Fake-AV.Win32.FakeRean_e1f98f39fe

by malwarelabrobot on October 27th, 2013 in Malware Descriptions.

Susp_Dropper (Kaspersky), FraudTool.Win32.FakeRean.i (v) (VIPRE), Trojan.Fakealert!IK (Emsisoft), Fake-AV.Win32.FakeRean.2.FD, FakeAVWin32FakeRean.YR (Lavasoft MAS)
Behaviour: Trojan, Fake-AV


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Technical Details
Removal Recommendations

MD5: e1f98f39fed1726f9092c33539a647fa
SHA1: 5ba4e8d0b17dc43469bc37b879d87d20ddb3b3c2
SHA256: b2f2bf865fde14cd8e533b2d81f6ceeb9cc14d4daa7c3b675db87a5d1f5ef2d0
SSDeep: 6144:HrV6eUYpgSofir0twwD26EfgOX34xZ2T:HxBpgSojfKXYOo
Size: 335872 bytes
File type: DLL
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualCv71EXE, UPolyXv05_v6
Company: InstallX, LLC
Created at: 2011-06-08 02:23:19


Summary:

Fake-AV. FakeAV programs generate exaggerated threat reports on the compromised computer then ask the user to purchase a registered version to remove those reported threats.

Payload

No specific payload has been found.

Process activity

The Fake-AV creates the following process(es):

regsvr32.exe:2696
ctfmon.exe:252

The Fake-AV injects its code into the following process(es):

oqc.exe:2800

File activity

The process regsvr32.exe:2696 makes changes in a file system.
The Fake-AV creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\oqc.exe (1616 bytes)

The process oqc.exe:2800 makes changes in a file system.
The Fake-AV creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\1073mxiwe3s834qihl7d1kpwd8g5i2rw2r0j17 (170 bytes)
%Documents and Settings%\%current user%\Templates\1073mxiwe3s834qihl7d1kpwd8g5i2rw2r0j17 (170 bytes)
%Documents and Settings%\All Users\Application Data\1073mxiwe3s834qihl7d1kpwd8g5i2rw2r0j17 (170 bytes)
%System%\wbem\Logs\wbemprox.log (4587 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1073mxiwe3s834qihl7d1kpwd8g5i2rw2r0j17 (170 bytes)

The Fake-AV deletes the following file(s):

C:\e1f98f39fed1726f9092c33539a647fa.dll (0 bytes)

Registry activity

The process regsvr32.exe:2696 makes changes in a system registry.
The Fake-AV creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD A2 5B A3 95 10 D6 1C DF 0D 22 EA 33 3B A6 67"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = "0"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DoNotAllowExceptions" = "0"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

The following service is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess]
"Start" = "4"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

The process ctfmon.exe:252 makes changes in a system registry.
The Fake-AV deletes the following value(s) in system registry:
The Fake-AV disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"

The process oqc.exe:2800 makes changes in a system registry.
The Fake-AV creates and/or sets the following values in system registry:

[HKCU\Software\Classes\exefile\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\oqc.exe -a %1 %*"

[HKCU\Software\Classes\exefile\shell\runas\command]
"IsolatedCommand" = "%1 %*"

[HKCU\Software\Classes\exefile]
"(Default)" = "Application"

[HKCU\Software\Classes\.exe\shell\runas\command]
"IsolatedCommand" = "%1 %*"

[HKLM\SOFTWARE\Clients\StartMenuInternet]
"(Default)" = "IEXPLORE.EXE"

[HKCU\Software\Classes\exefile\shell\open\command]
"IsolatedCommand" = "%1 %*"

[HKCU\Software\Classes\.exe\shell\runas\command]
"(Default)" = "%1 %*"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKCU\Software\Classes\exefile\shell\runas\command]
"(Default)" = "%1 %*"

[HKCU\Software\Classes\exefile]
"Content Type" = "application/x-msdownload"

[HKCU\Software\Classes\.exe\shell\open\command]
"IsolatedCommand" = "%1 %*"

[HKCU\Software\Classes\.exe]
"(Default)" = "exefile"

[HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\oqc.exe -a %Program Files%\Internet Explorer\iexplore.exe"

[HKCU\Software\Classes\exefile\DefaultIcon]
"(Default)" = "%1"

[HKCU\Software\Microsoft\Windows]
"Identity" = "507094562"

[HKCU\Software\Classes\.exe\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\oqc.exe -a %1 %*"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 C2 CB 6C 60 84 9C D4 82 16 21 A6 71 E2 CC 8B"

[HKCU\Software\Classes\.exe\DefaultIcon]
"(Default)" = "%1"

[HKCU\Software\Clients\StartMenuInternet]
"(Default)" = "IEXPLORE.EXE"

[HKCU\Software\Classes\.exe]
"Content Type" = "application/x-msdownload"

To automatically run itself each time Windows is booted, the Fake-AV adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"1218735347" = "%Documents and Settings%\%current user%\Local Settings\Application Data\oqc.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe" = "%System%\ctfmon.exe"

Network activity (URLs)

URL IP
hxxp://ralexezoj.com/1024000113 208.73.211.246
tijusenenoqije.com Unresolvable
pegabafifid.com Unresolvable


Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    regsvr32.exe:2696

  2. Delete the original Fake-AV file.
  3. Delete or disinfect the following files created/modified by the Fake-AV:

    %Documents and Settings%\%current user%\Local Settings\Application Data\oqc.exe (1616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\1073mxiwe3s834qihl7d1kpwd8g5i2rw2r0j17 (170 bytes)
    %Documents and Settings%\%current user%\Templates\1073mxiwe3s834qihl7d1kpwd8g5i2rw2r0j17 (170 bytes)
    %Documents and Settings%\All Users\Application Data\1073mxiwe3s834qihl7d1kpwd8g5i2rw2r0j17 (170 bytes)
    %System%\wbem\Logs\wbemprox.log (4587 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1073mxiwe3s834qihl7d1kpwd8g5i2rw2r0j17 (170 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "1218735347" = "%Documents and Settings%\%current user%\Local Settings\Application Data\oqc.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe" = "%System%\ctfmon.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.