TROJ_FAKEAV.SMFB
Windows 98, ME, NT, 2000, XP, Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
However, as of this writing, the said sites are inaccessible.
It accesses websites to download files. This allows the malware to add other malware to the affected computer. It then executes the downloaded files, so that their malicious routines are exhibited on the affected system.
TECHNICAL DETAILS
Arrival Details
However, as of this writing, the said sites are inaccessible.
Installation
This Trojan drops the following copies of itself into the affected system:
- %Program Files%\Common Files\Microsoft Shared\DW\NetworkDW20.exe
- %Program Files%\Common Files\Microsoft Shared\Database Replication\Resources\1033\resdllwzcnfrc.exe
- %Program Files%\Common Files\Microsoft Shared\MSDesigners7\Resources\1033\StudioVisual.exe
- %Program Files%\Common Files\Microsoft Shared\MSENV\EnvironmentMicrosoft7.00.9064.9112.exe
- %Program Files%\Common Files\Microsoft Shared\TRANSLAT\ESEN\TranslationDictionaries.exe
- %Program Files%\Common Files\SpeechEngines\Microsoft\SR61\1033\EngineITNGRAM.exe
- %Program Files%\Common Files\System\MSMAPI\1033\OfficeMicrosoft1.0.2536.0.exe
- %Program Files%\Common Files\System\msadc\msadcoData.exe
- %Program Files%\MSN\MSNCoreFiles\POPCMicrosoftR.exe
- %Program Files%\Microsoft Office\MEDIA\OFFICE11\AUTOSHAP\versionMicrosoft.exe
- %Program Files%\Microsoft Office\OFFICE11\Migration\MIGRATEOffice11.0.5510.exe
- %Program Files%\Microsoft Office\OFFICE11\Migration\OfficeOffice11.0.5510.exe
(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)
Autostart Technique
This Trojan adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MicrosoftEnvironment = %Program Files%\common files\microsoft shared\msenv\environmentmicrosoft7.00.9064.9112.exe
MicrosoftOffice = %Program Files%\microsoft office\office11\migration\migrateoffice11.0.5510.ex
MicrosoftOrganizer = %Program Files%\microsoft office\media\office11\autoshap\versionmicrosoft.exe
SPSRXUIMicrosoft = %Program Files%\common files\speechengines\microsoft\sr61\1033\engineitngram.exe
TranslationMicrosoft1021091 = %Program Files%\common files\microsoft shared\translat\esen\translationdictionaries.exe
{malware name} = {malware path and name}
msdfmapMicrosoft = %Program Files%\common files\system\msadc\msadcodata.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MicrosoftRMicrosoftR = %Program Files%\msn\msncorefiles\popcmicrosoftr.exe
MicrosoftVisual = %Program Files%\common files\microsoft shared\msdesigners7\resources\1033\studiovisual.exe
OfficeMIGRATE = %Program Files%\microsoft office\office11\migration\officeoffice11.0.5510.exe
ReportingWatson = %Program Files%\common files\microsoft shared\dw\networkdw20.exe
bjablr32emsmdb32 = %Program Files%\common files\system\msmapi\1033\officemicrosoft1.0.2536.0.exe
{malware name} = {malware path and name}
wzcnfrcwzcnfrc = %Program Files%\common files\microsoft shared\database replication\resources\1033\resdllwzcnfrc.exe
(Note: The RunServices key is processed only by Windows 95, 98, and ME. Windows NT-based systems, including 2000, XP, and Server 2003, ignore it, so on those systems only the Run entries above actually provide persistence; the RunServices entries remain useful as indicators of compromise.)
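The indicators in the Installation and Autostart Technique sections can be turned into a quick triage check. The block below is an added example, not part of the original encyclopedia entry: it parses `reg query` output for the Run and RunServices keys (assuming the standard layout of one key line followed by indented `name  REG_TYPE  data` lines), flags values whose name or target executable matches the entries listed above, and checks whether the dropped copies exist under a given Program Files directory. The registry dump embedded in the block is constructed for illustration, and the function names are the example's own.

```python
"""Triage helper built from the TROJ_FAKEAV.SMFB indicators listed above.
Added example, not part of the original entry; the reg query dump is constructed."""
import ntpath
import os
import re
from typing import List, Tuple

# Copies the Trojan drops, relative to %Program Files% (from the Installation section).
DROPPED_RELATIVE_PATHS = [
    r"Common Files\Microsoft Shared\DW\NetworkDW20.exe",
    r"Common Files\Microsoft Shared\Database Replication\Resources\1033\resdllwzcnfrc.exe",
    r"Common Files\Microsoft Shared\MSDesigners7\Resources\1033\StudioVisual.exe",
    r"Common Files\Microsoft Shared\MSENV\EnvironmentMicrosoft7.00.9064.9112.exe",
    r"Common Files\Microsoft Shared\TRANSLAT\ESEN\TranslationDictionaries.exe",
    r"Common Files\SpeechEngines\Microsoft\SR61\1033\EngineITNGRAM.exe",
    r"Common Files\System\MSMAPI\1033\OfficeMicrosoft1.0.2536.0.exe",
    r"Common Files\System\msadc\msadcoData.exe",
    r"MSN\MSNCoreFiles\POPCMicrosoftR.exe",
    r"Microsoft Office\MEDIA\OFFICE11\AUTOSHAP\versionMicrosoft.exe",
    r"Microsoft Office\OFFICE11\Migration\MIGRATEOffice11.0.5510.exe",
    r"Microsoft Office\OFFICE11\Migration\OfficeOffice11.0.5510.exe",
]
DROPPED_BASENAMES = {ntpath.basename(p).lower() for p in DROPPED_RELATIVE_PATHS}

# Value names the Trojan writes under ...\CurrentVersion\Run and \RunServices (lower-cased).
AUTORUN_VALUE_NAMES = {
    "microsoftenvironment", "microsoftoffice", "microsoftorganizer", "spsrxuimicrosoft",
    "translationmicrosoft1021091", "msdfmapmicrosoft", "microsoftrmicrosoftr",
    "microsoftvisual", "officemigrate", "reportingwatson", "bjablr32emsmdb32", "wzcnfrcwzcnfrc",
}
_AUTORUN_BASE = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
AUTORUN_KEYS = {_AUTORUN_BASE, _AUTORUN_BASE + "services"}

# `reg query` prints each value as: <indent>name<spaces>REG_TYPE<spaces>data
_VALUE_LINE = re.compile(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$")
# Executable part of a command line: optional opening quote, then up to the first ".exe".
_EXE_PATH = re.compile(r'^"?(.+?\.exe)\b', re.IGNORECASE)


def parse_reg_query(text: str) -> List[Tuple[str, str, str]]:
    """Turn `reg query` output into (key, value name, data) triples."""
    entries, key = [], None
    for line in text.splitlines():
        if line.startswith(("HKEY_", "HKLM\\", "HKCU\\")):
            key = line.strip()
            continue
        m = _VALUE_LINE.match(line)
        if m and key:
            entries.append((key, m.group(1), m.group(3).strip()))
    return entries


def target_basename(data: str) -> str:
    """Lower-cased file name the value points at. The Trojan writes unquoted paths that
    contain spaces, so splitting on whitespace would be wrong; cut at the first .exe."""
    m = _EXE_PATH.match(data.strip())
    path = m.group(1) if m else data.strip().strip('"')
    return ntpath.basename(path).lower()


def find_fakeav_smfb(entries) -> List[Tuple[str, str, str, str]]:
    """Flag Run/RunServices values whose name or target matches the indicators."""
    hits = []
    for key, name, data in entries:
        norm_key = key.lower().replace("hklm\\", "hkey_local_machine\\", 1)
        if norm_key not in AUTORUN_KEYS:
            continue
        reasons = []
        if name.lower() in AUTORUN_VALUE_NAMES:
            reasons.append("value name")
        if target_basename(data) in DROPPED_BASENAMES:
            reasons.append("target file")
        if reasons:
            hits.append((key, name, data, ", ".join(reasons)))
    return hits


def dropped_files_present(program_files_dir: str) -> List[str]:
    """Full paths of the listed copies that exist under program_files_dir.
    Run once per Program Files directory on 64-bit systems (see the note above)."""
    found = []
    for rel in DROPPED_RELATIVE_PATHS:
        full = os.path.join(program_files_dir, *rel.split("\\"))
        if os.path.exists(full):
            found.append(full)
    return found


# Constructed dump: two infected values, one renamed value pointing at a dropped copy,
# and one benign entry (with spaces in its name) that must not be flagged.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Adobe Reader Speed Launcher    REG_SZ    "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    MicrosoftEnvironment    REG_SZ    C:\Program Files\common files\microsoft shared\msenv\environmentmicrosoft7.00.9064.9112.exe
    Updater    REG_SZ    "C:\Program Files\Microsoft Office\OFFICE11\Migration\MIGRATEOffice11.0.5510.exe" /quiet

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    ReportingWatson    REG_SZ    C:\Program Files\common files\microsoft shared\dw\networkdw20.exe
"""

if __name__ == "__main__":
    for key, name, data, why in find_fakeav_smfb(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"{key}\\{name} -> {data}  [{why}]")
    for path in dropped_files_present(r"C:\Program Files"):
        print("dropped copy present:", path)
```

Matching on the target file name as well as the value name catches the case where the value name is not one of the fixed names listed above (the `{malware name}` placeholders), as the renamed `Updater` entry in the sample shows. On a live host, feed the script the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"` and the corresponding RunServices query.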
Other System Modifications
This Trojan adds the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\Setup\Files
1 = {Random Hex Values}
2 = {Random Hex Values}
3 = {Random Hex Values}
4 = {Random Hex Values}
5 = {Random Hex Values}
6 = {Random Hex Values}
7 = {Random Hex Values}
Download Routine
This Trojan accesses websites to download the following files:
- http://{BLOCKED}place.biz/getfile.php
- http://{BLOCKED}place.biz/httpss/ldr123.php
It executes the downloaded files: