TROJ_FAKEAV
Aliases: FakeRean, Renos, FakeAlert, FakeAlerter, FraudPack
Platform: Windows 2000, Windows XP, Windows Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
FAKEAV variants arrive on systems via compromised websites, spammed malicious links, poisoned search results that lead to FAKEAV download pages, malicious posts on social networking sites, and malicious advertisements. They may also be downloaded by other malware.
Since 2008, FAKEAV has ridden on the popularity of disastrous events such as the 9/11 attacks or the Great East Japan Earthquake. FAKEAV also takes advantage of celebrity names like Paris Hilton in order to victimize users. The cybercriminals behind FAKEAV scare victims with fake system-infection alerts until the victims download, or decide to purchase, the fake antivirus product.
Other routines of FAKEAV malware include connecting to adult sites and blocking rootkit detection tools such as GMER and RootkitBuster to prevent easy removal from affected systems. Later variants of FAKEAV target Macs and spread via social networking sites such as Twitter and Facebook.
Various operators are behind the distribution of FAKEAV malware. Apart from the creators of the fake anti-malware file, there are traffic redirectors, site compromisers, bot herders, exploit kit creators, and other cybercriminal underground entities that push, and benefit from, the operation of FAKEAV.
This Trojan employs registry shell spawning by adding certain registry entries. Because the hijacked file type is .exe, the malware is executed each time another application is opened, without having to be launched directly.
TECHNICAL DETAILS
Installation
This Trojan drops the following copies of itself into the affected system:
- %Application Data%\av.exe
- %Application Data%\ave.exe
- %Windows%\msa.exe
(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012. %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)
It drops the following files:
- %Application Data%\1S7p66
- %Application Data%\1gx8VwiF
- %Application Data%\3pxrV41BG
- %Application Data%\Oiitd0ys0jFnW
- %Application Data%\PQ608daGr
- %Application Data%\U0k0MQl
- %Application Data%\g1oOP77
- %Application Data%\oY0vtai
- %System Root%\Documents and Settings\All Users\Application Data\1S7p66
- %System Root%\Documents and Settings\All Users\Application Data\PQ608daGr
- %System Root%\Documents and Settings\All Users\Application Data\oY0vtai
- %User Profile%\Templates\1S7p66
- %User Profile%\Templates\PQ608daGr
- %User Profile%\Templates\oY0vtai
- %User Temp%\1S7p66
- %User Temp%\PQ608daGr
- %User Temp%\oY0vtai
- %Windows%\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
- %Windows%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012. %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions. %User Profile% is a user's profile folder, where it usually is C:\Documents and Settings\{user name} on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name} on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012. %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012. %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)
Autostart Technique
This Trojan employs registry shell spawning to ensure its execution when certain file types are accessed by adding the following entries:
HKEY_CLASSES_ROOT\secfile\shell\open\command
(Default) = ""%Application Data%\av.exe" /START "%1" %*"
HKEY_CLASSES_ROOT\.exe\shell\open\command
(Default) = ""%Application Data%\av.exe" /START "%1" %*"
HKEY_CLASSES_ROOT\secfile\shell\open\command
(Default) = ""%Application Data%\ave.exe" /START "%1" %*"
HKEY_CLASSES_ROOT\.exe\shell\open\command
(Default) = ""%Application Data%\ave.exe" /START "%1" %*"
Other System Modifications
This Trojan adds the following registry keys:
HKEY_CURRENT_USER\Software\NordBull
HKEY_CURRENT_USER\Software\4VDD85L8NF
It adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows
Identity = "{hex value}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
EnableFirewall = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
DoNotAllowExceptions = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
DisableNotifications = "1"
It modifies the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify = "1"
(Note: The default value data of the said registry entry is 0.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
EnableFirewall = "0"
(Note: The default value data of the said registry entry is 1.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
DisableNotifications = "1"
(Note: The default value data of the said registry entry is 0.)
HKEY_CLASSES_ROOT\.exe
(Default) = "secfile"
(Note: The default value data of the said registry entry is exefile.)
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command
(Default) = ""%Application Data%\av.exe" /START "%Program Files%\Mozilla Firefox\firefox.exe""
(Note: The default value data of the said registry entry is %Program Files%\Mozilla Firefox\firefox.exe.)
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command
(Default) = ""%Application Data%\av.exe" /START "%Program Files%\Mozilla Firefox\firefox.exe" -safe-mode"
(Note: The default value data of the said registry entry is "%Program Files%\Mozilla Firefox\firefox.exe" -safe-mode.)
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
(Default) = ""%Application Data%\av.exe" /START "%Program Files%\Internet Explorer\iexplore.exe""
(Note: The default value data of the said registry entry is %Program Files%\Internet Explorer\iexplore.exe.)
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command
(Default) = ""%Application Data%\ave.exe" /START "%Program Files%\Mozilla Firefox\firefox.exe""
(Note: The default value data of the said registry entry is %Program Files%\Mozilla Firefox\firefox.exe.)
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command
(Default) = ""%Application Data%\ave.exe" /START "%Program Files%\Mozilla Firefox\firefox.exe" -safe-mode"
(Note: The default value data of the said registry entry is "%Program Files%\Mozilla Firefox\firefox.exe" -safe-mode.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify = "1"
(Note: The default value data of the said registry entry is 0.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify = "1"
(Note: The default value data of the said registry entry is 0.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
AntiVirusOverride = "1"
(Note: The default value data of the said registry entry is 0.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
FirewallOverride = "1"
(Note: The default value data of the said registry entry is 0.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
Start = "4"
(Note: The default value data of the said registry entry is 2.)
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
(Default) = ""%Application Data%\ave.exe" /START "%Program Files%\Internet Explorer\iexplore.exe""
(Note: The default value data of the said registry entry is %Program Files%\Internet Explorer\iexplore.exe.)
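The following read-only PowerShell check covers the registry shell spawning described under Autostart Technique (the .exe association redirected to secfile, and the handler and browser commands prefixed with av.exe or ave.exe /START) together with the Security Center, firewall policy and service changes listed under Other System Modifications. It is an added example written for defenders, not code from Trend Micro or from this entry. It assumes the clean exefile handler command is "%1" %*, takes the defaults from the notes above (the DomainProfile defaults of EnableFirewall = 1 and DisableNotifications = 0 are standard Windows values, not stated in this entry), and uses the two task file names quoted in the Installation section. It generalizes slightly by following whatever handler HKCR\.exe currently points to instead of checking only secfile.

```powershell
# Added defender-side check for the TROJ_FAKEAV registry and task indicators listed
# on this page. Not part of the Trend Micro entry. Reads only; changes nothing.

# Clean shell\open\command for an .exe handler on Windows XP/2003 (assumption).
$cleanExeCommand = '"%1" %*'

function Get-RegDefault {
    param([string]$Path)
    # Return the (Default) value of a registry key, or $null when the key is absent.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.'(default)'
}

function Get-FakeAvFindings {
    $findings = @()

    # 1. HKCR\.exe must map to 'exefile'; this variant rewrites it to 'secfile'.
    $assoc = Get-RegDefault 'Registry::HKEY_CLASSES_ROOT\.exe'
    if ($assoc -ne 'exefile') {
        $findings += "HKCR\.exe (Default) is '$assoc', expected 'exefile'"
    }

    # 2. The handler .exe points to, plus secfile and exefile themselves, must open with "%1" %*.
    $handlers = @($assoc, 'secfile', 'exefile') | Where-Object { $_ } | Select-Object -Unique
    foreach ($handler in $handlers) {
        $cmd = Get-RegDefault "Registry::HKEY_CLASSES_ROOT\$handler\shell\open\command"
        if ($null -ne $cmd -and $cmd -ne $cleanExeCommand) {
            $findings += "HKCR\$handler\shell\open\command = $cmd"
        }
    }

    # 3. Browser launch commands should not be routed through a binary in the profile
    #    (the entry shows them prefixed with %Application Data%\av.exe or ave.exe /START).
    $clients = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet'
    foreach ($client in Get-ChildItem -Path $clients -ErrorAction SilentlyContinue) {
        foreach ($verb in 'open', 'safemode') {
            $cmd = Get-RegDefault "$($client.PSPath)\shell\$verb\command"
            if ($cmd -and $cmd -match '/START|\\Application Data\\|\\AppData\\') {
                $findings += "$($client.PSChildName)\shell\$verb\command = $cmd"
            }
        }
    }

    # 4. Security Center, firewall policy and SharedAccess values with their expected defaults.
    $sc  = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    $fw  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    $expected = @(
        @{ Key = $sc; Name = 'FirewallDisableNotify';  Default = 0 },
        @{ Key = $sc; Name = 'AntiVirusDisableNotify'; Default = 0 },
        @{ Key = $sc; Name = 'UpdatesDisableNotify';   Default = 0 },
        @{ Key = $sc; Name = 'AntiVirusOverride';      Default = 0 },
        @{ Key = $sc; Name = 'FirewallOverride';       Default = 0 },
        @{ Key = "$fw\StandardProfile"; Name = 'EnableFirewall';       Default = 1 },
        @{ Key = "$fw\StandardProfile"; Name = 'DisableNotifications'; Default = 0 },
        @{ Key = "$fw\DomainProfile";   Name = 'EnableFirewall';       Default = 1 },  # standard Windows default
        @{ Key = "$fw\DomainProfile";   Name = 'DisableNotifications'; Default = 0 },  # standard Windows default
        @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'; Name = 'Start'; Default = 2 }
    )
    foreach ($e in $expected) {
        $val = (Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        if ($null -ne $val -and [int]$val -ne $e.Default) {
            $findings += "$($e.Key)\$($e.Name) = $val (default $($e.Default))"
        }
    }

    # 5. Scheduled task files named in the Installation section.
    foreach ($job in '{7B02EF0B-A410-4938-8480-9BA26420A627}.job',
                     '{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job') {
        $path = Join-Path $env:windir "Tasks\$job"
        if (Test-Path -LiteralPath $path) { $findings += "Task file present: $path" }
    }

    return $findings
}

$result = @(Get-FakeAvFindings)
if ($result.Count -eq 0) { 'No FAKEAV registry or task indicators found.' } else { $result }
```

Step 2 is the important one for cleanup planning: when HKCR\.exe points at a foreign handler whose open command launches another binary first, restoring the association alone is not enough, because the dropped handler key remains and the same command is also written directly under HKCR\.exe\shell\open\command, so both need to be checked before any file is run on the host. The Security Center values only exist on the XP/2003-era systems this entry covers; on newer Windows the keys are absent and those checks simply report nothing.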
Other Details
This Trojan connects to the following possibly malicious URLs:
- {BLOCKED}tubae.com
- {BLOCKED}lino.com
- {BLOCKED}rawe.com
- {BLOCKED}s-live-one1.com
- {BLOCKED}s-one-care2010.com
- {BLOCKED}rilos.com
- {BLOCKED}dovk.com
- {BLOCKED}s.com
- {BLOCKED}security.com
- {BLOCKED}uritygroup.com
- {BLOCKED}dat.com
- {BLOCKED}a.com
- {BLOCKED}elo.com
- {BLOCKED}security.com
- {BLOCKED}iokas.com
- {BLOCKED}oqe.com
- {BLOCKED}holu.com
- {BLOCKED}odert.com
- {BLOCKED}e.com
- {BLOCKED}itydirect.com
- {BLOCKED}formationsecurity.com
- {BLOCKED}l.com
- {BLOCKED}inos.com
- {BLOCKED}lsecurity.com
- {BLOCKED}securityinside.com
- {BLOCKED}ioskal.com
- {BLOCKED}anumba.com
- {BLOCKED}erfu.com
- {BLOCKED}tunad.com
- {BLOCKED}care.com
- {BLOCKED}care2010.com
- {BLOCKED}are.com
- {BLOCKED}are2010.com
- {BLOCKED}are2010.com
- {BLOCKED}opergul.com
- {BLOCKED}securityorg.com
- {BLOCKED}ityonline.com
- {BLOCKED}ecurityregistry.com
- {BLOCKED}-antivirus.com
- {BLOCKED}-antivirus2010.com
- {BLOCKED}antivirus2010.com
- {BLOCKED}rtahul.com
- {BLOCKED}libom.com
- {BLOCKED}ive.com
- {BLOCKED}care.com
- {BLOCKED}are.com
- {BLOCKED}are2010.com
- {BLOCKED}ive-2010.com
- {BLOCKED}ws-live.com
- {BLOCKED}ve-2010.com
- {BLOCKED}ve.com
- {BLOCKED}ive.com
- {BLOCKED}010.com
- {BLOCKED}ve.com
- {BLOCKED}e.com
- {BLOCKED}tuga.com
- {BLOCKED}lerda.com
- {BLOCKED}curityguide.com
- {BLOCKED}ertug.com
- {BLOCKED}erade.com
- {BLOCKED}-pc-care.com
- {BLOCKED}-pccare.com
- {BLOCKED}-pccare2010.com
- {BLOCKED}pc-care.com
- {BLOCKED}pccare.com
- {BLOCKED}pccare2010.com
- {BLOCKED}usaonline.com
- {BLOCKED}balin.com
- {BLOCKED}a.com
- {BLOCKED}uval.com
- {BLOCKED}uritydirect.com
- {BLOCKED}rduma.com
- {BLOCKED}kert.com
- {BLOCKED}niko.com
- {BLOCKED}lion.com
- {BLOCKED}rtag.com
- {BLOCKED}mertu.com
- {BLOCKED}ertuh.com
- {BLOCKED}-care.com
- {BLOCKED}-care2010.com
- {BLOCKED}live-care.com
- {BLOCKED}pccare.com
- {BLOCKED}care2010.com
- {BLOCKED}care21.com
- {BLOCKED}rityinfo.com
- {BLOCKED}rityplus.com