Virus:TR/Dldr.FakeAV.AV
Date discovered:21/07/2010
Type:Trojan
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low to medium
Damage Potential:Low to medium
Static file:Yes
File size:15,872 bytes
MD5 checksum:68c601d188463f761e8ca174a5117e40
IVDF version:7.10.09.146 - Wednesday, July 21, 2010

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  F-Secure: Trojan:W32/Alureon.AV
   •  Sophos: Troj/FakeAV-BND
   •  Panda: Adware/DefenseCenter
   •  Eset: Win32/Kryptik.DUK
   •  AhnLab: Trojan/Win32.FakeAV
   •  Authentium: W32/Trojan3.BWF
   •  DrWeb: Trojan.DownLoad1.58681
   •  Ikarus: Win32.Outbreak
   •  Rising: Packer.Win32.Agent.bk


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Downloads a malicious file
   • Drops a file
   • Registry modification

Files:
It deletes the initially executed copy of itself.



The following file is created:

– %ALLUSERSPROFILE%\Favorites\_favdata.dat
   It is executed once it has been fully written. This is a non-malicious text file that contains information about the program itself.



It tries to download a file:

– The location is the following:
   • http://se**********eok
It is saved on the local hard drive as %TEMPDIR%\%random character string%.exe and is executed once the download has completed. Further analysis showed that this file is also malware, detected as: TR/Dropper.Gen

Registry:
The following registry key is changed:

– [HKCU\Printers\Connections]
   New value:
   • affid="396"
   • subid="landing"
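The dropped file, the downloaded executable and the registry values listed in the Files and Registry sections above are the host indicators a responder would check. The script below is an added example written for this page; it is not code from the Avira description or from the sample. The function names, the use of winreg for the registry read, and the dict fallback that lets the registry comparison run on non-Windows systems are the example's own assumptions:

```python
"""Triage helper for the indicators named in this description.

Added example for this page, not code from the Avira write-up or from the
sample itself. It checks the MD5 of a suspect file against the listed hash,
expands and looks for the dropped %ALLUSERSPROFILE%\\Favorites\\_favdata.dat
marker, and compares the affid/subid values under HKCU\\Printers\\Connections.
Registry reads need Windows (winreg); every other check runs anywhere, and
the registry comparison accepts a pre-read dict so it can be exercised too.
"""
import hashlib
import os
import re

KNOWN_MD5 = "68c601d188463f761e8ca174a5117e40"  # from the description above
DROPPED_FILE = r"%ALLUSERSPROFILE%\Favorites\_favdata.dat"
REG_SUBKEY = r"Printers\Connections"             # relative to HKCU
REG_VALUES = {"affid": "396", "subid": "landing"}


def md5_of_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def matches_known_sample(path: str) -> bool:
    """True only for this exact sample; a repacked variant will not match."""
    return md5_of_file(path).lower() == KNOWN_MD5


def expand_win_vars(path: str, env) -> str:
    """Expand %NAME% tokens from `env`; unknown names are left in place.

    os.path.expandvars only understands %NAME% on Windows, so this keeps the
    expansion portable when analysing paths copied from a report offline.
    """
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), path)


def dropped_file_present(env=None) -> bool:
    """Check for the _favdata.dat marker using the given environment mapping."""
    env = os.environ if env is None else env
    return os.path.isfile(expand_win_vars(DROPPED_FILE, env))


def registry_indicator_matches(values) -> bool:
    """True when every listed value is present with exactly the listed data."""
    return all(values.get(name) == data for name, data in REG_VALUES.items())


def read_registry_values():
    """Read affid/subid from HKCU\\Printers\\Connections; {} off Windows or if absent."""
    try:
        import winreg
    except ImportError:
        return {}
    found = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, REG_SUBKEY) as key:
            for name in REG_VALUES:
                try:
                    found[name] = str(winreg.QueryValueEx(key, name)[0])
                except FileNotFoundError:
                    pass  # value not present under the key
    except FileNotFoundError:
        pass  # key itself not present
    return found


def triage(suspect_path=None, env=None, registry_values=None) -> dict:
    """Collect all indicator results; None marks a check that was not run."""
    reg = read_registry_values() if registry_values is None else registry_values
    return {
        "hash_match": matches_known_sample(suspect_path) if suspect_path else None,
        "dropped_file": dropped_file_present(env),
        "registry_marker": registry_indicator_matches(reg),
    }


if __name__ == "__main__":
    import sys
    print(triage(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it on the host as `python triage.py suspect.exe`, or import it and pass a pre-read dict of registry values when working from an exported hive. The MD5 identifies only this exact sample: the description notes the file is runtime-packed, so a repacked build changes the hash while the dropped marker file and the affid/subid values are likely to be the more durable indicators.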

File details:
Runtime packer:
To hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Carlos Valero Llabata on Wednesday, July 21, 2010
Description updated by Carlos Valero Llabata on Wednesday, July 21, 2010
