Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:TR/FakeSysdef.A.873
Date discovered:25/05/2011
Type:Trojan
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:478.720 Bytes
MD5 checksum:5AA0177803695290BCA22BCE79802845
VDF version:7.11.08.127 - Wednesday, May 25, 2011
IVDF version:7.11.08.127 - Wednesday, May 25, 2011

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  TrendMicro: TROJ_KRYPTO.SMIN
   •  Sophos: Mal/FakeAV-LS
   •  Microsoft: Trojan:Win32/FakeSysdef


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7


Side effects:
   • Drops files
   • Falsely reports malware infection or system problems and offers to fix them if the user buys the application.
   • Lowers security settings
   • Registry modification
   • Pricetrap function - user is fooled into making a costly subscription


Right after execution the following information is displayed:





 Files It copies itself to the following location:
   • %ALLUSERSPROFILE%\Application Data\%random character string%.exe



It renames the following files:

    •  %ALLUSERSPROFILE%\Start Menu\%all subdirectories% into %TEMPDIR%\smtmp\1\*
    •  %APPDATA%\Microsoft\Internet Explorer\Quick Launch\* into %TEMPDIR%\smtmp\2\*



It deletes the initially executed copy of itself.



The following file is created:

– %ALLUSERSPROFILE%\Application Data\%number%.exe Further investigation pointed out that this file is malware, too. Detected as: TR/FakeSysdef.A.1023

 Registry The following registry key is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "%random character string%"="%ALLUSERSPROFILE%\Application Data\%random character string%.exe"



The following registry keys are added:

– [HKCU\Software\Microsoft\Internet Explorer\Download]
   • "CheckExeSignatures"="no"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   • "DisableTaskMgr"=dword:00000001

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
   • "DisableTaskMgr"=dword:0000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   • "ShowSuperHidden"=dword:00000000
   • "Hidden"=dword:00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\
   ActiveDesktop]
   • "NoChangingWallPaper"=dword:00000001

– [HKCU\Software]
   • "75fa38b7-8b94-4995-ad32-52e938867954"=""

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   • "NoDesktop"=dword:00000001

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\
   ActiveDesktop]
   • "NoChangingWallPaper"=dword:00000001

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\
   Associations]
   • "LowRiskFileTypes"="/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:"

 Miscellaneous Accesses internet resources:
   • http://**********ckfer.org/pica1/531-direct
   • http://**********dconsonant.org/pica1/516-direct
   • http://**********rchafternoon.org/404.php?type=stats&affid=516&subid=02&awok
   • http://**********rchbeen.org/404.php?type=stats&affid=531&subid=02&awok
   • http://**********rchbottle.org/pica1/516-direct
   • http://**********rchbowl.org/pica1/531-direct


Mutex:
It creates the following Mutex:
   • 86e8a495-357c-437c-b6e9-13e757bfabab

 File details Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • UPX

Beschrijving ingevoegd door Andrei Ilie op vrijdag 26 augustus 2011
Beschrijving bijgewerkt door Andrei Ilie op donderdag 1 september 2011

Terug . . . .
https:// Dit venster is voor uw veiligheid gecodeerd.