TR/Dldr.FraudLo.sxm - Trojan
Virus: TR/Dldr.FraudLo.sxm
Date discovered: 13/07/2009
Type: Security Privacy Risk
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
Static file: No
VDF version: 7.01.04.223 - Tue, 14 Jul 2009 11:04 (GMT+1)
General
Method of propagation:
• No own spreading routine
Aliases:
• Kaspersky: Trojan-Downloader.Win32.FraudLoad.wner
• F-Secure: Trojan-Downloader.Win32.FraudLoad.wner
• Eset: Win32/Kryptik.AAL
Platform / OS:
• Windows XP
Side effects:
• Downloads malicious files
• Registry modification
Right after execution the following information is displayed:
Files
It copies itself to the following location:
• %program files%\HomeAntivirus2010\Uninstall.exe
The following files are created:
– Non malicious files:
• %program files%\HomeAntivirus2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
• %program files%\HomeAntivirus2010\Microsoft.VC80.CRT\msvcm80.dll
• %program files%\HomeAntivirus2010\Microsoft.VC80.CRT\msvcp80.dll
• %program files%\HomeAntivirus2010\Microsoft.VC80.CRT\msvcr80.dll
• %program files%\HomeAntivirus2010\data\daily.cvd
• %program files%\HomeAntivirus2010\pthreadVC2.dll
• %program files%\HomeAntivirus2010\htmlayout.dll
• %randomly chosen directory%\%random words%
– Temporary files that might be deleted afterwards:
• %tempdir%\prm%number%
• %tempdir%\wr%number%
• %tempdir%\clamav-%32 random hexa numbers%\daily.db
• %tempdir%\clamav-%32 random hexa numbers%\daily.hdb
• %tempdir%\clamav-%32 random hexa numbers%\daily.hdu
• %tempdir%\clamav-%32 random hexa numbers%\daily.mdb
• %tempdir%\clamav-%32 random hexa numbers%\daily.ndb
• %tempdir%\clamav-%32 random hexa numbers%\daily.wdb
• %tempdir%\clamav-%32 random hexa numbers%\daily.pdb
• %tempdir%\clamav-%32 random hexa numbers%\daily.cfg
• %tempdir%\clamav-%32 random hexa numbers%\daily.fp
• %tempdir%\clamav-%32 random hexa numbers%\daily.zmd
• %tempdir%\clamav-%32 random hexa numbers%\daily.mdu
• %tempdir%\clamav-%32 random hexa numbers%\daily.ndu
• %tempdir%\clamav-%32 random hexa numbers%\daily.info
– %program files%\HomeAntivirus2010\HomeAntivirus2010.exe (executed once it has been fully written). Detected as: TR/Dldr.FraudLo.sxm
– %program files%\HomeAntivirus2010\AVEngn.dll Detected as: TR/Dldr.FraudLo.sxm
– %program files%\HomeAntivirus2010\wscui.cpl Detected as: TR/Dldr.FraudLo.sxm
– %systemdir%\_scui.cpl Detected as: TR/Dldr.FraudLo.sxm
It tries to download some files:
– The location is the following:
• http://user:@bugermanosatora.com/files/ha21/Binaries1.cab
It is saved on the local hard drive under:
%temporary internet files%
– The location is the following:
• http://user:************@bugermanosatora.com/files/BinariesAVE.cab
It is saved on the local hard drive under:
%temporary internet files%
– The location is the following:
• http://user:************@bugermanosatora.com/files/BinariesAdd.cab
It is saved on the local hard drive under:
%temporary internet files%
– The location is the following:
• http://user:************@bugermanosatora.com/files/ha21/BinariesGUI.cab
It is saved on the local hard drive under:
%temporary internet files%
– The location is the following:
• http://user:************@bugermanosatora.com/files/BinariesSC.cab
It is saved on the local hard drive under:
%temporary internet files%
– The location is the following:
• http://user:************@bugermanosatora.com/files/BinariesUpd.cab
It is saved on the local hard drive under:
%temporary internet files%
Registry
The following registry key is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "Home Antivirus 2010"="\"%PROGRAM FILES%\HomeAntivirus2010\HomeAntivirus2010.exe\" /hide"
The following registry keys are added:
– [HKCU\Control Panel\don't load]
• "scui.cpl"="No"
• "wscui.cpl"="No"
– [HKLM\SOFTWARE\HomeAntivirus2010]
• "info"="%current date%"
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HomeAntivirus2010]
• "DisplayName"="Home Antivirus 2010"
• "UninstallString"="%PROGRAM FILES%\HomeAntivirus2010\Uninstall.exe"
The following registry values are changed (this silences the Windows Security Center warnings about a disabled firewall, missing updates and missing antivirus):
– [HKLM\SOFTWARE\Microsoft\Security Center]
Old value:
• "FirewallDisableNotify"=dword:00000000
• "UpdatesDisableNotify"=dword:00000000
• "AntiVirusDisableNotify"=dword:00000000
New value:
• "FirewallDisableNotify"=dword:00000001
• "UpdatesDisableNotify"=dword:00000001
• "AntiVirusDisableNotify"=dword:00000001
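A read-only audit script, added here as an example and not part of Avira's description or tooling, that checks a host for the registry and file indicators listed in this description. It assumes that %program files% maps to $env:ProgramFiles and %systemdir% to $env:SystemRoot\system32 (both assumptions, correct for the 32-bit Windows XP named above); it changes nothing, so it can be used for triage before cleanup with an up-to-date scanner.

```powershell
# Added example (not Avira's own code): read-only check for the indicators
# listed in the TR/Dldr.FraudLo.sxm description. Registry paths and file
# names come from the description; the %program files% and %systemdir%
# expansions below are assumptions.
$findings = @()

# Persistence: Run key value named "Home Antivirus 2010"
$run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Home Antivirus 2010']) {
    $findings += "Run key entry: $($run.'Home Antivirus 2010')"
}

# Control Panel applets hidden so the real Security Center UI cannot be opened
$dontLoad = Get-ItemProperty -Path "HKCU:\Control Panel\don't load" -ErrorAction SilentlyContinue
foreach ($applet in 'scui.cpl', 'wscui.cpl') {
    if ($dontLoad -and $dontLoad.PSObject.Properties[$applet]) {
        $findings += "Hidden Control Panel applet: $applet = $($dontLoad.$applet)"
    }
}

# Security Center notifications switched off (dword 1 = notification disabled)
$sc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
foreach ($name in 'FirewallDisableNotify', 'UpdatesDisableNotify', 'AntiVirusDisableNotify') {
    if ($sc -and $sc.PSObject.Properties[$name] -and $sc.$name -eq 1) {
        $findings += "Security Center notification disabled: $name"
    }
}

# Marker key and fake uninstall entry written by the installer
foreach ($key in 'HKLM:\SOFTWARE\HomeAntivirus2010',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HomeAntivirus2010') {
    if (Test-Path -LiteralPath $key) { $findings += "Registry key present: $key" }
}

# Dropped files: the detected components under %program files% and the
# renamed applet copied to %systemdir% (assumed to be %SystemRoot%\system32)
$paths = @(
    (Join-Path $env:ProgramFiles 'HomeAntivirus2010\HomeAntivirus2010.exe'),
    (Join-Path $env:ProgramFiles 'HomeAntivirus2010\AVEngn.dll'),
    (Join-Path $env:ProgramFiles 'HomeAntivirus2010\wscui.cpl'),
    (Join-Path $env:ProgramFiles 'HomeAntivirus2010\Uninstall.exe'),
    (Join-Path $env:SystemRoot 'system32\_scui.cpl')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

if ($findings.Count -eq 0) {
    'No indicators from the TR/Dldr.FraudLo.sxm description were found.'
} else {
    $findings | ForEach-Object { "[FINDING] $_" }
}
```

Run it from an elevated PowerShell prompt so that the HKLM keys are readable; a host that reports the three DisableNotify values as 1 together with the hidden wscui.cpl applet should be treated as compromised even if the dropped files have already been removed, since the notification settings do not revert on their own.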
See a brief description here.
Description inserted by Mihai Dilimot on Mon, 10 Aug 2009 13:05 (GMT+1)
Description updated by Mihai Dilimot on Tue, 11 Aug 2009 09:43 (GMT+1)
© 2009 Avira GmbH