explorer Zone Settings.

Other Details

This Trojan connects to the following website to send and receive information:

  • {BLOCKED}areditusin.com
  • {BLOCKED}mygotar.com
  • {BLOCKED}dhyperca.com
  • {BLOCKED}izicartax.com
  • {BLOCKED}randi.com
  • {BLOCKED}binew.com
  • {BLOCKED}obuldcar.com