Virus: TR/Dldr.FraudLoa.EF
Date discovered: 12/12/2008
Type: Trojan
Subtype: Downloader
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 135.168 Bytes
MD5 checksum: dfe9f891d747ea09df8496285378e18e
IVDF version: 7.01.00.225 - Friday, December 12, 2008

General Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: Antivirus2009
   •  Kaspersky: Trojan-Downloader.Win32.FraudLoad.vecg
   •  F-Secure: Trojan-Downloader.Win32.FraudLoad.vecg
   •  Sophos: Mal/FakeAV-I
   •  Panda: Adware/Xpantivirus2008
   •  Grisoft: FakeAlert.DR


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Registry modification


Right after execution the following information is displayed:


Files:
The following file is created:
   • %malware execution directory%\$$$$$$$$.bat
It is executed as soon as it has been fully written. This batch file is used to delete a file.



It tries to download a file:

– The location is the following:
   • http://securedupdatedownloads.com/**********/av_2009glof.exe
It is saved on the local hard drive under:
   • %PROGRAM FILES%\Antivirus 2009\av2009.exe
This file is executed once the download has completed. Further investigation showed that this file is malware, too. Detected as: TR/Fakealert.MT

Registry:
The following registry key is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "%several random numbers from 0 to 9%"="C:\Program Files\\Antivirus 2009\\av2009.exe"
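As an added defensive check (example code, not from Avira or the description above), the following Python parses a .reg export of the HKCU Run key and flags entries showing the two persistence indicators documented here: a value name made only of digits, or data that launches av2009.exe from the Antivirus 2009 directory. The export it reads is a constructed sample.

```python
import re

# Constructed .reg export of the HKCU Run key (sample data, not from the page);
# the last value mirrors the persistence entry the description documents.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"4827391057"="C:\\Program Files\\Antivirus 2009\\av2009.exe"
'''

RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
# A REG_SZ line looks like "name"="data"; backslashes and quotes are escaped with '\'.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def reg_unescape(s):
    """Undo .reg escaping (backslash-backslash and backslash-quote)."""
    return re.sub(r'\\(.)', r'\1', s)

def parse_run_values(reg_text):
    """Return (name, data) pairs found under the HKCU Run key of a .reg export."""
    in_run_key = False
    values = []
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            in_run_key = line[1:-1].lower() == RUN_KEY
            continue
        m = VALUE_RE.match(line)
        if in_run_key and m:
            values.append((reg_unescape(m.group(1)), reg_unescape(m.group(2))))
    return values

def suspicious_run_entries(reg_text):
    """Flag Run entries matching the indicators from the description:
    a value name made only of digits, or data pointing at av2009.exe."""
    findings = []
    for name, data in parse_run_values(reg_text):
        reasons = []
        if name.isdigit():
            reasons.append("value name consists only of digits")
        if data.lower().endswith(r"\antivirus 2009\av2009.exe"):
            reasons.append(r"runs Antivirus 2009\av2009.exe")
        if reasons:
            findings.append((name, data, reasons))
    return findings

if __name__ == "__main__":
    for name, data, reasons in suspicious_run_entries(SAMPLE_REG):
        print(f'"{name}"="{data}": {"; ".join(reasons)}')
```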

File details:
Programming language:
The malware program was written in Delphi.


Runtime packer:
To hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Thomas Wegele on Thursday, December 18, 2008
Description updated by Thomas Wegele on Thursday, December 18, 2008
