ThreatExpert Report: Trojan.Generic, Trojan Horse, Trojan.Win32.FraudPack.abel, Mal/FakeAV-BR..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 25 November 2009, 15:47:21
Processing time: 7 min 23 sec
Submitted sample:

File MD5: 0x1D6B479116F4F7E54859CB8EC97EA674
File SHA-1: 0x8F154C2BAB6255AEAF35B9033ECE5DCF84D244AE
Filesize: 24,848 bytes
Alias:

Trojan.Generic [PCTools]
Trojan Horse [Symantec]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Modifies some system settings that may have negative impact on overall system security state.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
RogueAntiSpyware.AdvancedAntivirus	RogueAntispyware.AdvancedAntivirus is another fake antispyware that tries to get money from users by prompting them to register and buy their products.

Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%DesktopDir%\Advanced Virus Remover.lnk	737 bytes	MD5: 0x20D57C4D152C854509FDA25BF9CA0E7E SHA-1: 0x3A38E36A3701B99A41332CD50E9973758C257123	(not available)
2	%StartMenu%\Advanced Virus Remover.lnk	737 bytes	MD5: 0x92B6C41A7F0B15A73692AADC14DF8560 SHA-1: 0x5754F09C91EAD0F980853E493BA4ADB8FD4B392E	(not available)
3	%ProgramFiles%\AdvancedVirusRemover\AVR.exe %System%\AVR10.exe	941,840 bytes	MD5: 0xCF822F43BF8DEF3057650DE735F605D6 SHA-1: 0x9200FFC9C52F36CDFD8CBE688DC176B0D511748B	Trojan.Win32.FraudPack.abel [Kaspersky Lab] Mal/FakeAV-BR [Sophos] Gen.Trojan [Ikarus]
4	%System%\41.exe	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
5	[file and pathname of the sample #1] %System%\winlogon86.exe %System%\winupdate86.exe	24,848 bytes	MD5: 0x1D6B479116F4F7E54859CB8EC97EA674 SHA-1: 0x8F154C2BAB6255AEAF35B9033ECE5DCF84D244AE	Trojan.Generic [PCTools] Trojan Horse [Symantec]
6	%System%\winhelper86.dll	22,528 bytes	MD5: 0xD30C2609E4FC8B48D03775144DC79073 SHA-1: 0xCD58B8586BF664ACA713998E7B85A5FF5862DF80	(not available)

Notes:

%DesktopDir% is a variable that refers to the file system directory used to physically store file objects on the desktop. A typical path is C:\Documents and Settings\[UserName]\Desktop.
%StartMenu% is a variable that refers to the file system directory containing Start menu items. A typical path is C:\Documents and Settings\[UserName]\Start Menu.
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following directory was created:

%ProgramFiles%\AdvancedVirusRemover

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
winupdate86.exe	%System%\winupdate86.exe	143,360 bytes
winlogon86.exe	%System%\winlogon86.exe	143,360 bytes
AVR.exe	%ProgramFiles%\advancedvirusremover\avr.exe	2,940,928 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_CURRENT_USER\Software\AVR

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop]

NoChangingWallpaper = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]

NoSetActiveDesktop = 0x00000001
NoActiveDesktopChanges = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

winupdate86.exe = "%System%\winupdate86.exe"

so that winupdate86.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software]

8636065b-fef0-4255-b14f-54639f7900a4 = "8636065b-fef0-4255-b14f-54639f7900a4"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

NoSetActiveDesktop = 0x00000001
NoActiveDesktopChanges = 0x00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]

NoChangingWallpaper = 0x00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

DisableTaskMgr = 0x00000001

to prevent users from starting Task Manager (Taskmgr.exe)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

Advanced Virus Remover = "%ProgramFiles%\AdvancedVirusRemover\AVR.exe"

so that AVR.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\AVR]

LastVFC = "25"
VirList = "52|5|47|36|0|13|41|18|52|36|54|41|7|34|7|55|23|56|22|5|6|17|54|15|35|17"
LastD = "25"

The following Registry Value was modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

Userinit =

Other details

Analysis of the file resources indicate the following possible country of origin:

Russian Federation

The following ports were open in the system:

Port	Protocol	Process
1055	TCP	winupdate86.exe (%System%\winupdate86.exe)
1058	TCP	winupdate86.exe (%System%\winupdate86.exe)
1059	TCP	winupdate86.exe (%System%\winupdate86.exe)
1060	TCP	winupdate86.exe (%System%\winupdate86.exe)

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
91.207.116.55	80

The data identified by the following URLs was then requested from the remote web server:

http://downloadavr11.com/loads.php?code=0000920
http://downloadavr11.com/dfghfghgfj.dll
http://downloadavr11.com/cgi-bin/download.pl?code=0000920
http://testavrdown.com/cgi-bin/get.pl?l=0000920

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.