Full description

Virus:	TR/FakeAV.fmi
Date discovered:	30/07/2010
Type:	Trojan
In the wild:	Yes
Reported Infections:	Low
Distribution Potential:	Low to medium
Damage Potential:	Low to medium
Static file:	Yes
File size:	2.752.512 Bytes
MD5 checksum:	99e2e3c8c2aeb5fe8a572d5a0B45571f
IVDF version:	7.10.09.88 - Wednesday, July 14, 2010

General Method of propagation:
   • No own spreading routine

Aliases:
   • Symantec: Trojan.FakeAV!gen32
   • Kaspersky: Packed.Win32.Katusha.o
   • Sophos: Mal/FakeAV-BW
   • Microsoft: Trojan:Win32/FakeVimes
   • Panda: Adware/SecurityMasterAV
   • PCTools: Trojan.FakeAV
   • Eset: Win32/Kryptik.FMZ
   • AhnLab: Win-Trojan/Fakeav.2752512

Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7
   • Drops files
   • Drops malicious files

Right after execution the following information is displayed:

Files It copies itself to the following locations:
   • c:\%current directory%\SecurityMasterAV.bin
   • %ALLUSERSPROFILE%\Application Data\%randomly chosen directory%\%random character string%.exe

It modifies the following file:
   • %WINDIR%\systems32\drivers\etc\hosts

It deletes the initially executed copy of itself.

The following files are created:

– %HOME%\Recent\%random character string%.dll
– %HOME%\Recent\%random character string%.drv
– %HOME%\Recent\%random character string%.tmp
– %ALLUSERSPROFILE%\Application Data\%randomly chosen directory%\SMAV.ico
– %APPDATA%\Security Master AV\Instructions.ini
– %APPDATA%\Security Master AV\winupdate.exe
– C:\%current directory%\%random character string%.mof
– C:\%current directory%\SMAVSys\%random character string%.bd
– %ALLUSERSPROFILE%\Application Data\%randomly chosen directory%\%random character string%.cfg

Registry One of the following values is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Security Master AV"="\"%ALLUSERSPROFILE%\Application Data\%randomly chosen directory%\%random character string%.exe\" /s /d"

The following registry keys are added:

– [HKCU\Software\Microsoft\Internet Explorer]
   • "IIL"=dword:00000000
   • "ltHI"=dword:00000000
   • "ltTST"=dword:00008e02

– [HKCU\Software\Microsoft\Internet Explorer\BrowserEmulation]
   • "MSCompatibilityMode"=dword:00000000

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options]
   • "Debugger"="svchost.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\a.exe]
   • "Debugger"="svchost.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\aAvgApi.exe]
   • "Debugger"="svchost.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\AAWTray.exe]
   • "Debugger"="svchost.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\adaware.exe]
   • "Debugger"="svchost.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avmailc.exe]
   • "Debugger"="svchost.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\belt.exe]
   • "Debugger"="svchost.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\cfinet.exe]
   • "Debugger"="svchost.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\dcomx.exe]
   • "Debugger"="svchost.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ent.exe]
   • "Debugger"="svchost.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\fch32.exe]
   • "Debugger"="svchost.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\fullsoft.dll]
   • "Debugger"="svchost.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\hbinst.exe]
   • "Debugger"="svchost.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\htmlmm.ocx]
   • "Debugger"="svchost.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\icmon.exe]
   • "Debugger"="svchost.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\keenvalue.exe]
   • "Debugger"="svchost.exe"

– [HKCU\Software\3]
– [HKCR\SecurityMasterAV.DocHostUIHandler\Clsid]
   • @="{3F2BBC05-40DF-11D2-9455-00104BC936FF}"

– [HKCR\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}]
   • @="Implements DocHostUIHandler"

– [HKCR\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32]
   • @="c:\\xxx\\SecurityMasterAV.exe"

– [HKCR\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID]
   • @="SecurityMasterAV.DocHostUIHandler"

– [HKCR\SecurityMasterAV.DocHostUIHandler]
   • @="Implements DocHostUIHandler"

– [HKCU\Software\Microsoft\Internet Explorer\SearchScopes]
   • "URL"="http://findgala.com/?&uid=2129&q={searchTerms}"

The following registry keys are changed:

– [HKCU\Software\Microsoft\Internet Explorer\Download]
   Old value:
   • "CheckExeSignatures"="yes"
   • "RunInvalidSignatures"=dword:00000000
   New value:
   • "CheckExeSignatures"="no"
   • "RunInvalidSignatures"=dword:00000001

Hosts The host file is modified as explained:

– In this case already existing entries remain unmodified.

– Access to the following domains are redirected to other destinations:
   • 74.125.45.100 4-open-davinci.com
   • 74.125.45.100 securitysoftwarepayments.com
   • 74.125.45.100 privatesecuredpayments.com
   • 74.125.45.100 secure.privatesecuredpayments.com
   • 74.125.45.100 getantivirusplusnow.com
   • 74.125.45.100 secure-plus-payments.com
   • 74.125.45.100 www.getantivirusplusnow.com
   • 74.125.45.100 www.secure-plus-payments.com
   • 74.125.45.100 www.getavplusnow.com
   • 74.125.45.100 safebrowsing-cache.google.com
   • 74.125.45.100 urs.microsoft.com
   • 74.125.45.100 www.securesoftwarebill.com
   • 74.125.45.100 secure.paysecuresystem.com
   • 74.125.45.100 paysoftbillsolution.com
   • 74.125.45.100 protected.maxisoftwaremart.com

File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Carlos Valero Llabata on Friday, August 6, 2010
Description updated by Carlos Valero Llabata on Friday, August 6, 2010

Back . . . .

Featured PC protection

Free products

Most popular

All products

Bundled Solutions

Workstation

Server

Bundled Solutions

Mail Gateways

Web Gateways

Collaboration Platforms

Home Products

Business Products

Virus Lab

More Support

Become an Avira Partner

Home Products

Business Products

Just want to evaluate a product?

Manuals and Tools