Name: TR/FakeAV.fmi
Discovered on: 30/07/2010
Type: Trojan
ITW: Yes
Number of reported infections: Low
Distribution potential: Low to medium
Damage potential: Low to medium
Static file: Yes
Size: 2,752,512 Bytes
MD5: 99e2e3c8c2aeb5fe8a572d5a0b45571f
IVDF version: 7.10.09.88 - Wednesday, 14 July 2010

General
Method of propagation:
   • Has no propagation routine of its own


Aliases:
   •  Symantec: Trojan.FakeAV!gen32
   •  Kaspersky: Packed.Win32.Katusha.o
   •  Sophos: Mal/FakeAV-BW
   •  Microsoft: Trojan:Win32/FakeVimes
   •  Panda: Adware/SecurityMasterAV
   •  PCTools: Trojan.FakeAV
   •  Eset: Win32/Kryptik.FMZ
   •  AhnLab: Win-Trojan/Fakeav.2752512


Operating system:
   • Windows 98
   • Windows 98 SE
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7
Side effects:
   • Drops files
   • Drops malicious files


Immediately after execution, the following is displayed on screen:
(screenshot not reproduced in this copy of the description)


Files
It copies itself to the following locations:
   • c:\%current directory%\SecurityMasterAV.bin
   • %ALLUSERSPROFILE%\Application Data\%random directory%\%random characters%.exe



The following file is modified:
   • %WINDIR%\system32\drivers\etc\hosts



It deletes the initially executed copy of itself.



The following files are created:

– %HOME%\Recent\%random characters%.dll
– %HOME%\Recent\%random characters%.drv
– %HOME%\Recent\%random characters%.tmp
– %ALLUSERSPROFILE%\Application Data\%random directory%\SMAV.ico
– %APPDATA%\Security Master AV\Instructions.ini
– %APPDATA%\Security Master AV\winupdate.exe
– C:\%current directory%\%random characters%.mof
– C:\%current directory%\SMAVSys\%random characters%.bd
– %ALLUSERSPROFILE%\Application Data\%random directory%\%random characters%.cfg

Registry
The following value is added to the registry so that the process is started automatically after a reboot:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Security Master AV"="\"%ALLUSERSPROFILE%\Application Data\%random directory%\%random characters%.exe\" /s /d"



The following registry keys are added. The Image File Execution Options entries make Windows start svchost.exe in place of each listed security tool whenever it is launched, so the tool itself never runs:

– [HKCU\Software\Microsoft\Internet Explorer]
   • "IIL"=dword:00000000
   • "ltHI"=dword:00000000
   • "ltTST"=dword:00008e02

– [HKCU\Software\Microsoft\Internet Explorer\BrowserEmulation]
   • "MSCompatibilityMode"=dword:00000000

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options]
   • "Debugger"="svchost.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\a.exe]
   • "Debugger"="svchost.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\aAvgApi.exe]
   • "Debugger"="svchost.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\AAWTray.exe]
   • "Debugger"="svchost.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\adaware.exe]
   • "Debugger"="svchost.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avmailc.exe]
   • "Debugger"="svchost.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\belt.exe]
   • "Debugger"="svchost.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\cfinet.exe]
   • "Debugger"="svchost.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\dcomx.exe]
   • "Debugger"="svchost.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ent.exe]
   • "Debugger"="svchost.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\fch32.exe]
   • "Debugger"="svchost.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\fullsoft.dll]
   • "Debugger"="svchost.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\hbinst.exe]
   • "Debugger"="svchost.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\htmlmm.ocx]
   • "Debugger"="svchost.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\icmon.exe]
   • "Debugger"="svchost.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\keenvalue.exe]
   • "Debugger"="svchost.exe"

– [HKCU\Software\3]
– [HKCR\SecurityMasterAV.DocHostUIHandler\Clsid]
   • @="{3F2BBC05-40DF-11D2-9455-00104BC936FF}"

– [HKCR\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}]
   • @="Implements DocHostUIHandler"

– [HKCR\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32]
   • @="c:\\xxx\\SecurityMasterAV.exe"

– [HKCR\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID]
   • @="SecurityMasterAV.DocHostUIHandler"

– [HKCR\SecurityMasterAV.DocHostUIHandler]
   • @="Implements DocHostUIHandler"

– [HKCU\Software\Microsoft\Internet Explorer\SearchScopes]
   • "URL"="http://findgala.com/?&uid=2129&q={searchTerms}"



The following registry keys are modified. With the new values Internet Explorer no longer checks the Authenticode signature of downloaded executables and runs files with a missing or invalid signature without prompting:

– [HKCU\Software\Microsoft\Internet Explorer\Download]
   Old value:
   • "CheckExeSignatures"="yes"
   • "RunInvalidSignatures"=dword:00000000
   New value:
   • "CheckExeSignatures"="no"
   • "RunInvalidSignatures"=dword:00000001
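The registry artifacts above (IFEO Debugger hijacks, the IE download signature-check downgrade and the HKCU Run autostart) can be triaged from a `reg export` of an infected machine. The script below is an added example, not code from Avira or from the sample; `SAMPLE_REG` is a constructed .reg export mirroring the keys on this page, the directory and file names standing in for the random ones are placeholders, and `KNOWN_DEBUGGERS` is an assumed allow-list of real debuggers that legitimately appear in IFEO.

```python
"""Triage a Windows .reg export for IFEO "Debugger" hijacks, the Internet
Explorer download signature-check downgrade and the HKCU Run autostart.
Added example; SAMPLE_REG is constructed to mirror the keys listed on the
page (random names replaced by placeholders)."""
import re
from typing import Dict, List, Tuple

# Constructed .reg export. The notepad.exe entry is a benign IFEO use
# (a real debugger) so that the check has something it must NOT flag.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools\\windbg.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
"RunInvalidSignatures"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Security Master AV"="\"C:\\Documents and Settings\\All Users\\Application Data\\xk3j2\\qwe9z.exe\" /s /d"
"""

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
IE_DOWNLOAD = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download"
HKCU_RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# Assumed allow-list of debuggers that legitimately show up in IFEO; adjust per fleet.
KNOWN_DEBUGGERS = {"windbg.exe", "cdb.exe", "ntsd.exe", "vsjitdebugger.exe", "drwtsn32.exe"}

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    # .reg string syntax escapes only backslash and double quote.
    return re.sub(r"\\(.)", r"\1", s)


def _parse_value(raw: str):
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    return raw  # hex:, expandable strings etc. are kept as raw text


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key path: {value name: value}} for a .reg export."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _parse_value(m.group(2))
    return keys


def _image_name(command: str) -> str:
    """Basename of the executable at the start of a command line ("quoted" or bare)."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    path = (m.group(1) or m.group(2)) if m else command
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_ifeo_hijacks(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str]]:
    """(target image, Debugger value) for IFEO entries whose debugger is not a real one.
    Windows starts the Debugger value instead of the target and hands it the target's
    command line, so "svchost.exe" here means the security tool never runs."""
    hits = []
    for key, values in keys.items():
        if not key.lower().startswith(IFEO.lower()):
            continue
        debugger = values.get("Debugger")
        if not isinstance(debugger, str):
            continue
        target = key[len(IFEO):].lstrip("\\") or "<IFEO root>"
        if _image_name(debugger) not in KNOWN_DEBUGGERS:
            hits.append((target, debugger))
    return hits


def ie_signature_checks_disabled(keys: Dict[str, Dict[str, object]]) -> bool:
    """True if IE will run downloaded executables without a valid Authenticode signature."""
    v = keys.get(IE_DOWNLOAD, {})
    return str(v.get("CheckExeSignatures", "yes")).lower() == "no" or v.get("RunInvalidSignatures") == 1


def run_entries_from_profile_data(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str]]:
    """HKCU Run entries whose image lives under an "Application Data" folder,
    which is where this sample drops its renamed copy."""
    return [(name, cmd) for name, cmd in keys.get(HKCU_RUN, {}).items()
            if isinstance(cmd, str) and "\\application data\\" in cmd.lower()]


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for target, dbg in find_ifeo_hijacks(reg):
        print(f"IFEO hijack: {target} -> {dbg}")
    print("IE signature checks disabled:", ie_signature_checks_disabled(reg))
    for name, cmd in run_entries_from_profile_data(reg):
        print(f"Run autostart: {name} = {cmd}")
```

On a live system the same checks apply to an export of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options and the two HKCU keys; the Debugger value set directly on the IFEO root (listed on this page without a subkey) is reported as `<IFEO root>`.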

Hosts file
The hosts file is modified as follows:

– The existing entries are left unchanged.

– Access to the following domains is redirected to another destination (every added entry points to the same address):
   • 74.125.45.100 4-open-davinci.com
   • 74.125.45.100 securitysoftwarepayments.com
   • 74.125.45.100 privatesecuredpayments.com
   • 74.125.45.100 secure.privatesecuredpayments.com
   • 74.125.45.100 getantivirusplusnow.com
   • 74.125.45.100 secure-plus-payments.com
   • 74.125.45.100 www.getantivirusplusnow.com
   • 74.125.45.100 www.secure-plus-payments.com
   • 74.125.45.100 www.getavplusnow.com
   • 74.125.45.100 safebrowsing-cache.google.com
   • 74.125.45.100 urs.microsoft.com
   • 74.125.45.100 www.securesoftwarebill.com
   • 74.125.45.100 secure.paysecuresystem.com
   • 74.125.45.100 paysoftbillsolution.com
   • 74.125.45.100 protected.maxisoftwaremart.com
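Two things stand out in the list above: every name is pinned to one external address, and two of the names, safebrowsing-cache.google.com (Google Safe Browsing) and urs.microsoft.com (the Internet Explorer SmartScreen/Phishing Filter lookup host), are reputation services that the browser relies on, so pinning them silently blinds those protections. The parser below is an added example, not code from Avira or from the sample; `SAMPLE_HOSTS` is constructed from a subset of the entries on this page plus the stock localhost lines, and `PROTECTION_HOSTS` is an assumed list seeded with the two names just mentioned.

```python
"""Parse a Windows hosts file and flag (a) one external address absorbing
many domains and (b) hijacked reputation-service hostnames. Added example;
SAMPLE_HOSTS is constructed from the entries listed on the page."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set, Tuple

SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 privatesecuredpayments.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
74.125.45.100 www.securesoftwarebill.com   # trailing comment
"""

# Assumed list of names whose presence in a hosts file blinds a protection:
# Google Safe Browsing and the IE SmartScreen/Phishing Filter lookup host.
# Extend with your own vendor update/telemetry hosts.
PROTECTION_HOSTS: Set[str] = {"safebrowsing-cache.google.com", "urs.microsoft.com"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """(ip, hostname) pairs; comments, blank and malformed lines are skipped."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # first column is not an address
        entries.extend((ip, name.lower()) for name in parts[1:])
    return entries


def _is_local(ip: str) -> bool:
    a = ipaddress.ip_address(ip)
    return a.is_loopback or a.is_unspecified


def find_sinkholes(entries: List[Tuple[str, str]], min_names: int = 3) -> Dict[str, List[str]]:
    """External addresses that at least min_names hostnames are pinned to.
    Blackholing to 127.0.0.1 / 0.0.0.0 is common admin practice and is ignored;
    a single routable IP absorbing many unrelated domains is not."""
    by_ip: Dict[str, List[str]] = defaultdict(list)
    for ip, name in entries:
        if not _is_local(ip):
            by_ip[ip].append(name)
    return {ip: names for ip, names in by_ip.items() if len(names) >= min_names}


def find_protection_hijacks(entries: List[Tuple[str, str]]) -> Dict[str, str]:
    """{hostname: ip} for protection hosts pinned to any address at all:
    these names have no business in a hosts file."""
    return {name: ip for ip, name in entries if name in PROTECTION_HOSTS}


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for ip, names in find_sinkholes(hosts).items():
        print(f"{ip} absorbs {len(names)} names: {', '.join(names)}")
    for name, ip in find_protection_hijacks(hosts).items():
        print(f"protection host hijacked: {name} -> {ip}")
```

Run it against %WINDIR%\system32\drivers\etc\hosts copied off the machine; the sinkhole check deliberately ignores loopback and 0.0.0.0 so that ordinary ad-blocking hosts files do not trigger it.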


File details
Runtime packer:
To hinder detection and reduce the file size, a runtime packer is used.

Description created by Carlos Valero Llabata on Friday, 6 August 2010
Description modified by Carlos Valero Llabata on Friday, 6 August 2010
