TROJ_FAKEAV.REO
Trojan.Win32.FakeAV.cvmr [Kaspersky] Rogue:Win32/FakeRean [Microsoft]
Windows 2000, Windows XP, Windows Server 2003
![](/vinfo/imgFiles/legend.jpg)
Threat Type: Trojan
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It modifies certain registry entries to disable Security Center functions. Doing this allows this malware to execute its routines without being detected.
It displays fake alerts that warn users of infection. It also displays fake scanning results of the affected system. It then asks for users to purchase it once scanning is completed. If users decide to purchase the rogue product, users are directed to a certain website asking for sensitive information, such as credit card numbers.
TECHNICAL DETAILS
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following files:
- %Root%\Documents and Settings\All Users\Application Data\2q7661e0ieqeq22yg12g
- %User Profile%\Local Settings\Application Data\2q7661e0ieqeq22yg12g
- %User Profile%\Local Settings\Temp\2q7661e0ieqeq22yg12g
- %User Profile%\Templates\2q7661e0ieqeq22yg12g
(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)
It drops the following copies of itself into the affected system:
- %User Profile%\Local Settings\Application Data\mcc.exe
(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)
Other System Modifications
This Trojan adds the following registry entries as part of its installation routine:
HKEY_CLASSES_ROOT\.exe\shell
HKEY_CLASSES_ROOT\.exe\shell\
runas
HKEY_CLASSES_ROOT\exefile\shell\
open\command
IsolatedCommand = "%1" %*
HKEY_CLASSES_ROOT\exefile\shell\
runas\command
IsolatedCommand = "%1" %*
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile
EnableFirewall = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile
DoNotAllowExceptions = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile
DisableNotifications = 1
It modifies the following registry entries:
HKEY_CLASSES_ROOT\exefile\shell\
open\command
(Default) = %User Profile%\Local Settings\Application Data\mcc.exe" -a "%1" %*
(Note: The default value data of the said registry entry is "%1" %*.)
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\
StartMenuInternet\FIREFOX.EXE\shell\
open\command
(Default) = "%User Profile%\Local Settings\Application Data\mcc.exe" -a "%Program Files%\Mozilla Firefox\firefox.exe"
(Note: The default value data of the said registry entry is %Program Files%\Mozilla Firefox\firefox.exe.)
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\
StartMenuInternet\FIREFOX.EXE\shell\
safemode\command
(Default) = "%User Profile%\Local Settings\Application Data\mcc.exe" -a "%Program Files%\Mozilla Firefox\firefox.exe" -safe-mode
(Note: The default value data of the said registry entry is "%Program Files%\Mozilla Firefox\firefox.exe" -safe-mode.)
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\
StartMenuInternet\IEXPLORE.EXE\shell\
open\command
(Default) = "%User Profile%\Local Settings\Application Data\mcc.exe" -a "%Program Files%\Internet Explorer\iexplore.exe"
(Note: The default value data of the said registry entry is "%Program Files%\Internet Explorer\iexplore.exe".)
It modifies the following registry entries to disable Security Center functions:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusDisableNotify = 1
(Note: The default value data of the said registry entry is 0.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallDisableNotify = 1
(Note: The default value data of the said registry entry is 0.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UpdatesDisableNotify = 1
(Note: The default value data of the said registry entry is 0.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusOverride = 1
(Note: The default value data of the said registry entry is 0.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallOverride = 1
(Note: The default value data of the said registry entry is 0.)
It deletes the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wuauserv
Other Details
This Trojan connects to the following possibly malicious URL:
- http://{BLOCKED}oqylalewe.com/1023000113
- http://{BLOCKED}udyto.com/1023000113
- http://{BLOCKED}ygerulusi.com/1023000113
- http://{BLOCKED}uvomopozy.com/1023000113
- http://{BLOCKED}ekis.com/1023000113
- http://{BLOCKED}avoriqofe.com/1023000113
- http://{BLOCKED}owydyni.com/1023000113
- http://{BLOCKED}ukoc.com/1023000113
- http://{BLOCKED}odudag.com/1023000113
- http://{BLOCKED}ocuqu.com/1023000113
- http://{BLOCKED}umex.com/1023000113
- http://{BLOCKED}anuvaz.com/1023000113
Rogue Antivirus Routine
This Trojan displays fake alerts that warn users of infection. It also displays fake scanning results of the affected system. It then asks for users to purchase it once scanning is completed. If users decide to purchase the rogue product, users are directed to a certain website asking for sensitive information, such as credit card numbers.