Virus: TR/Dldr.FraudLo.sxm
Date discovered: 13/07/2009
Type: Security Privacy Risk
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
Static file: No
VDF version: 7.01.04.223

General

Method of propagation:
• No own spreading routine

Aliases:
• Kaspersky: Trojan-Downloader.Win32.FraudLoad.wner
• F-Secure: Trojan-Downloader.Win32.FraudLoad.wner
• Eset: Win32/Kryptik.AAL

Platform / OS:
• Windows XP

Side effects:
• Downloads malicious files
• Registry modification

Right after execution the following information is displayed:

Files

It copies itself to the following location:
• %program files%\HomeAntivirus2010\Uninstall.exe

The following files are created:

– Non malicious files:
• %program files%\HomeAntivirus2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
• %program files%\HomeAntivirus2010\Microsoft.VC80.CRT\msvcm80.dll
• %program files%\HomeAntivirus2010\Microsoft.VC80.CRT\msvcp80.dll
• %program files%\HomeAntivirus2010\Microsoft.VC80.CRT\msvcr80.dll
• %program files%\HomeAntivirus2010\data\daily.cvd
• %program files%\HomeAntivirus2010\pthreadVC2.dll
• %program files%\HomeAntivirus2010\htmlayout.dll
• %randomly chosen directory%\%random words%

– Temporary files that might be deleted afterwards:
• %tempdir%\prm%number%
• %tempdir%\wr%number%
• %tempdir%\clamav-%32 random hexa numbers%\daily.db
• %tempdir%\clamav-%32 random hexa numbers%\daily.hdb
• %tempdir%\clamav-%32 random hexa numbers%\daily.hdu
• %tempdir%\clamav-%32 random hexa numbers%\daily.mdb
• %tempdir%\clamav-%32 random hexa numbers%\daily.ndb
• %tempdir%\clamav-%32 random hexa numbers%\daily.wdb
• %tempdir%\clamav-%32 random hexa numbers%\daily.pdb
• %tempdir%\clamav-%32 random hexa numbers%\daily.cfg
• %tempdir%\clamav-%32 random hexa numbers%\daily.fp
• %tempdir%\clamav-%32 random hexa numbers%\daily.zmd
• %tempdir%\clamav-%32 random hexa numbers%\daily.mdu
• %tempdir%\clamav-%32 random hexa numbers%\daily.ndu
• %tempdir%\clamav-%32 random hexa numbers%\daily.info

– %program files%\HomeAntivirus2010\HomeAntivirus2010.exe
  It is executed as soon as it has been fully written to disk. Detected as: TR/Dldr.FraudLo.sxm

– %program files%\HomeAntivirus2010\AVEngn.dll
  Detected as: TR/Dldr.FraudLo.sxm

– %program files%\HomeAntivirus2010\wscui.cpl
  Detected as: TR/Dldr.FraudLo.sxm

– %systemdir%\_scui.cpl
  Detected as: TR/Dldr.FraudLo.sxm

It tries to download some files from the following locations; each is saved on the local hard drive under %temporary internet files%:
• http://user:@bugermanosatora.com/files/ha21/Binaries1.cab
• http://user:************@bugermanosatora.com/files/BinariesAVE.cab
• http://user:************@bugermanosatora.com/files/BinariesAdd.cab
• http://user:************@bugermanosatora.com/files/ha21/BinariesGUI.cab
• http://user:************@bugermanosatora.com/files/BinariesSC.cab
• http://user:************@bugermanosatora.com/files/BinariesUpd.cab

Registry

The following registry key is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "Home Antivirus 2010"="\"%PROGRAM FILES%\HomeAntivirus2010\HomeAntivirus2010.exe\" /hide"

The following registry keys are added:
– [HKCU\Control Panel\don't load]
• "scui.cpl"="No"
• "wscui.cpl"="No"
– [HKLM\SOFTWARE\HomeAntivirus2010]
• "info"="%current date%"
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HomeAntivirus2010]
• "DisplayName"="Home Antivirus 2010"
• "UninstallString"="%PROGRAM FILES%\HomeAntivirus2010\Uninstall.exe"

The following registry values are changed in [HKLM\SOFTWARE\Microsoft\Security Center], which suppresses the Windows Security Center warnings about a disabled firewall, missing updates and missing antivirus:
• "FirewallDisableNotify": old value dword:00000000, new value dword:00000001
• "UpdatesDisableNotify": old value dword:00000000, new value dword:00000001
• "AntiVirusDisableNotify": old value dword:00000000, new value dword:00000001
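As an added example (not part of this description and not Avira's own tooling), the following script checks an exported Windows registry file (.reg text) for the persistence and Security Center changes listed above. The export format parser and the sample export are constructed here; key paths are written out in full HKEY_* form as they appear in .reg files.

```python
# Indicators taken from the registry section of the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DONT_LOAD_KEY = r"HKEY_CURRENT_USER\Control Panel\don't load"
SEC_CENTER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
NOTIFY_VALUES = {"FirewallDisableNotify", "UpdatesDisableNotify", "AntiVirusDisableNotify"}


def parse_reg_export(text):
    """Minimal .reg parser (hypothetical helper): {key_path: {value_name: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and '"=' in line:
            name, data = line[1:].split('"=', 1)  # strip leading quote, split on closing quote + '='
            keys[current][name] = data
    return keys


def find_indicators(text):
    """Return (category, value_name) pairs matching the behaviour described on this page."""
    keys, hits = parse_reg_export(text), []
    for name, data in keys.get(RUN_KEY, {}).items():
        if "homeantivirus2010" in data.lower():          # Run-key autostart
            hits.append(("run-key persistence", name))
    for name in keys.get(DONT_LOAD_KEY, {}):
        if name.lower() in ("scui.cpl", "wscui.cpl"):     # Security Center applet hidden
            hits.append(("security center applet hidden", name))
    for name, data in keys.get(SEC_CENTER_KEY, {}).items():
        if name in NOTIFY_VALUES and data.lower() == "dword:00000001":
            hits.append(("security center notification disabled", name))
    return hits


# Constructed sample export; one notify value is left at 0 to show it is not flagged.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Home Antivirus 2010"="\"C:\\Program Files\\HomeAntivirus2010\\HomeAntivirus2010.exe\" /hide"

[HKEY_CURRENT_USER\Control Panel\don't load]
"scui.cpl"="No"
"wscui.cpl"="No"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000000
"AntiVirusDisableNotify"=dword:00000001
'''

if __name__ == "__main__":
    for kind, name in find_indicators(SAMPLE_EXPORT):
        print(f"{kind}: {name}")
```

On a live system the same checks can be run against the output of `reg export` for the three keys.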
Description inserted by Mihai Dilimot on Monday, August 10, 2009 Description updated by Mihai Dilimot on Tuesday, August 11, 2009