Virus: TR/FakeScanner.ziu
Date discovered: 12/11/2008
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 899.024 Bytes
MD5 checksum: 958feedf34cba174a85f4f58bb65955a
VDF version: 7.01.00.70
IVDF version: 7.01.00.77 - Thursday, November 13, 2008

General
Method of propagation:
   • No own spreading routine


Aliases:
   • Eset: Win32/Genetik
   • Bitdefender: Trojan.Generic.969530


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a file
   • Registry modification


Right after execution the following information is displayed:


Files
It copies itself to the following location:
   • %PROGRAM FILES%\PCPrivacyCleaner\pcpc.exe



It creates the following directory:
   • %PROGRAM FILES%\PCPrivacyCleaner



The following files are created:
   • %malware execution directory%\PCPrivacyCleaner.lnk
   • %ALLUSERSPROFILE%\Start Menu\Programs\PCPrivacyCleaner\PCPrivacyCleaner.lnk
   • %ALLUSERSPROFILE%\Start Menu\Programs\PCPrivacyCleaner\Uninstall PCPrivacyCleaner.lnk
   • %home%\Application Data\Microsoft\Internet Explorer\Quick Launch\PCPrivacyCleaner.lnk
   • %home%\Application Data\PCPrivacyCleaner\Logs\scns.txt



It tries to download a file:

– The location is the following:
   • http://www.instlog.pcprivacycleaner.com/**********
This file may contain further download locations and might serve as a source for new threats.

Registry
The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • PCPrivacyCleaner="%PROGRAM FILES%\PCPrivacyCleaner\pcpc.exe"



The following registry keys are added:

– [HKLM\SOFTWARE\PCPrivacyCleaner]
   • "LicenseAccepted"=hex:01
   • "InstallDate"=%hex values%
   • "ActivationCode"=%hex values%
   • "Version"=%hex values%
   • "LastScanTime"=%hex values%
   • "TotalScanCount"=%hex values%

– [HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\PCPrivacyCleaner]
   • DisplayName="PCPrivacyCleaner"
   • UninstallString=""%PROGRAM FILES%\PCPrivacyCleaner\pcpc.exe" -uninstall"
   • NoModify=dword:00000001

– [HKLM\Software\{65DE966D-11D1-4bb1-BF7E-B8A273514DAF}]
   • Version=hex:33,50,5f,55,50,43,50,43,53,45

Miscellaneous
Mutex:
It creates the following Mutex:
   • PCPrivacyCleaner%hex values%-%hex values%-%hex values%-%hex values%-%hex values%

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hamper detection and reduce the size of the file, it is packed with the following runtime packer:
   • AS Pack

Description inserted by Monica Ghitun on Tuesday, December 16, 2008
Description updated by Monica Ghitun on Tuesday, December 16, 2008
