Name: TR/Dldr.FraudLo.sxm
Discovered on: 13/07/2009
Type: Security/privacy risk
ITW: Yes
Number of reported infections: Low
Spreading potential: Low
Damage potential: Low
Static file: No
VDF version: 7.01.04.223

General
Method of propagation:
• Has no propagation routine of its own
Aliases:
• Kaspersky: Trojan-Downloader.Win32.FraudLoad.wner
• F-Secure: Trojan-Downloader.Win32.FraudLoad.wner
• Eset: Win32/Kryptik.AAL
Operating systems:
• Windows XP
Side effects:
• Downloads malicious files
• Registry modifications
Immediately after execution, a window is displayed on screen (screenshot not reproduced on this page).

Files
It copies itself to the following location:
• %program files%\HomeAntivirus2010\Uninstall.exe
The following files are created:
– Non-malicious files:
• %program files%\HomeAntivirus2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
• %program files%\HomeAntivirus2010\Microsoft.VC80.CRT\msvcm80.dll
• %program files%\HomeAntivirus2010\Microsoft.VC80.CRT\msvcp80.dll
• %program files%\HomeAntivirus2010\Microsoft.VC80.CRT\msvcr80.dll
• %program files%\HomeAntivirus2010\data\daily.cvd
• %program files%\HomeAntivirus2010\pthreadVC2.dll
• %program files%\HomeAntivirus2010\htmlayout.dll
• %randomly chosen directory%\%random words%
– Temporary files that can be deleted afterwards:
• %tempdir%\prm%number%
• %tempdir%\wr%number%
• %tempdir%\clamav-%32 random hexa numbers%\daily.db
• %tempdir%\clamav-%32 random hexa numbers%\daily.hdb
• %tempdir%\clamav-%32 random hexa numbers%\daily.hdu
• %tempdir%\clamav-%32 random hexa numbers%\daily.mdb
• %tempdir%\clamav-%32 random hexa numbers%\daily.ndb
• %tempdir%\clamav-%32 random hexa numbers%\daily.wdb
• %tempdir%\clamav-%32 random hexa numbers%\daily.pdb
• %tempdir%\clamav-%32 random hexa numbers%\daily.cfg
• %tempdir%\clamav-%32 random hexa numbers%\daily.fp
• %tempdir%\clamav-%32 random hexa numbers%\daily.zmd
• %tempdir%\clamav-%32 random hexa numbers%\daily.mdu
• %tempdir%\clamav-%32 random hexa numbers%\daily.ndu
• %tempdir%\clamav-%32 random hexa numbers%\daily.info
– %program files%\HomeAntivirus2010\HomeAntivirus2010.exe
The file is executed after it has been created.
Detected as: TR/Dldr.FraudLo.sxm
– %program files%\HomeAntivirus2010\AVEngn.dll
Detected as: TR/Dldr.FraudLo.sxm
– %program files%\HomeAntivirus2010\wscui.cpl
Detected as: TR/Dldr.FraudLo.sxm
– %systemdir%\_scui.cpl
Detected as: TR/Dldr.FraudLo.sxm

It tries to download several files:
– The address is the following:
• http://user:@bugermanosatora.com/files/ha21/Binaries1.cab
The file is stored on the hard disk at: %temporary internet files%
– The address is the following:
• http://user:************@bugermanosatora.com/files/BinariesAVE.cab
The file is stored on the hard disk at: %temporary internet files%
– The address is the following:
• http://user:************@bugermanosatora.com/files/BinariesAdd.cab
The file is stored on the hard disk at: %temporary internet files%
– The address is the following:
• http://user:************@bugermanosatora.com/files/ha21/BinariesGUI.cab
The file is stored on the hard disk at: %temporary internet files%
– The address is the following:
• http://user:************@bugermanosatora.com/files/BinariesSC.cab
The file is stored on the hard disk at: %temporary internet files%
– The address is the following:
• http://user:************@bugermanosatora.com/files/BinariesUpd.cab
The file is stored on the hard disk at: %temporary internet files%

System registry
The following key is added to the registry in order to run the process after a system restart:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "Home Antivirus 2010"="\"%PROGRAM FILES%\HomeAntivirus2010\HomeAntivirus2010.exe\" /hide"
The following keys are added to the system registry:
– [HKCU\Control Panel\don't load]
• "scui.cpl"="No"
• "wscui.cpl"="No"
– [HKLM\SOFTWARE\HomeAntivirus2010]
• "info"="%current date% "
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HomeAntivirus2010]
• "DisplayName"="Home Antivirus 2010"
• "UninstallString"="%PROGRAM FILES%\HomeAntivirus2010\Uninstall.exe"
– [HKLM\SOFTWARE\Microsoft\Security Center]
Old value:
• "FirewallDisableNotify"=dword:00000000
New value:
• "FirewallDisableNotify"=dword:00000001
– [HKLM\SOFTWARE\Microsoft\Security Center]
Old value:
• "UpdatesDisableNotify"=dword:00000000
New value:
• "UpdatesDisableNotify"=dword:00000001
– [HKLM\SOFTWARE\Microsoft\Security Center]
Old value:
• "AntiVirusDisableNotify"=dword:00000000
New value:
• "AntiVirusDisableNotify"=dword:00000001
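As an added defender-side example (not part of the Avira description above), the following Python script parses a Windows .reg export and flags the three registry changes this description lists: the Run-key persistence entry, the suppressed Security Center applets under "don't load", and the Security Center notification switches set to 1. The sample export is constructed and uses full HKEY_... key names and a C:\Program Files path as an assumption.

```python
import re

# Indicators taken from the description above: Security Center notification
# switches, Control Panel applet suppression and the Run-key persistence entry.
SECURITY_CENTER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
NOTIFY_VALUES = {"FirewallDisableNotify", "UpdatesDisableNotify", "AntiVirusDisableNotify"}
DONT_LOAD = r"HKEY_CURRENT_USER\Control Panel\don't load"
HIDDEN_APPLETS = {"scui.cpl", "wscui.cpl"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

def parse_reg(text):
    # Parse .reg export lines into {key_path: {value_name: raw_data}}.
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys

def find_indicators(text):
    # Return one human-readable hit per modification matching the description.
    keys, hits = parse_reg(text), []
    for name, raw in keys.get(SECURITY_CENTER, {}).items():
        if name in NOTIFY_VALUES and raw.lower() == "dword:00000001":
            hits.append(f"Security Center notification disabled: {name}")
    for name, raw in keys.get(DONT_LOAD, {}).items():
        if name.lower() in HIDDEN_APPLETS and raw.strip('"').lower() == "no":
            hits.append(f"Control Panel applet hidden: {name}")
    for name, raw in keys.get(RUN_KEY, {}).items():
        if "homeantivirus2010" in raw.lower():
            hits.append(f"Run-key persistence: {name} -> {raw}")
    return hits

# Constructed sample export mirroring the registry changes listed above
# (AntiVirusDisableNotify is left at 0 to show a value that is not flagged).
SAMPLE_EXPORT = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Home Antivirus 2010"="\"C:\\Program Files\\HomeAntivirus2010\\HomeAntivirus2010.exe\" /hide"
[HKEY_CURRENT_USER\Control Panel\don't load]
"scui.cpl"="No"
"wscui.cpl"="No"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000000
'''
```

Run it against a real export produced with `reg export` to obtain the same hit list for a live machine.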
Description inserted by Mihai Dilimot on Monday, August 10, 2009 Description updated by Mihai Dilimot on Tuesday, August 11, 2009