Analysis by: JasperM
 PLATFORM:

Windows 2000, XP, Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

This Trojanl uses social engineering methods to lure users into performing certain actions that may, directly or indirectly, cause malicious routines to be performed. Specifically, it uses Trend Micro to lure users that the package came from a real antivirus company.

To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.

This Trojan saves downloaded files into the said created folder.

  TECHNICAL DETAILS

File Size: 86,016 bytes
File Type: PE
Memory Resident: No
Initial Samples Received Date: 03 Sep 2010

Installation

This Trojan creates the following folders:

  • {Trend Micro directory}\OfficeScan\PCCSRV\Download
  • {Trend Micro directory}\OfficeScan\PCCSRV\Download\Engine
  • {Trend Micro directory}\OfficeScan\PCCSRV\Pccnt\Drv
  • {Trend Micro directory}\OfficeScan\PCCSRV\Pccnt\Disk1

Download Routine

This Trojan saves downloaded files into the said created folder.

Other Details

This Trojan does the following:

  • It copies several .ini and .sys files from various folders to the created folders.
  • It extracts the contents of tmengNT.zip and renames all .sys files to .bin.
  • It may add certain files specified by the malicious user.
  • It then compresses files and replaces the original Office Scan engine files.
  • It replaces the original vsapint.sys with a file detected as TROJ_FAKETM.A.

  SOLUTION

Minimum Scan Engine: 8.900
VSAPI OPR PATTERN File: 7.442.02
VSAPI OPR PATTERN Date: 07 Sep 2010

Step 1

Download and apply this security patch Refrain from using these products until the appropriate patches have been installed. Trend Micro advises users to download critical patches upon release by vendors.  

  • Users of OSCE 10, download the patch here
  • Users of OSCE 8, download the patch here

Step 2

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 3

Remove malware files dropped/downloaded by TROJ_FAKETM.C

    •  TROJ_FAKETM.A

Step 4

Scan your computer with your Trend Micro product to delete files detected as TROJ_FAKETM.C. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.