Virus: TR/Fakealert.RJ
Date discovered: 28/04/2010
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
Static file:
File size: 141.824 Bytes
MD5 checksum: 42f99097bb42ebb715507754899bb03e
IVDF version: 7.10.06.230 - Wednesday, April 28, 2010

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: Adware.CWSIEFeats
   •  Kaspersky: Trojan.Win32.FakeAV.mf
   •  F-Secure: Trojan.FakeAV.KYL
   •  Panda: Trj/Downloader.WBX
   •  VirusBuster: Trojan.FakeAV.WS
   •  Eset: Win32/TrojanDownloader.FakeAlert.AWD
   •  Bitdefender: Trojan.FakeAV.KYL


Side effects:
   • Drops a file
   • Registry modification

 Files
It copies itself to the following locations:
   • %PROGRAM FILES%\WinPcap\rpcapdrpcapd.exe
   • %PROGRAM FILES%\Common Files\Microsoft Shared\DW\1028\ErrorDWIntl20.exe
   • %PROGRAM FILES%\Windows NT\Accessories\WindowsOperating.exe
   • %PROGRAM FILES%\NetMeeting\nmash323.exe
   • %PROGRAM FILES%\ProcessGuard\help\DiamondCSWebsite.exe
   • %PROGRAM FILES%\Common Files\Microsoft Shared\DW\2052\ErrorApplication11.0.5510.exe



It deletes the following file:
   • %TEMPDIR%\a1.tmp



The following files are created:
   • %TEMPDIR%\a1.tmp
   • %temporary internet files%\Content.IE5\I1EFMT07\windowsupdate.microsoft[1].htm

 Registry
The following registry keys are added in order to run the processes after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "tr"="c:\\xxx\\tr.exe"
   • "ReportingMicrosoft11.0.5510"="%PROGRAM FILES%\\common files\\microsoft shared\\dw\\1028\\errordwintl20.exe"
   • "Windowswordpad"="%PROGRAM FILES%\\windows nt\\accessories\\windowsoperating.exe"
   • "WinPcaprpcapd4.0.0.755"="%PROGRAM FILES%\\winpcap\\rpcapdrpcapd.exe"
   • "nmchatnmft"="%PROGRAM FILES%\\netmeeting\\nmash323.exe"
   • "DiamondCSWebsite23965"="%PROGRAM FILES%\\processguard\\help\\diamondcswebsite.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   • "tr"="c:\\xxx\\tr.exe"
   • "ReportingReporting"="%PROGRAM FILES%\\common files\\microsoft shared\\dw\\2052\\errorapplication11.0.5510.exe"



The following registry key is added:

– [HKLM\SOFTWARE\Microsoft\MediaPlayer\Setup\Files]

Description inserted by Patrick Schoenherr on Tuesday, July 6, 2010
Description updated by Patrick Schoenherr on Tuesday, July 6, 2010
