TROJ_FAKEAV.MIR

This Trojan may be dropped by other malware.

It poses as an antispyware application that uses pop-up messages displayed on the System Tray to make users think that their systems are infected. This tricks users to purchase the complete version of the said application. When users agree to buy the software, it connects to a certain URL. It displays a window where users can purchase this fake antivirus program.

Arrival Details

This Trojan may be dropped by the following malware:

• TSPY_FAREIT.MIR

Installation

This Trojan drops the following copies of itself into the affected system:

• {All User's Profile}\Application Data\{random name}\{random name}.exe

It drops the following files:

• {All User's Profile}\Application Data\{random name}\{random name}.ico
• %Start Menu%\Programs\AVASoft Professional Antivirus\AVASoft Professional Antivirus.lnk
• %Desktop%\AVASoft Professional Antivirus.lnk
• {All Users' Profile}\Application Data\{random name}\{random name}

(Note: %Start Menu% is the current user's Start Menu folder, which is usually C:\Windows\Start Menu or C:\Documents and Settings\{User name}\Start Menu on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu on Windows Vista and 7.. %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\Desktop on Windows Vista and 7.)

It creates the following folders:

• %Start Menu%\Programs\AVASoft Professional Antivirus
• {All User's Profile}\Application Data\{random name}

(Note: %Start Menu% is the current user's Start Menu folder, which is usually C:\Windows\Start Menu or C:\Documents and Settings\{User name}\Start Menu on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu on Windows Vista and 7.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\RunOnce
{random name} = "{All User's Profile}\Application Data\{random name}\{random name}.exe"

Rogue Antivirus Routine

This Trojan poses as an antispyware application that uses pop-up messages on the System Tray to make users think that their systems are infected. This tricks users to purchase the complete version of the said application.

When users agree to buy the software, it connects to the following URL to continue the purchase:

• http://{BLOCKED}ersec.com/p
• http://{BLOCKED}me.com/p
• http://{BLOCKED}payme.com/p
• http://{BLOCKED}e-bill.com/p
• http://{BLOCKED}rketpay.com/p
• http://{BLOCKED}ysafe.com/p
• http://{BLOCKED}va-soft.org/p

The following window is displayed for users to purchase the fake antivirus program:

It displays the following window and pretends to scan the system:

NOTES:

It connects to the following URL to notify the malicious user that the FAKEAV is installed:

• http://{BLOCKED}.{BLOCKED}.29.181/api/stats/install/?ts=94ad74262c96e18686cb9435b9d812703ec86dd4&token=fya14oiYU
• http://{BLOCKED}.{BLOCKED}.29.181/api/stats/install/ts=94ad74262c96e18686cb9435b9d812703ec86dd4&token=fya14oiYU&affid=46700&ver=3070030&;group=ava

It connects to the following URL to notify the malicious user where the malware sent the credit card information entered by the victim:

• http://{BLOCKED}.{BLOCKED}.29.181/api/urls/?ts=94ad74262c96e18686cb9435b9d812703ec86dd4
• http://{BLOCKED}.{BLOCKED}.29.181/api/urls/?ts=94ad74262c96e18686cb9435b9d812703ec86dd4&affid=46700

This Trojan terminates processes except the following:

• alg.exe
• csrss.exe
• ctfmon.exe
• iexplore.exe
• lsass.exe
• services.exe
• smss.exe
• svchost.exe
• winlogon.exe