TROJ_FAKEAV.JBR

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes then deletes itself afterward.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following component file(s):

• %User Temp%\6o4v7yr6ikfw18072u
• %AppDataLocal%\6o4v7yr6ikfw18072u
• %All Users Profile%\6o4v7yr6ikfw18072u (Windows Vista and higher versions)
• %All Users Profile%\Application Data\6o4v7yr6ikfw18072u (Versions lower than Windows Vista)
• %User Profile%\AppData\Roaming\Microsoft\Windows\Templates\6o4v7yr6ikfw18072u (Windows Vista and higher versions)
• %User Profile%\Templates\6o4v7yr6ikfw18072u (Versions lower than Windows Vista)

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.. %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7.. %All Users Profile% is the All Users or Common profile folder, which is C:\Documents and Settings\All Users in Windows 2000, XP, and Server 2003, and C:\ProgramData in Windows Vista and 7.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It drops the following copies of itself into the affected system:

• %AppDataLocal%\{three random letters}.exe

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7.)

It executes then deletes itself afterward.

Other System Modifications

This Trojan adds the following registry keys:

HKEY_CLASSES_ROOT\3ww

It adds the following registry entries:

HKEY_CLASSES_ROOT\3ww\shell\
open\command
Default = ""%AppDataLocal%\{three random letters}.exe" -a "%1" %*"

HKEY_CLASSES_ROOT\.exe\shell\
open\command
Default = ""%AppDataLocal%\{three random letters}.exe" -a "%1" %*"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
HideSCAHealth = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusOverride = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallOverride = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UpdatesDisableNotify = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile
EnableFirewall = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile
DoNotAllowExceptions = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile
DisableNotifications = "1"

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\
StartMenuInternet\IEXPLORE.EXE\shell\
open\command
Default = ""%AppDataLocal%\{three random letters}.exe" -a "%Program Files%\Internet Explorer\iexplore.exe""

(Note: The default value data of the said registry entry is Default = "%Program Files%\Internet Explorer\iexplore.exe".)

HKEY_CLASSES_ROOT\.exe
Default = "3ww"

(Note: The default value data of the said registry entry is "exefile".)

It deletes the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\wscsvc

Other Details

This Trojan connects to the following possibly malicious URL:

• {BLOCKED}7.com
• {BLOCKED}y.com