This Trojan may be downloaded from the following remote sites:
- http://{BLOCKED}ogle.info/tre/lena.exe/{random characters}
This Trojan adds the following registry entry to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
{random value} = %User Temp%\{random folder}\{random file name}.exe
This Trojan adds the following registry key as part of its installation routine:
HKEY_CURRENT_USER\Software\yr87fk3d2dnszapq2
It also creates the following registry entries as part of its installation routine:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter
EnabledV8 = 0
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter
Enabled = 0
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download
RunInvalidSignatures = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyServer = http={BLOCKED}.{BLOCKED}.0.1:8075
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyOverride = <local>
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
LowRiskFileTypes = .exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
SaveZoneInformation = 1
It modifies the following registry entries as part of its installation routine:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download
CheckExeSignatures = no
(Note: The default value data of the said registry entry is yes.)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable = 1
(Note: The default value data of the said registry entry is 0.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings
ProxyEnable = 1
(Note: The default value data of the said registry entry is 0.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings
ProxyEnable = 1
(Note: The default value data of the said registry entry is 0.)
HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings
ProxyEnable = 1
(Note: The default value data of the said registry entry is 0.)
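A defender-side check for the registry indicators listed above, added here as an example (it is not part of the write-up or of any Trend Micro tool): it parses a .reg export of HKEY_CURRENT_USER, such as one produced with `reg export`, and reports every entry described above that is present, plus any Run entry whose target lies under the user's Temp folder, where the Trojan drops its file. The sample export, its user name, the random folder name and the proxy address in it are constructed placeholders.

```python
# Indicators from the write-up above: (key, value name, data the Trojan sets).
IE, WIN = (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer",
           r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion")
INDICATORS = [
    (IE + r"\PhishingFilter", "EnabledV8", "0"), (IE + r"\PhishingFilter", "Enabled", "0"),
    (IE + r"\Download", "RunInvalidSignatures", "1"), (IE + r"\Download", "CheckExeSignatures", "no"),
    (WIN + r"\Policies\Associations", "LowRiskFileTypes", ".exe"),
    (WIN + r"\Policies\Attachments", "SaveZoneInformation", "1"),
    (WIN + r"\Internet Settings", "ProxyEnable", "1"),
]
MARKER_KEY = r"HKEY_CURRENT_USER\Software\yr87fk3d2dnszapq2"

def parse_reg_export(text):
    """Parse a .reg export (REG_SZ and REG_DWORD values only) into {key: {name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current, keys[line[1:-1]] = line[1:-1], {}
        elif current and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            data = (str(int(raw[6:], 16)) if raw.startswith("dword:")   # dword:00000001 -> "1"
                    else raw.strip('"').replace("\\\\", "\\"))          # unescape REG_SZ
            keys[current][name.strip('"')] = data
    return keys

def find_indicators(keys):
    """Return (finding, key) pairs for each indicator from the write-up present in the export."""
    hits = [("installation marker key present", MARKER_KEY)] if MARKER_KEY in keys else []
    for key, name, bad in INDICATORS:
        if keys.get(key, {}).get(name, "").lower() == bad.lower():
            hits.append((f"{name} = {bad}", key))
    # Autostart entry whose target sits under the user's Temp folder, the Trojan's drop location.
    for name, path in keys.get(WIN + r"\Run", {}).items():
        if "\\temp\\" in path.lower():
            hits.append((f"Run entry {name} -> {path}", WIN + r"\Run"))
    return hits

# Constructed sample export (not from the write-up); 192.0.2.1 stands in for the blocked proxy address.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"3fk9s"="C:\\Users\\alice\\AppData\\Local\\Temp\\3fk9s\\3fk9s.exe"
[HKEY_CURRENT_USER\Software\yr87fk3d2dnszapq2]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
"RunInvalidSignatures"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=192.0.2.1:8075"
"""
```

Running `find_indicators(parse_reg_export(SAMPLE_REG))` on the sample returns five findings (the marker key, the two Download entries, ProxyEnable, and the Temp-folder Run entry); the benign OneDrive entry is not reported.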
This Trojan displays fake alerts that warn users of infection. It also displays fake scanning results for the affected system. Once the scan completes, it asks users to purchase the product. If users decide to purchase the rogue product, they are directed to a website that asks for sensitive information, such as credit card numbers.
It does the following:
- Connects to any of the following websites to download its component file, which Trend Micro also detects as TROJ_FAKEAV.WKA:
  - http://{BLOCKED}ogle.info/tre/lena.exe/wHe46ed9e9V0100f060006R00000000102Ta9406b4e203L656e2d75730000000000
  - http://{BLOCKED}ogle.info/tre/lena.exe/xHe46ed9e9V0100f060006R00000000102Ta9406b42203l0409329
  - http://{BLOCKED}ogle.info/tre/lena.exe/yHe46ed9e9V0100f060006R00000000102Ta9406b42203l04093020
  The downloaded file then connects to the following remote sites to download another malicious component, also detected as TROJ_FAKEAV.WKA:
  - http://{BLOCKED}.192.250/user/xl3.php
  - http://{BLOCKED}.192.250/user/up/xl3.dat
  - http://{BLOCKED}ogle.info/tre/lena.exe/xHe46ed9e9V0100f060006R00000000102Ta9406b42203l0409328
- Connects to the following websites to display fake scanning results:
  - http://{BLOCKED}resh.com/check?pgid=8
  - http://{BLOCKED}resh.com/percer.php?login=ODMuMA==
- Connects to the following remote site should the affected user choose to purchase the full version of the rogue product:
  - http://{BLOCKED}resh.com/shop?abc=cGdpZD04JnI9ODMuMA==
For Windows ME and XP users