Virus: TR/FakeAV.oke
Date discovered: 06/12/2011
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 445.576 Bytes
MD5 checksum: 7a14060028698e2a2c5c64eb262c6868
VDF version: 7.11.19.02 - Tuesday, December 6, 2011
IVDF version: 7.11.19.02 - Tuesday, December 6, 2011

General

Method of propagation:
• No own spreading routine

Aliases:
• Kaspersky: Trojan.Win32.Jorik.Fraud.jor
• Eset: Win32/Kryptik.WTQ

Platforms / OS:
• Windows XP
• Windows 2003
• Windows Vista
• Windows Server 2008
• Windows 7

Side effects:
• Downloads a file
• Downloads a malicious file
• Falsely reports malware infection or system problems and offers to fix them if the user buys the application.
• Registry modification

Right after execution the following information is displayed:

Files

It copies itself to the following location:
• %APPDATA%\gPtgkqBGrot.exe
Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too.

It tries to download a file:
– The location is the following:
• http://danelubinnalas.com/?ylO**********
It is saved on the local hard drive under: %TEMPDIR%\%random character string%.exe
Further investigation pointed out that this file is malware, too. Detected as: TR/Crypt.XPACK.Gen

Registry

The following registry keys are added:
– [HKCU\Control Panel]
• "nsreg"="dword:0x4ee4fbe1"
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
• "Start_ShowControlPanel"="dword:0x00000000"
• "Start_ShowHelp"="dword:0x00000000"
• "Start_ShowMyComputer"="dword:0x00000000"
• "Start_ShowMyDocs"="dword:0x00000000"
• "Start_ShowMyGames"="dword:0x00000000"
• "Start_ShowMyMusic"="dword:0x00000000"
• "Start_ShowMyPics"="dword:0x00000000"
• "Start_ShowNetConn"="dword:0x00000000"
• "Start_ShowNetPlaces"="dword:0x00000000"
• "Start_ShowPrinters"="dword:0x00000000"
• "Start_ShowRecentDocs"="dword:0x00000000"
• "Start_ShowRun"="dword:0x00000000"
• "Start_ShowSearch"="dword:0x00000000"
• "Start_ShowSetProgramAccessAndDefaults"="dword:0x00000000"
• "Start_ShowUser"="dword:0x00000000"
• "TaskbarGlomLevel"="dword:0x00000002"
• "TaskbarGlomming"="dword:0x00000000"
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer]
• "EnableAutoTray"="dword:0x00000000"
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband]
• ""=""
• "_Favorites"=""
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
• ""=""
• "HidNoChangingWallPaperden"="dword:0x00000001"
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
• ""=""
• "LowRiskFileTypess"=".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;"
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
• ""=""
• "SaveZoneInformation"="dword:0x00000001"
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
• "NoDesktop"="dword:0x00000001"
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
• ""=""
• "DisableTaskMgr"="dword:0x00000001"
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
• "DisableTaskMgr"="dword:0x00000001"
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "gPtgkqBGrot.exe"="C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\gPtgkqBGrot.exe"
– [HKEY_USERS\S-1-5-21-606747145-1647877149-1801674531-500\Control Panel]
• "5761b2dc-ce77-4bfa-b965-6f33b1867cf2"=""
• "7f6b3266-31c5-43a8-9547-e7911ad6fb33"=""
• "nsreg"="dword:0x4ee4fbe1"
– [HKEY_USERS\S-1-5-21-606747145-1647877149-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
• "Start_ShowControlPanel"="dword:0x00000000"
• "Start_ShowHelp"="dword:0x00000000"
• "Start_ShowMyComputer"="dword:0x00000000"
• "Start_ShowMyDocs"="dword:0x00000000"
• "Start_ShowMyGames"="dword:0x00000000"
• "Start_ShowMyMusic"="dword:0x00000000"
• "Start_ShowMyPics"="dword:0x00000000"
• "Start_ShowNetConn"="dword:0x00000000"
• "Start_ShowNetPlaces"="dword:0x00000000"
• "Start_ShowPrinters"="dword:0x00000000"
• "Start_ShowRecentDocs"="dword:0x00000000"
• "Start_ShowRun"="dword:0x00000000"
• "Start_ShowSearch"="dword:0x00000000"
• "Start_ShowSetProgramAccessAndDefaults"="dword:0x00000000"
• "Start_ShowUser"="dword:0x00000000"
• "TaskbarGlomLevel"="dword:0x00000002"
• "TaskbarGlomming"="dword:0x00000000"
– [HKEY_USERS\S-1-5-21-606747145-1647877149-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Explorer]
• "EnableAutoTray"="dword:0x00000000"
– [HKEY_USERS\S-1-5-21-606747145-1647877149-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband]
• ""=""
• "_Favorites"=""
– [HKEY_USERS\S-1-5-21-606747145-1647877149-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
• ""=""
• "HidNoChangingWallPaperden"="dword:0x00000001"
– [HKEY_USERS\S-1-5-21-606747145-1647877149-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
• ""=""
• "LowRiskFileTypess"=".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;"
– [HKEY_USERS\S-1-5-21-606747145-1647877149-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
• ""=""
• "SaveZoneInformation"="dword:0x00000001"
– [HKEY_USERS\S-1-5-21-606747145-1647877149-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
• "NoDesktop"="dword:0x00000001"
– [HKEY_USERS\S-1-5-21-606747145-1647877149-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Policies\System]
• ""=""
• "DisableTaskMgr"="dword:0x00000001"

The following registry keys are changed:
– [HKCU\Software\Microsoft\Internet Explorer\Download]
Old value:
• "CheckExeSignatures"="yes"
New value:
• "CheckExeSignatures"="no"
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
Old value:
• "Hidden"="dword:0x00000001"
New value:
• "Hidden"="dword:0x00000000"
– [HKEY_USERS\S-1-5-21-606747145-1647877149-1801674531-500\Software\Microsoft\Internet Explorer\Download]
Old value:
• "CheckExeSignatures"="yes"
New value:
• "CheckExeSignatures"="no"
– [HKEY_USERS\S-1-5-21-606747145-1647877149-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
Old value:
• "Hidden"="dword:0x00000001"
New value:
• "Hidden"="dword:0x00000000"
New value:
• "Order"="hex:08,00,00,00,02,00,00,00,0c,00,00,00,01,00,00,00,00,00,00,00"
Old value:
• "Favorites"="hex:00,16,00,00,00,14,00,1f,80,f4,a1,59,25,d7,21,d4,11,bd,af,00,c0,\
  ,4f,60,b9,f0,00,00,00,16,00,00,00,14,00,1f,80,f5,a1,59,25,d7,\
  ,21,d4,11,bd,af,00,c0,4f,60,b9,f0,00,00,ff"
– [HKEY_USERS\S-1-5-21-606747145-1647877149-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage]
Old value:
• "StartMenu_Balloon_Time"="hex:3a,3c,36,65,63,bd,cb,01"
New value:
• "StartMenu_Balloon_Time"="hex:68,b1,42,69,36,b8,cc,01"

Process termination

The following process is terminated:
• %all running processes%

Miscellaneous

Accesses internet resources:
• http://stepinstoneuse.com/**********.php?0Q9**********
• http://danelubinnalas.com/?ylO**********

File details

Programming language: The malware program was written in MS Visual C++.
Description inserted by Martin Muench on Friday, December 9, 2011
Description updated by Martin Muench on Tuesday, December 20, 2011