Trojan.FakeAV_5d5a2cfcb8

by malwarelabrobot on March 3rd, 2014 in Malware Descriptions.

Trojan.FakeAV (Symantec), GenericInjector.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Fake-AV


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 5d5a2cfcb887124439c5c0c8165b7a4c
SHA1: b9b2665fc06705a15a5d9f80926a644008aa4121
SHA256: 51fe86dda16a20edc5b2a9b21b0055d1e30b8be53af58070e8e522437dcda946
SSDeep: 24576:/npBQEaNd1/vMJ45ZcvHSHAS0VQUQfi8iwGrc0r21x Y5w9oaVX0:/ntuP/vT5yH2z0KUQK8iwGrV2/ YWx
Size: 1588736 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2002-02-15 05:26:48
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:2036

File activity

The process %original file name%.exe:2036 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\cosock.exe (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kilslmd.exex (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\alerfa322.exe (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ae0965a7157cd.exe (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pswwg3c.exe (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eephilpe.exe (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gedx_ae09.exe (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gpupz2a.exe (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\backd-efq.exe (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\format.exe (99 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\r0life.exe (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cocksucker.exe (82 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ddhelp.exe (74 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\snowif.exe (68 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hhbboll_2.exe (34 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bzqa43d.exe (57 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kock.exe (81 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hiphop.exe (87 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\timem.exe (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hvipws9.exe (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wqefqw7e.exe (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\472a10e2ebxd9.exe (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rtfme.exe (103 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\warsddd_w.exe (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\exppdf_w.exe (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jdhellwo3.exe (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\al3erfa3.exe (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ds7hw.exe (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\brdss.exe (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kjdh_gf_jjdhgd.exe (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hodeme.exe (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wrcud12.exe (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\safe.exe (89 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dkfjd93.exe (83 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ddoll3342.exe (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\02c9c3c35bdx5.exe (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ploper.exe (80 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qas1.tmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aqfitrlxi2.exe (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\alerfa.exe (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\56493.exe (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\htfad4.exe (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\17dkf.exe (102 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fe.exe (92 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wrfwe_di.exe (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dc_3.exe (65 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\poertd.exe (91 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dd10x10.exe (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qwedvor.exe (101 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qwklrvjhqlkj.exe (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rator.exe (69 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winlogoff.exe (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\destroyer.exe (97 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sycre.exe (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eelnvd13.exe (52 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lols.exe (95 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ppddfcfux.exxe (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lorsk.exe (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8gmsed-bd.exe (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cunifuc.exe (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hardwh.exe (71 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wergfq.exe (77 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jofcdks.exe (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\test.exe (98 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\qas1.tmp (0 bytes)

Registry activity

The process %original file name%.exe:2036 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 34 0C 65 D8 7C 50 D3 34 DE 06 EE 8D 6E 30 0D"

[HKCU\Software\Desktop Security 2010]
"LastTimeStamp" = "4294967249"
"LastUpdateDate" = "2014/1/24"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"_reg"

Network activity (URLs)

No activity has been detected.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the files created/modified by the Trojan (the %Documents and Settings%\%current user%\Local Settings\Temp\ files listed under File activity above).

  4. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.