ThreatExpert Report: Trojan-PSW.Win32.Agent.mgm, AntiVirus2009, Winfixer, Mal/FakeVir-G..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 6 April 2009, 11:58:11
Processing time: 7 min 30 sec
Submitted sample:

File MD5: 0xFEED65765E05FCF542FF797147A88F8F
File SHA-1: 0xCDFBE1B64364586F86FF12AF699D9420B3EBFD19
Filesize: 1,416,600 bytes
Alias:

AntiVirus2009 [Symantec]
Trojan-PSW.Win32.Agent.mgm [Kaspersky Lab]
Winfixer [McAfee]
Mal/FakeVir-G [Sophos]
Trojan-PWS.Win32.Agent [Ikarus]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! The following threat categories were identified:

Threat Category	Description
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)
	A program that downloads files to the local computer that may represent security risk

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%CommonPrograms%\VirusRemover2009\VirusRemover2009.lnk	709 bytes	MD5: 0x768E23008882A0641E5D79E8A37E2D36 SHA-1: 0x1EEA36AE1BA2D56D45D13940782E4D46E651EF25	(not available)
2	%DesktopDir%\VirusRemover2009.lnk	697 bytes	MD5: 0xF520304E059614EE18BFDF1B454EB238 SHA-1: 0x6EF50EA47E259B2CB191A5EA2B34674536FAEC6B	(not available)
3	%ProgramFiles%\VirusRemover2009\ExtSecurityCenter.exe	850,432 bytes	MD5: 0x1D2A43723961179CCE7E31AA7EA68F36 SHA-1: 0x8893AD77951A859605BF47B632A0CCD8D18325AB	VirusRemover2008 [Symantec] not-a-virus:FraudTool.Win32.SecurityCenter.aq [Kaspersky Lab] Generic PUP.x [McAfee] Fraudtool.Win32.VRM2009 [Ikarus]
4	%ProgramFiles%\VirusRemover2009\ExtSecurityCenter.ini	165 bytes	MD5: 0x055DCABF891400275C8BD9CA026C4F64 SHA-1: 0x1FC1E544C1287DCB95B349BDEB994B0710E35011	(not available)
5	%ProgramFiles%\VirusRemover2009\ExtSecurityCenter.xml	932,213 bytes	MD5: 0xE53626FD525D2D358DE10C860109E7A7 SHA-1: 0x122EE6BA4BCE9633CF15EBAC6B26A2117A62C423	Fraudtool.Win32.VRM2009 [Ikarus]
6	%ProgramFiles%\VirusRemover2009\ni_d.exe	255,488 bytes	MD5: 0x6CC89B09C84A688446E727CFFABA5BBA SHA-1: 0xEA171ED6C4F0A33B3390951618EB09F3AA51A2C5	Trojan-PSW.Agent!sd6 [PCTools] Downloader [Symantec] Trojan-PSW.Win32.Agent.mgm [Kaspersky Lab] Generic Downloader.x [McAfee] Mal/Generic-A [Sophos] Fraudtool.Win32.FakeAV [Ikarus] Win-Trojan/Agent.255488.O [AhnLab]
7	%ProgramFiles%\VirusRemover2009\PP.exe	249,856 bytes	MD5: 0xE3BBFDBA2ED6A034613AE11ABAB8EA68 SHA-1: 0x218E76B0D7D1DA11E56F404949CD23744C5B4198	(not available)
8	%ProgramFiles%\VirusRemover2009\Uninstall.exe	60,733 bytes	MD5: 0x90CC9029724A00737C05CFD3D2F15A8E SHA-1: 0xBE95856476AD5D27981CA742FB41C21FD4BC5B39	Mal/FakeVir-G [Sophos]
9	%ProgramFiles%\VirusRemover2009\Viruses.bdt	122 bytes	MD5: 0x5A75F0A2C3FC1C68B47BD7DBC913E787 SHA-1: 0xA3350BFAA4DCFB48B4BA3FDE94B8D097A9CE0945	(not available)
10	%ProgramFiles%\VirusRemover2009\VRM2009.exe	3,362,816 bytes	MD5: 0x65BC0F91F92AD9A78F4D95AC4C4B474E SHA-1: 0x6B5FDC3856FE4558CF2C98E8F535748A594990A0	AntiVirus2009 [Symantec] Mal/FakeVir-G [Sophos] Program:Win32/Winfixer [Microsoft] Generic.Win32.Malware [Ikarus]
11	[file and pathname of the sample #1]	1,416,600 bytes	MD5: 0xFEED65765E05FCF542FF797147A88F8F SHA-1: 0xCDFBE1B64364586F86FF12AF699D9420B3EBFD19	AntiVirus2009 [Symantec] not-a-virus:FraudTool.Win32.SecurityCenter.aq, Trojan-PSW.Win32.Agent.mgm [Kaspersky Lab] Winfixer [McAfee] Mal/FakeVir-G [Sophos] Trojan-PWS.Win32.Agent [Ikarus]

Notes:

%CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).
%DesktopDir% is a variable that refers to the file system directory used to physically store file objects on the desktop. A typical path is C:\Documents and Settings\[UserName]\Desktop.
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directories were created:

%CommonPrograms%\VirusRemover2009
%ProgramFiles%\VirusRemover2009

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
VRM2009.exe	%ProgramFiles%\VirusRemover2009\VRM2009.exe	3,387,392 bytes
ExtSecurityCenter.exe	%ProgramFiles%\VirusRemover2009\ExtSecurityCenter.exe	880,640 bytes
ni_d.exe	%ProgramFiles%\virusremover2009\ni_d.exe	274,432 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	217,088 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusRemover2009
HKEY_LOCAL_MACHINE\SOFTWARE\VirusRemover2009
HKEY_LOCAL_MACHINE\SOFTWARE\{5222008A-DD62-49c7-A735-7BD18ECC7350}
HKEY_CURRENT_USER\Software\ExtSecurityCenter
HKEY_CURRENT_USER\Software\ExtSecurityCenter\WebMonNotifier
HKEY_CURRENT_USER\Software\VirusRemover2009
HKEY_CURRENT_USER\Software\{5222008A-DD62-49c7-A735-7BD18ECC7350}

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform]

3P_UVSM 1.0.9.0 = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

VirusRemover2009 = "%ProgramFiles%\VirusRemover2009\VRM2009.exe"

so that VRM2009.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusRemover2009]

DisplayName = "VirusRemover2009"
UninstallString = "%ProgramFiles%\VirusRemover2009\uninstall.exe"
NoModify = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\VirusRemover2009]

Abbr = "3P_UVSM"
InstallPath = "%ProgramFiles%\VirusRemover2009"
LicenseAccepted = 01
Upd_size = 00 00 00 00
InstallDate = D9 07 04 00 01 00 06 00 0C 00 3A 00 2C 00 86 01
ActivationCode = 31 32 46 36 45 46 42 44 2D 37 43 30 35 2D 34 37 34 33 2D 39 30 31 38 2D 38 30 43 39 42 41 31 37 41 41 36 31
InfectionCount = 01 00 00 00
LastScanTime = D9 07 04 00 01 00 06 00 0D 00 00 00 2B 00 AB 00
TotalScanCount = 03 00 00 00

[HKEY_LOCAL_MACHINE\SOFTWARE\{5222008A-DD62-49c7-A735-7BD18ECC7350}]

Version = 33 50 5F 56 53 4D

[HKEY_CURRENT_USER\Software\ExtSecurityCenter\WebMonNotifier]

Balloon = 29

[HKEY_CURRENT_USER\Software\VirusRemover2009]

scns_time = F5 5E DA 49 00 00 00 00

Other details

Analysis of the file resources indicate the following possible countries of origin:

	Russian Federation
	Ukraine

To mark the presence in the system, the following Mutex objects were created:

AntiMalwareMaster3B6870C4-797E-480a-8A36-26DA4E308875
ExternalSecurityCenterc67c016561c74281984d1fa66ae17c35
{XPSC-32291332-7DCD-48f4-BA67-C195EB7D5A97}
SFSMT-85E1C8F6-FA13-4069-A671-5487F1D3DA06
{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flagECILMEAAEJGAAAAA
{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flagECILMEAAILAAAAAA
{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flagECILMEAAAEHAAAAA
AntiMalwareMasterAntiMalwareMaster242924B7-C836-49b8-8572-1E91922CA594
sp_instance_mutex_2641991737
{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flagECILMEAAABDAAAAA

The data identified by the following URLs was then requested from the remote web server:

http://windowsupdate.microsoft.com/
http://windowsupdate.microsoft.com
?action=38&pc_id=525497056&abbr=3P_UVSM_5712_9.0
?action=5&pc_id=525497056&abbr=3P_UVSM_5712_9.0

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.