Virus: BDS/Frauder.bu
Date discovered: 29/08/2008
Type: Backdoor Server
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low
Damage Potential: Low to medium
Static file: No
File size: ~203.776 Bytes
IVDF version: 7.00.06.89 - Friday, August 29, 2008

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: Trojan.Blusod
   •  Mcafee: Downloader-ASH.gen.b trojan
   •  Kaspersky: Backdoor.Win32.Frauder.bu
   •  F-Secure: Backdoor.Win32.Frauder.bu
   •  Sophos: Mal/EncPk-EU
   •  Panda: Adware/RogueAntimalware2008
   •  Grisoft: Downloader.FraudLoad.N
   •  Eset: a variant of Win32/Kryptik.E trojan
   •  Bitdefender: Trojan.FakeAlert.ACR


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Drops malicious files
   • Registry modification


It displays the content of a created pictorial file:


Files
It copies itself to the following location:
   • %SYSDIR%\lphc1boj0e39c.exe



The following files are created:

%TEMPDIR%\.tt1.tmp.vbs Furthermore, it is executed once it has been fully created. Further investigation showed that this file is malware, too. Detected as: VBS/Agent.1002

%SYSDIR%\blphc1boj0e39c.scr Furthermore, it is executed once it has been fully created. Further investigation showed that this file is malware, too. Detected as: JOKE/BlueScreen.B

%SYSDIR%\phc1boj0e39c.bmp Further investigation showed that this file is malware, too. Detected as: TR/Fakealert.AAF




It tries to download a file:

– The location is the following:
   • http://stat.antivirusxp-2008.net/**********/common/16.gif
It is saved on the local hard drive under: C:\Documents and Settings\makrorechner\Local Settings\Temp\.tt4.tmp Furthermore, this file is executed once it has been fully downloaded. Further investigation showed that this file is malware, too, and contains malicious code.

Registry
One of the following values is added in order to run the process after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "lphc1boj0e39c"="%SYSDIR%\lphc1boj0e39c.exe"



The following registry keys are added:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   • "NoDispBackgroundPage"=dword:00000001
   • "NoDispScrSavPage"=dword:00000001

– [HKLM\SOFTWARE\Microsoft\Software Notifier]
   • "InstallID"="858948ee-a000-4255-86f8-9e3baeb448b6"



The following registry keys are changed:

– [HKCU\Control Panel\Colors]
   New value:
   • "Background"="0 0 255"

– [HKCU\Control Panel\Desktop]
   New value:
   • "WallpaperStyle"="0"
   • "TileWallpaper"="0"
   • "Wallpaper"="%SYSDIR%\phc1boj0e39c.bmp"
   • "OriginalWallpaper"="%SYSDIR%\phc1boj0e39c.bmp"
   • "ConvertedWallpaper"="%SYSDIR%\phc1boj0e39c.bmp"
   • "SCRNSAVE.EXE"="%SYSDIR%\blphc1boj0e39c.scr"
   • "ScreenSaveActive"="1"
   • "ScreenSaveTimeOut"="600"
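To turn the file and registry indicators listed above into a check, the following is an added example (not part of the Avira description) that parses a text dump of the affected keys, such as the output of `reg export`, and flags the Run entry, the two Policies\System values and the desktop wallpaper/screensaver settings. The export text is constructed for the example, and treating the lphc*.exe / blphc*.scr / phc*.bmp naming as more than this one sample is an assumption.

```python
import re

# Constructed .reg export (not from the page) mirroring the listed registry state, %SYSDIR% expanded.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lphc1boj0e39c"="C:\\WINDOWS\\system32\\lphc1boj0e39c.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000001
"NoDispScrSavPage"=dword:00000001
[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\WINDOWS\\system32\\phc1boj0e39c.bmp"
"SCRNSAVE.EXE"="C:\\WINDOWS\\system32\\blphc1boj0e39c.scr"
"""

# Naming taken from this sample (lphc*.exe, blphc*.scr, phc*.bmp); generalising it is an assumption.
SUSPECT_NAME = re.compile(r"^(bl|l)?phc[0-9a-z]+\.(exe|scr|bmp)$", re.I)
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-f]{8}))$', re.I)


def parse_reg(text):
    """Turn a .reg export into {key: {name: value}}; keys and names are lowercased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current and (m := VALUE_RE.match(line)):
            name, s, d = m.groups()
            # dword values become ints; string values get their doubled backslashes collapsed
            keys[current][name.lower()] = int(d, 16) if d else s.replace("\\\\", "\\")
    return keys


def find_indicators(text):
    """Return one finding per matching Run entry, policy lockout value and desktop setting."""
    reg, findings = parse_reg(text), []
    run = reg.get(r"hkey_local_machine\software\microsoft\windows\currentversion\run", {})
    for name, path in run.items():
        if SUSPECT_NAME.match(str(path).rsplit("\\", 1)[-1]):
            findings.append(f"Run entry '{name}' starts {path}")
    pol = reg.get(r"hkey_current_user\software\microsoft\windows\currentversion\policies\system", {})
    for flag in ("nodispbackgroundpage", "nodispscrsavpage"):
        if pol.get(flag) == 1:  # hides the Background / Screen Saver tab so the user cannot undo the change
            findings.append(f"Policy {flag}=1 hides a Display Properties tab")
    desk = reg.get(r"hkey_current_user\control panel\desktop", {})
    for name in ("wallpaper", "scrnsave.exe"):
        if SUSPECT_NAME.match(str(desk.get(name, "")).rsplit("\\", 1)[-1]):
            findings.append(f"Desktop {name} points at {desk[name]}")
    return findings
```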

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Andreas Feuerstein on Friday, September 5, 2008
Description updated by Andreas Feuerstein on Friday, September 5, 2008
