Virus:TR/FakeAV.LBQ
Date discovered:19/07/2010
Type:Trojan
In the wild:Yes
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:45.568 Bytes
MD5 checksum:d7c2473852f25cc0a06094d9e9130Fac
IVDF version:7.10.09.110 - Monday, July 19, 2010

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Backdoor.Win32.TDSS.ur
   •  F-Secure: Trojan.FakeAV.LBQ
   •  Sophos: Mal/TDSSPk-AD
   •  Bitdefender: Trojan.FakeAV.LBQ
   •  Microsoft: Trojan:Win32/Meredrop
   •  AVG: Agent2.AZMO
   •  VirusBuster: Trojan.Meredrop.ABKU
   •  Eset: Win32/Olmarik.ABS
   •  Sunbelt: Trojan.Win32.Meredrop
   •  GData: Trojan.FakeAV.LBQ
   •  AhnLab: Backdoor/Win32.TDSS
   •  DrWeb: Trojan.PWS.IpDiscover.17
   •  Ikarus: Trojan.Win32.Meredrop


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Drops malicious files
   • Registry modification
   • Redirects to an infected website

 Files It copies itself to the following location:
   • %APPDATA%\b3bfd04c.exe



The following files are created:

%SYSDIR%\spool\prtprocs\w32x86\17wSKU.dll Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: TR/FakeAV.LBQ

%WINDIR%\Tasks\b3bfd04c.job
%SYSDIR%\ernel32.dll Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: TR/FakeAV.LBQ

 Registry The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Security Center]
   Old value:
   • "UacDisableNotify"=dword:00000000
   New value:
   • "UacDisableNotify"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
   Old value:
   • "NameServer"="%IP address%"
   • "DhcpNameServer"="%IP address%"
   New value:
   • "NameServer"="93.188.163.235,93.188.166.215"
   • "DhcpNameServer"="93.188.163.235,93.188.166.215"

– [HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
   %CLSID%
   Old value:
   • "NameServer"="%IP address%"
   • "DhcpNameServer"="%IP address%"
   New value:
   • "NameServer"="93.188.163.235,93.188.166.215"
   • "DhcpNameServer"="93.188.163.235,93.188.166.215"

 Injection – It injects itself into processes.

    All of the following processes:
   • spoolsv.exe
   • svchost.exe


Description inserted by Patrick Schoenherr on Monday, July 26, 2010
Description updated by Patrick Schoenherr on Monday, July 26, 2010

Back . . . .