Virus:TR/Hosts.AQ.1
Date discovered:09/08/2010
Type:Trojan
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low to medium
Damage Potential:Medium to high
Static file:Yes
File size:2.724.864 Bytes
MD5 checksum:575cb9dd8434d2e074ba24a63ac51b25
IVDF version:7.10.10.121 - Monday, August 9, 2010

General method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan-Downloader.Win32.Agent.efqa
   •  Sophos: Mal/FakeAV-EA
   •  Avast: Win32:Crypt-HFP
   •  Microsoft: Trojan:Win32/FakeVimes
   •  Panda: Adware/MySecurityShield
   •  Eset: Win32/Kryptik.FWJ
   •  GData: Win32:Crypt-HFP
   •  AhnLab: Win-Trojan/Fakeav.2724864
   •  DrWeb: Trojan.FakeSecure.15
   •  Ikarus: Trojan.Win32.FakeVimes


Platforms / OS:
   • Windows 98
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows Vista
   • Windows 7


Side effects:
   • Drops a file
   • Drops malicious files
   • Infects files
   • Lowers security settings
   • Registry modification


Right after execution the following information is displayed:


Files
It modifies the following file:
   • %SYSDIR%\drivers\etc\hosts



It copies the following file:
   • %SYSDIR%\drivers\etc\hosts into %SYSDIR%\drivers\etc\hosts_new



It deletes the initially executed copy of itself.



The following files are created:
   • %ALLUSERSPROFILE%\Application Data\%randomly chosen directory%\%random character string%.cfg
     Furthermore, it gets executed after it was fully created. This is a non-malicious text file that contains information about the program itself.
   • %SYSDIR%\drivers\etc\hosts_new

Registry
The following registry key is changed:

– [HKCU\Software\Microsoft\Internet Explorer]
   New value:
   • "IIL"=-
   • "ltHI"=-
   • "ltTST"=-
   • "PRS"=-
   • "BID"=-

Hosts
The hosts file is modified as follows:

– Already existing entries remain unmodified.

– Access to the following domains is redirected to other destinations:
   • 74.125.45.100 4-open-davinci.com
   • 74.125.45.100 securitysoftwarepayments.com
   • 74.125.45.100 privatesecuredpayments.com
   • 74.125.45.100 secure.privatesecuredpayments.com
   • 74.125.45.100 getantivirusplusnow.com
   • 74.125.45.100 secure-plus-payments.com
   • 74.125.45.100 www.getantivirusplusnow.com
   • 74.125.45.100 www.secure-plus-payments.com


File details
Programming language:
The malware program was written in Delphi.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Carlos Valero Llabata on Friday, August 13, 2010
Description updated by Carlos Valero Llabata on Friday, August 13, 2010
