TROJ_FAKEAV.ZZM

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to certain URLs. It may do this to remotely inform a malicious user of its installation. It may also do this to download possibly malicious files onto the computer, which puts the computer at a greater risk of infection by other threats. It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system. As of this writing, the said sites are inaccessible.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system:

• %System Root%\Documents and Settings\All Users\Application Data\{random name}\{random name}.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It drops the following files:

• %System Root%\Documents and Settings\All Users\Application Data\{random name}\{random name}

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It creates the following folders:

• %System Root%\Documents and Settings\All Users\Application Data\{random name}

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Download Routine

This Trojan connects to the following malicious URLs:

• http://{BLOCKED}.{BLOCKED}.53.223/install.php?affid={random number}

It accesses the following websites to download files:

• http://{BLOCKED}.{BLOCKED}.53.223/lurl.php?affid={random number}
• http://{BLOCKED}0.xxx.com/{unknown-0}.exe
• http://{BLOCKED}1.xxx.com/{unknown-1}.exe
• http://{BLOCKED}2.xxx.com/{unknown-2}.exe
• http://{BLOCKED}3.xxx.com/{unknown-3}.exe
• http://{BLOCKED}4.xxx.com/{unknown-4}.exe
• http://{BLOCKED}5.xxx.com/{unknown-5}.exe
• http://{BLOCKED}6.xxx.com/{unknown-6}.exe
• http://{BLOCKED}7.xxx.com/{unknown-7}.exe
• http://{BLOCKED}8.xxx.com/{unknown-8}.exe
• http://{BLOCKED}9.xxx.com/{unknown-9}.exe
• http://{BLOCKED}a.xxx.com/{unknown-10}.exe
• http://{BLOCKED}b.xxx.com/{unknown-11}.exe
• http://{BLOCKED}c.xxx.com/{unknown-12}.exe
• http://{BLOCKED}d.xxx.com/{unknown-13}.exe
• http://{BLOCKED}e.xxx.com/{unknown-14}.exe
• http://{BLOCKED}f.xxx.com/{unknown-15}.exe
• http://{BLOCKED}g.xxx.com/{unknown-16}.exe
• http://{BLOCKED}h.xxx.com/{unknown-17}.exe

It saves the files it downloads using the following names:

• %User Temp%\a{random hexadecimal number 1}.tmp
• %User Temp%\a{random hexadecimal number 2}.tmp
• %User Temp%\a{random hexadecimal number 3}.tmp
• %User Temp%\a{random hexadecimal number 4}.tmp
• %User Temp%\a{random hexadecimal number 5}.tmp
• %User Temp%\a{random hexadecimal number 6}.tmp
• %User Temp%\a{random hexadecimal number 7}.tmp
• %User Temp%\a{random hexadecimal number 8}.tmp
• %User Temp%\a{random hexadecimal number 9}.tmp
• %User Temp%\a{random hexadecimal number 10}.tmp
• %User Temp%\a{random hexadecimal number 11}.tmp
• %User Temp%\a{random hexadecimal number 12}.tmp
• %User Temp%\a{random hexadecimal number 13}.tmp
• %User Temp%\a{random hexadecimal number 14}.tmp
• %User Temp%\a{random hexadecimal number 15}.tmp
• %User Temp%\a{random hexadecimal number 16}.tmp
• %User Temp%\a{random hexadecimal number 17}.tmp
• %User Temp%\a{random hexadecimal number 18}.tmp
• %User Temp%\a{random hexadecimal number 19}.tmp

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

As of this writing, the said sites are inaccessible.