TROJ_FAKESYS

FAKEAV variants arrive on systems via compromised websites, spammed malicious links; poisoned search results that lead to FAKEAV download pages, malicious posts on social networking sites, and malicious advertisements. They may also be downloaded by other malware.

Since 2008, FAKEAV rode on the popularity of disastrous events such as the 9/11 attacks or the Great East Japan Earthquake. FAKEAV also takes advantage of celebrity names like Paris Hilton in order to victimize users. Cybercriminals behind FAKEAV scare its victims by showing fake system infections until the victims download or decide to purchase the fake antivirus product.

Other routines of FAKEAV malware include connecting to adult sites and blocking rootkit detection tools such as GMER and Rootkitbuster to prevent easy removal from affected systems. Later variants of FAKEAV target Macs and spread via social networking sites such as Twitter and Facebook.

There are various operators behind pushing FAKEAV malware. Apart from the creators of the fake anti-malware file, there are traffic redirectors, site compromisers, bot herders, exploit kit creators, and other cybercriminal underground entities that push, and benefit, from the operation of FAKEAV.

This Trojan employs registry shell spawning by adding certain registry entries. This allows this malware to execute even when other applications are opened.

Installation

This Trojan drops the following copies of itself into the affected system:

• %Application Data%\av.exe
• %Application Data%\ave.exe
• %Windows%\msa.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.. %Windows% is the Windows folder, which is usually C:\Windows.)

It drops the following files:

• %Application Data%\1S7p66
• %Application Data%\1gx8VwiF
• %Application Data%\3pxrV41BG
• %Application Data%\Oiitd0ys0jFnW
• %Application Data%\PQ608daGr
• %Application Data%\U0k0MQl
• %Application Data%\g1oOP77
• %Application Data%\oY0vtai
• %System Root%\Documents and Settings\All Users\Application Data\1S7p66
• %System Root%\Documents and Settings\All Users\Application Data\PQ608daGr
• %System Root%\Documents and Settings\All Users\Application Data\oY0vtai
• %User Profile%\Templates\1S7p66
• %User Profile%\Templates\PQ608daGr
• %User Profile%\Templates\oY0vtai
• %User Temp%\1S7p66
• %User Temp%\PQ608daGr
• %User Temp%\oY0vtai
• %WIndows%\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
• %Windows%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.. %Windows% is the Windows folder, which is usually C:\Windows.)

Autostart Technique

This Trojan employs registry shell spawning to ensure its execution when certain file types are accessed by adding the following entries:

HKEY_CLASSES_ROOT\secfile\shell\
open\command
(Default) = ""%Application Data%\av.exe" /START "%1" %*"

HKEY_CLASSES_ROOT\.exe\shell\
open\command
(Default) = ""%Application Data%\av.exe" /START "%1" %*"

HKEY_CLASSES_ROOT\secfile\shell\
open\command
(Default) = ""%Application Data%\ave.exe" /START "%1" %*"

HKEY_CLASSES_ROOT\.exe\shell\
open\command
(Default) = ""%Application Data%\ave.exe" /START "%1" %*"

Other System Modifications

This Trojan adds the following registry keys:

HKEY_CURRENT_USER\Software\NordBull

HKEY_CURRENT_USER\Software\4VDD85L8NF

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows
Identity = "{hex value}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile
EnableFirewall = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile
DoNotAllowExceptions = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile
DisableNotifications = "1"

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallDisableNotify = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
EnableFirewall = "0"

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
DisableNotifications = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_CLASSES_ROOT\.exe
(Default) = "secfile"

(Note: The default value data of the said registry entry is exefile.)

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\
StartMenuInternet\FIREFOX.EXE\shell\
open\command
(Default) = ""%Application Data%\av.exe" /START "%Program Files%\Mozilla Firefox\firefox.exe""

(Note: The default value data of the said registry entry is %Program Files%\Mozilla Firefox\firefox.exe.)

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\
StartMenuInternet\FIREFOX.EXE\shell\
safemode\command
(Default) = ""%Application Data%\av.exe" /START "%Program Files%\Mozilla Firefox\firefox.exe" -safe-mode"

(Note: The default value data of the said registry entry is %Program Files%\Mozilla Firefox\firefox.exe" -safe-mode".)

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\
StartMenuInternet\IEXPLORE.EXE\shell\
open\command
(Default) = ""%Application Data%\av.exe" /START "%Program Files%\Internet Explorer\iexplore.exe""

(Note: The default value data of the said registry entry is %Program Files%\Internet Explorer\iexplore.exe.)

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\
StartMenuInternet\FIREFOX.EXE\shell\
open\command
(Default) = ""%Application Data%\ave.exe" /START "%Program Files%\Mozilla Firefox\firefox.exe""

(Note: The default value data of the said registry entry is %Program Files%\Mozilla Firefox\firefox.exe.)

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\
StartMenuInternet\FIREFOX.EXE\shell\
safemode\command
(Default) = ""%Application Data%\ave.exe" /START "%Program Files%\Mozilla Firefox\firefox.exe" -safe-mode"

(Note: The default value data of the said registry entry is %Program Files%\Mozilla Firefox\firefox.exe" -safe-mode".)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusDisableNotify = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UpdatesDisableNotify = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusOverride = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallOverride = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess
Start = "4"

(Note: The default value data of the said registry entry is 2.)

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\
StartMenuInternet\IEXPLORE.EXE\shell\
open\command
(Default) = ""%Application Data%\ave.exe" /START "%Program Files%\Internet Explorer\iexplore.exe""

(Note: The default value data of the said registry entry is %Program Files%\Internet Explorer\iexplore.exe.)

Other Details

This Trojan connects to the following possibly malicious URL:

• {BLOCKED}tubae.com
• {BLOCKED}lino.com
• {BLOCKED}rawe.com
• {BLOCKED}s-live-one1.com
• {BLOCKED}s-one-care2010.com
• {BLOCKED}rilos.com
• {BLOCKED}dovk.com
• {BLOCKED}s.com
• {BLOCKED}security.com
• {BLOCKED}uritygroup.com
• {BLOCKED}dat.com
• {BLOCKED}a.com
• {BLOCKED}elo.com
• {BLOCKED}security.com
• {BLOCKED}iokas.com
• {BLOCKED}oqe.com
• {BLOCKED}holu.com
• {BLOCKED}odert.com
• {BLOCKED}e.com
• {BLOCKED}itydirect.com
• {BLOCKED}formationsecurity.com
• {BLOCKED}l.com
• {BLOCKED}inos.com
• {BLOCKED}lsecurity.com
• {BLOCKED}securityinside.com
• {BLOCKED}ioskal.com
• {BLOCKED}anumba.com
• {BLOCKED}erfu.com
• {BLOCKED}tunad.com
• {BLOCKED}care.com
• {BLOCKED}care2010.com
• {BLOCKED}are.com
• {BLOCKED}are2010.com
• {BLOCKED}are2010.com
• {BLOCKED}opergul.com
• {BLOCKED}securityorg.com
• {BLOCKED}ityonline.com
• {BLOCKED}ecurityregistry.com
• {BLOCKED}-antivirus.com
• {BLOCKED}-antivirus2010.com
• {BLOCKED}antivirus2010.com
• {BLOCKED}rtahul.com
• {BLOCKED}libom.com
• {BLOCKED}ive.com
• {BLOCKED}care.com
• {BLOCKED}are.com
• {BLOCKED}are2010.com
• {BLOCKED}ive-2010.com
• {BLOCKED}ws-live.com
• {BLOCKED}ve-2010.com
• {BLOCKED}ve.com
• {BLOCKED}ive.com
• {BLOCKED}010.com
• {BLOCKED}ve.com
• {BLOCKED}e.com
• {BLOCKED}tuga.com
• {BLOCKED}lerda.com
• {BLOCKED}curityguide.com
• {BLOCKED}ertug.com
• {BLOCKED}erade.com
• {BLOCKED}-pc-care.com
• {BLOCKED}-pccare.com
• {BLOCKED}-pccare2010.com
• {BLOCKED}pc-care.com
• {BLOCKED}pccare.com
• {BLOCKED}pccare2010.com
• {BLOCKED}usaonline.com
• {BLOCKED}balin.com
• {BLOCKED}a.com
• {BLOCKED}uval.com
• {BLOCKED}uritydirect.com
• {BLOCKED}rduma.com
• {BLOCKED}kert.com
• {BLOCKED}niko.com
• {BLOCKED}lion.com
• {BLOCKED}rtag.com
• {BLOCKED}mertu.com
• {BLOCKED}ertuh.com
• {BLOCKED}-care.com
• {BLOCKED}-care2010.com
• {BLOCKED}live-care.com
• {BLOCKED}pccare.com
• {BLOCKED}care2010.com
• {BLOCKED}care21.com
• {BLOCKED}rityinfo.com
• {BLOCKED}rityplus.com
• {BLOCKED}formationsecurity.com