TROJ_FAKETC.A

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be manually installed by a user.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be manually installed by a user.

Installation

This Trojan drops the following files:

• %Program Files%\TrueCrypt\TrueCrypt User Guide.pdf
• %Program Files%\TrueCrypt\License.txt
• %Program Files%\TrueCrypt\TrueCrypt.exe
• %Program Files%\TrueCrypt\TrueCrypt Format.exe
• %Program Files%\TrueCrypt\truecrypt.sys
• %Program Files%\TrueCrypt\truecrypt-x64.sys
• %Program Files%\TrueCrypt\TrueCrypt Setup.exe
• %System%\drivers\truecrypt.sys;

(Note: %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It creates the following folders:

• %Program Files%\TrueCrypt

(Note: %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.)

Autostart Technique

This Trojan registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKLM\SYSTEM\ControlSet001\
Services\truecrypt
ImagePath = System32\drivers\truecrypt.sys

HKLM\SYSTEM\ControlSet001\
Services\truecrypt
DisplayName = truecrypt

NOTES:

This is a fake TrueCrypt application/program.