TROJ_FAKETC.A
W32/FakeTC.A!tr (Fortinet); Trojan.FakeTC (Symantec)
Windows
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be manually installed by a user.
TECHNICAL DETAILS
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It may be manually installed by a user.
Installation
This Trojan drops the following files:
- %Program Files%\TrueCrypt\TrueCrypt User Guide.pdf
- %Program Files%\TrueCrypt\License.txt
- %Program Files%\TrueCrypt\TrueCrypt.exe
- %Program Files%\TrueCrypt\TrueCrypt Format.exe
- %Program Files%\TrueCrypt\truecrypt.sys
- %Program Files%\TrueCrypt\truecrypt-x64.sys
- %Program Files%\TrueCrypt\TrueCrypt Setup.exe
- %System%\drivers\truecrypt.sys
(Note: %Program Files% is the Program Files folder, usually C:\Program Files on all Windows operating system versions, or C:\Program Files (x86) for 32-bit applications running on 64-bit Windows operating systems. %System% is the Windows system folder, usually C:\Windows\System32 on all Windows operating system versions.)
It creates the following folders:
- %Program Files%\TrueCrypt
(Note: %Program Files% is the Program Files folder, usually C:\Program Files on all Windows operating system versions, or C:\Program Files (x86) for 32-bit applications running on 64-bit Windows operating systems.)
Autostart Technique
This Trojan registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:
HKLM\SYSTEM\ControlSet001\Services\truecrypt
ImagePath = System32\drivers\truecrypt.sys
HKLM\SYSTEM\ControlSet001\Services\truecrypt
DisplayName = truecrypt
NOTES:
This is a fake TrueCrypt application/program.