Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:TR/FakeAV.anm
Date discovered:14/07/2011
Type:Trojan
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:524.288 Bytes
MD5 checksum:88F32B47676BEA874374EE2CDDF5EE5A
VDF version:7.11.11.156 - Thursday, July 14, 2011
IVDF version:7.11.11.156 - Thursday, July 14, 2011

 General Aliases:
   •  TrendMicro: TROJ_VUNDO.SMIB
   •  Sophos: Mal/FakeAV-MQ
     Microsoft: Rogue:Win32/FakeRean


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
    Windows Vista
    Windows 7


Side effects:
   • Drops files
    Falsely reports malware infection or system problems and offers to fix them if the user buys the application.
   • Registry modification


Right after execution the following information is displayed:


 Files It copies itself to the following location:
   • %HOME%\Local Settings\Application Data\%random character string%.exe



It deletes the initially executed copy of itself.

 Registry To each registry key one of the values is added in order to run the processes after reboot:

  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "%random character string%"="%APPDATA%\%random character string%.exe"

  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "ctfmon.exe"="%SYSDIR%\ctfmon.exe"
   • "2806989990"="%HOME%\Local Settings\Application Data\%random character string%.exe"



It creates the following entries in order to bypass the Windows XP firewall:

[HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile]
   • "EnableFirewall"=dword:00000000
   • "DoNotAllowExceptions"=dword:00000000
   • "DisableNotifications"=dword:00000001

[HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\
   FirewallPolicy\DomainProfile]
   • "EnableFirewall"=dword:00000000
   • "DoNotAllowExceptions"=dword:00000000
   • "DisableNotifications"=dword:00000001



The following registry key is added:

[HKCR\.exe\shell\open\command]
   • "(Default)"="\"%HOME%\Local Settings\Application Data\%random character string%.exe\" -a \"%1\" %*"
   • "IsolatedCommand"="\"%1\" %*"

 Miscellaneous Accesses internet resources:
   • **********owonido.com; **********ijeqipif.com;
      **********ulaxavys.com; **********ihylite.com;
      **********yhudesu.com; **********okelara.com;
      **********ekekejepuvo.com; **********osozupuf.com;
      **********tiroda.com; **********uqaroxos.com;
      **********igijito.com; **********omumehyn.com;
      **********inyfybex.com; **********izesax.com;
      **********rosoft.com; **********ihynybihy.com;
      **********yruqyn.com; **********oloquv.com;
      **********arucukom.com; **********akywuseleri.com;
      **********exyposenebi.com; **********yhixasuhu.com;
      **********ijixiwidaz.com; **********ucyvybumyka.com;
      **********ocyril.com; **********igicigisav.com;
      **********hubolype.com; **********urihezoqe.com;
      **********yvasibi.com; **********yraceke.com;
      **********icofez.com; **********olidejypo.com;
      **********uzyrywovaj.com; **********ecikodovi.com;
      **********uhuziqys.com; **********yvagyxut.com;
      **********unider.com; **********ipijuxoj.com;
      **********apehyni.com; **********ysasowebaty.com;
      **********jajyb.com; **********wiguxake.com;
      **********lyxagesop.com; **********rezaba.com;
      **********icefydyn.com; **********ebelywa.com;
      **********ybilyxu.com; **********aziweboxe.com

 File details Programming language:
The malware program was written in MS Visual C++.

Description inserted by Andrei Ilie on Friday, October 7, 2011
Description updated by Andrei Ilie on Monday, October 10, 2011

Back . . . .