Virus: TR/FraudPack.azgx
Date discovered: 11/07/2010
Type: Trojan
In the wild: Yes
Reported Infections: Medium to high
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 293.632 Bytes
MD5 checksum: 22238109881991c13518bf79d3f0bf71
IVDF version: 7.10.09.57 - Sunday, July 11, 2010

General method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: SpywareGuard2008
   •  Mcafee: FakeAlert-SpyPro.gen.p
   •  Kaspersky: Trojan.Win32.FraudPack.azgx
   •  TrendMicro: TROJ_FAKEAV.SMES
   •  F-Secure: Trojan.Generic.KD.19444
   •  Sophos: Mal/FakeAV-DO
   •  Bitdefender: Trojan.Generic.KD.19444
   •  Panda: Trj/CI.A


Platforms / OS:
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Blocks access to certain websites
   • Blocks access to security websites
   • Lowers security settings
   • Falsely reports malware infections or system problems and offers to fix them if the user buys the application.
   • Registry modification
   • Redirects to an infected website


Right after execution the following information is displayed:


Files
It copies itself to the following location:
   • %HOME%\Local Settings\Application Data\%randomly chosen directory%\%random character string%.exe

Registry
The following registry keys are added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "%random character string%"="%HOME%\Local Settings\Application Data\%randomly chosen directory%\%random character string%.exe"

– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   • "%random character string%"="%HOME%\Local Settings\Application Data\%randomly chosen directory%\%random character string%.exe"



The following registry keys are added:

– [HKCU\Software\AVSS]
   • "knkd"=dword:00000001
   • "aazalirt"=dword:00000001
   • "skaaanret"=dword:00000001
   • "jungertab"=dword:00000001
   • "zibaglertz"=dword:00000001
   • "iddqdops"=dword:00000001
   • "ronitfst"=dword:00000001
   • "tobmygers"=dword:00000001
   • "jikglond"=dword:00000001
   • "tobykke"=dword:00000001
   • "klopnidret"=dword:00000001
   • "jiklagka"=dword:00000001
   • "salrtybek"=dword:00000001
   • "seeukluba"=dword:00000001
   • "jrjakdsd"=dword:00000001
   • "krkdkdkee"=dword:00000001
   • "dkewiizkjdks"=dword:00000001
   • "dkekkrkska"=dword:00000001
   • "rkaskssd"=dword:00000001
   • "kuruhccdsdd"=dword:00000001
   • "krujmmwlrra"=dword:00000001
   • "kkwknrbsggeg"=dword:00000001
   • "ktknamwerr"=dword:00000001
   • "iqmcnoeqz"=dword:00000001
   • "ienotas"=dword:00000001
   • "krkmahejdk"=dword:00000001
   • "otpeppggq"=dword:00000001
   • "krtawefg"=dword:00000001
   • "oranerkka"=dword:00000001
   • "kitiiwhaas"=dword:00000001
   • "otowjdseww"=dword:00000001
   • "otnnbektre"=dword:00000001
   • "oropbbsee"=dword:00000001
   • "irprokwks"=dword:00000001
   • "ooorjaas"=dword:00000001
   • "id"="70.10"

– [HKCU\Software\AVSuitE]
– [HKLM\Software\AVSuitE]
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
   • "SaveZoneInformation"=dword:00000001

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
   • "LowRiskFileTypes"=".exe"

– [HKLM\Software\AVSS]


The following registry keys are changed:

Lowers Internet Explorer security settings and hijacks the system proxy:

– [HKCU\Software\Microsoft\Internet Explorer\Download]
   New value:
   • "CheckExeSignatures"="no"
   • "RunInvalidSignatures"=dword:00000001

– [HKCU\Software\Microsoft\Internet Explorer\PhishingFilter]
   New value:
   • "EnabledV8"=dword:00000000
   • "Enabled"=dword:00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
   Old value:
   • "ProxyEnable"=dword:00000000
   New value:
   • "ProxyEnable"=dword:00000001
   • "ProxyServer"="http=127.0.0.1:5577"
   • "ProxyOverride"=""
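As an added triage example (not part of the original description), the following script parses a registry export in .reg format and flags the Internet Explorer settings, the local proxy hijack and the AVSS/AVSuitE marker keys listed above; the sample export embedded in it is constructed, not captured from an infected host.

```python
import re
# Registry indicators from the description above: (path below the hive, value name) -> data written
INDICATORS = {
    (r"software\microsoft\internet explorer\download", "checkexesignatures"): "no",
    (r"software\microsoft\internet explorer\download", "runinvalidsignatures"): 1,
    (r"software\microsoft\windows\currentversion\internet settings", "proxyenable"): 1,
    (r"software\microsoft\windows\currentversion\internet settings", "proxyserver"): "http=127.0.0.1:5577",
}
MARKER_KEYS = {r"software\avss", r"software\avsuite"}  # keys the trojan creates under HKCU and HKLM
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # one "name"=data line of a .reg file

def parse_reg(text):  # .reg export -> {key: {value_name: data}}; dword -> int, REG_SZ unescaped
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue  # header, blank line, comment, or a value type not modelled here
        name, data = m.groups()
        if data.startswith("dword:"):
            data = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        current[name] = data
    return keys

def find_indicators(keys):  # -> [(key, value_name, data)]; value_name is None for a marker key
    hits = []
    for key, values in keys.items():
        sub = key.split("\\", 1)[-1].lower()  # drop the HKEY_CURRENT_USER / HKCU prefix; registry is case-insensitive
        if sub in MARKER_KEYS:
            hits.append((key, None, None))
        for name, data in values.items():
            expected = INDICATORS.get((sub, name.lower()))
            if expected is not None and data == expected:
                hits.append((key, name, data))
    return hits

# Constructed sample export (not from the page): proxy hijack, one lowered IE setting and a marker key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:5577"
[HKEY_CURRENT_USER\Software\AVSS]
"id"="70.10"
'''
```

On a live system, export the keys with `reg export` and feed the file to `parse_reg`; the value names and paths are compared case-insensitively, as the registry does.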

File details
Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Patrick Schoenherr on Tuesday, July 13, 2010
Description updated by Patrick Schoenherr on Thursday, July 15, 2010
