Virus:TR/FakeAV.LBG.1
Date discovered:08/07/2010
Type:Trojan
In the wild:Yes
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Low to medium
Static file:Yes
File size:1.595.392 Bytes
MD5 checksum:7789abbeda92bcfba31e85f897b00f13
IVDF version:7.10.09.45 - Thursday, July 8, 2010

 General Method of propagation:
   • No own spreading routine


Alias:
   •  Eset: Win32/Adware.DesktopDefender2010.AG


Platforms / OS:
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops files
   • Registry modification
   • Can be used by rogue users or malware to lower security settings.
   • Falsely reports malware infections or system problems and offers to fix them if the user buys the application.


Right after execution the following information is displayed:



Files:
It deletes the following file:
   • %TEMPDIR%\qas1.tmp



The following files are created:
   • %TEMPDIR%\02c9c3c35bdx5.exe
   • %TEMPDIR%\17dkf.exe
   • %TEMPDIR%\1iowieoo.exe
   • %TEMPDIR%\2010yo.exe
   • %TEMPDIR%\472a10e2ebxd9.exe
   • %TEMPDIR%\56493.exe
   • %TEMPDIR%\8gmsed-bd.exe
   • %TEMPDIR%\a75wef8e0e7.exe
   • %TEMPDIR%\ae0965a7157cd.exe
   • %TEMPDIR%\al3erfa3.exe
   • %TEMPDIR%\aler3fa.exe
   • %TEMPDIR%\alerfa.exe
   • %TEMPDIR%\alerfa2.exe
   • %TEMPDIR%\alerfa322.exe
   • %TEMPDIR%\aqfitrlxi2.exe
   • %TEMPDIR%\backd-efq.exe
   • %TEMPDIR%\brdss.exe
   • %TEMPDIR%\bzqa43d.exe
   • %TEMPDIR%\cffd4.exe
   • %TEMPDIR%\cocksucker.exe
   • %TEMPDIR%\cosock.exe
   • %TEMPDIR%\cunifuc.exe
   • %TEMPDIR%\dc_3.exe
   • %TEMPDIR%\dd10x10.exe
   • %TEMPDIR%\ddhelp.exe
   • %TEMPDIR%\ddoll3342.exe
   • %TEMPDIR%\destroyer.exe
   • %TEMPDIR%\dffuck.exe
   • %TEMPDIR%\dkfjd93.exe
   • %TEMPDIR%\ds7hw.exe
   • %TEMPDIR%\dwl_bqz.exe
   • %TEMPDIR%\eelnvd13.exe
   • %TEMPDIR%\eephilpe.exe
   • %TEMPDIR%\exppdf_w.exe
   • %TEMPDIR%\fadz43.exe
   • %TEMPDIR%\fe.exe
   • %TEMPDIR%\format.exe
   • %TEMPDIR%\gedx_ae09.exe
   • %TEMPDIR%\gpdfsws_bbg.exe
   • %TEMPDIR%\gpupz2a.exe
   • %TEMPDIR%\hardwh.exe
   • %TEMPDIR%\hhbboll_2.exe
   • %TEMPDIR%\hiphop.exe
   • %TEMPDIR%\hjkgfddd.exe
   • %TEMPDIR%\hodeme.exe
   • %TEMPDIR%\htfad4.exe
   • %TEMPDIR%\hvipws9.exe
   • %TEMPDIR%\jdhellwo3.exe
   • %TEMPDIR%\jkfuckfu.exe
   • %TEMPDIR%\jofcdks.exe
   • %TEMPDIR%\kgn.exe
   • %TEMPDIR%\kilslmd.exex
   • %TEMPDIR%\kjdh_gf_jjdhgd.exe
   • %TEMPDIR%\kjh102k3.exe
   • %TEMPDIR%\kn.a.exe
   • %TEMPDIR%\kock.exe
   • %TEMPDIR%\ljts-23.exe
   • %TEMPDIR%\lkhgg_ea.exe
   • %TEMPDIR%\lols.exe
   • %TEMPDIR%\lorsk.exe
   • %TEMPDIR%\ploper.exe
   • %TEMPDIR%\poertd.exe
   • %TEMPDIR%\ppddfcfux.exxe
   • %TEMPDIR%\pswwg3c.exe
   • %TEMPDIR%\puzpup.exe
   • %TEMPDIR%\qwedvor.exe
   • %TEMPDIR%\qwklrvjhqlkj.exe
   • %TEMPDIR%\r0life.exe
   • %TEMPDIR%\rator.exe
   • %TEMPDIR%\rsrtd12.exe
   • %TEMPDIR%\rtfme.exe
   • %TEMPDIR%\safe.exe
   • %TEMPDIR%\snowif.exe
   • %TEMPDIR%\sycre.exe
   • %TEMPDIR%\test.exe
   • %TEMPDIR%\timem.exe
   • %TEMPDIR%\w32-reno-c.exe
   • %TEMPDIR%\warsddd_w.exe
   • %TEMPDIR%\wefgetn_00.exe
   • %TEMPDIR%\wergfq.exe
   • %TEMPDIR%\winlogoff.exe
   • %TEMPDIR%\wqefqw7e.exe
   • %TEMPDIR%\wrcud12.exe
   • %TEMPDIR%\wrfwe_di.exe
   • %TEMPDIR%\wwwsssgen.exe

Registry:
The following value is added so that the process is started again after a reboot:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Desktop Security 2010"="%malware execution directory%\%executed file%"



The following registry keys are added:

– [HKCU\Software\Desktop Security 2010]
   • "LastTimeStamp"=dword:00000061
   • "LastUpdateDate"="2010/6/17"
   • "DaysInterval"=dword:00000007
   • "BackgroundScanTimeout"=dword:00000001
   • "ScanSystemOnStartup"=dword:00000001
   • "AutomaticallyUpdates"=dword:00000001
   • "MinimizeOnStart"=dword:00000000
   • "BackgroundScan"=dword:00000001
   • "UnsecureStartup"=dword:00000000
   • "SoundEnabled"=dword:00000001
   • "ScanDepth"=dword:0000005e

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
   • "_reg"=
   • "(Default)"="????)IC?D?D"
   • ?

Description inserted by Patrick Schoenherr on Thursday, July 8, 2010
Description updated by Patrick Schoenherr on Thursday, July 8, 2010
