Virus: TR/FakeAV.HM.1
Date discovered: 06/08/2010
Type: Trojan
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 2.078.208 Bytes
MD5 checksum: 8ebc07e25eb95adc7236406937728d18
IVDF version: 7.10.10.99 - Friday, August 6, 2010

General Method of propagation:
   • No own spreading routine


Alias:
   • McAfee: FakeAlert-SysAV.a


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Drops malicious files
   • Falsely reports malware infections or system problems and offers to fix them if the user buys the application.
   • Registry modification


Right after execution the following information is displayed:



Files
It copies itself to the following location:
   • %PROGRAM FILES%\Sysinternals Antivirus\Sysinternals Antivirus.exe

The following files are created:
– %HOME%\Desktop\Sysinternals Antivirus.lnk
– %PROGRAM FILES%\svchost.exe
   It is executed after it has been fully created. Further investigation showed that this file is also malware. Detected as: TR/Agent.25600.AA
– %PROGRAM FILES%\wp4.dat
– %PROGRAM FILES%\wp3.dat
– %PROGRAM FILES%\adc_w32.dll
   It is executed after it has been fully created. Further investigation showed that this file is also malware. Detected as: TR/BHO.CK
– %PROGRAM FILES%\alggui.exe
   It is executed after it has been fully created. Further investigation showed that this file is also malware. Detected as: TR/Agent.42496.AA
– %TEMPDIR%\win1.tmp
– %PROGRAM FILES%\nuar.old
– %PROGRAM FILES%\scdata\dbsinit.exe
   It is executed after it has been fully created. Further investigation showed that this file is also malware. Detected as: TR/FakeSC.A

Registry
It registers a browser helper object (BHO) by adding the following key:

– [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{149256D5-E103-4523-BB43-2CFB066839D6}]


The following registry keys are added:

– [HKCU\Software\Sysinternals Antivirus]
– [HKCU\Software\Sysinternals Antivirus\Sysinternals Antivirus]
– [HKCU\Software\Sysinternals Antivirus\Sysinternals Antivirus\setdata]
– [HKCR\CLSID\{149256D5-E103-4523-BB43-2CFB066839D6}]
   • "(Default)"="ADC PlugIn"

– [HKCR\CLSID\{149256D5-E103-4523-BB43-2CFB066839D6}\InprocServer32]
   • "(Default)"="%PROGRAM FILES%\adc_w32.dll"
   • "ThreadingModel"="Apartment"

– [HKCR\exefile\shell\open\command]
   • "(Default)"="%PROGRAM FILES%\alggui.exe "%1" %*"
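The exefile\shell\open\command and BHO entries above are the persistence worth checking for on a suspect host. The following read-only triage script is an added example, not part of this description or of Avira's tooling; it generalises the check to any exefile command hijack and any BHO whose server DLL is missing, unsigned or dropped directly into %PROGRAM FILES%, and assumes an elevated Windows PowerShell session (for HKLM and HKCR reads).

```powershell
# Added triage example for the registry persistence in this description. Read-only: it
# reports findings and changes nothing. Assumes an elevated Windows PowerShell session.

# 1. exefile image hijack. A clean system opens .exe files with exactly "%1" %*;
#    anything else means another program is wrapped around every executable launch.
$exeCmdKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$exeCmd = (Get-ItemProperty -Path $exeCmdKey -ErrorAction SilentlyContinue).'(default)'
if ($exeCmd -ne '"%1" %*') {
    Write-Warning "exefile open command has been modified: $exeCmd"
}

# 2. Browser helper objects. For each registered CLSID, resolve the COM server DLL and
#    flag DLLs that are missing, unsigned, or sitting directly in %PROGRAM FILES% rather
#    than in a vendor subfolder (the placement used by adc_w32.dll in this sample).
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Get-ChildItem -Path $bhoRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid    = $_.PSChildName
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
    $name     = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
    $dll      = (Get-ItemProperty -Path "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    $dllPath  = [Environment]::ExpandEnvironmentVariables("$dll")
    $reasons  = @()
    if (-not $dllPath -or -not (Test-Path -LiteralPath $dllPath)) {
        $reasons += 'server DLL missing'
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $dllPath
        if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
        if ((Split-Path -Parent $dllPath).TrimEnd('\') -ieq $env:ProgramFiles.TrimEnd('\')) {
            $reasons += 'DLL directly under Program Files'
        }
    }
    if ($clsid -ieq '{149256D5-E103-4523-BB43-2CFB066839D6}') { $reasons += 'CLSID listed for TR/FakeAV.HM.1' }
    if ($reasons) {
        Write-Warning ("BHO {0} '{1}' -> {2}: {3}" -f $clsid, $name, $dll, ($reasons -join ', '))
    }
}

# 3. Dropped files and the per-user key listed in this description.
$artifacts = @(
    "$env:ProgramFiles\Sysinternals Antivirus\Sysinternals Antivirus.exe",
    "$env:ProgramFiles\svchost.exe", "$env:ProgramFiles\adc_w32.dll",
    "$env:ProgramFiles\alggui.exe",  "$env:ProgramFiles\scdata\dbsinit.exe",
    "$env:ProgramFiles\wp3.dat",     "$env:ProgramFiles\wp4.dat", "$env:ProgramFiles\nuar.old"
)
$found = @($artifacts | Where-Object { Test-Path -LiteralPath $_ })   # @() keeps it an array for +=
if (Test-Path 'HKCU:\Software\Sysinternals Antivirus') { $found += 'HKCU\Software\Sysinternals Antivirus' }
if ($found) { Write-Warning ("Artifacts present:`n  " + ($found -join "`n  ")) } else { Write-Output 'No listed artifacts found.' }
```

On 64-bit Windows, 32-bit BHOs are registered under the Wow6432Node view of the same paths, so run the BHO loop a second time with that prefix if the host is x64.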

Injection
It injects itself into a process.

Process name:
   • %PROGRAM FILES%\svchost.exe

If the malware fails, it terminates itself.
If the malware succeeds, it displays the following:


Description inserted by Patrick Schoenherr on Friday, August 6, 2010
Description updated by Patrick Schoenherr on Friday, August 6, 2010
