Trojan.Win32.FakeAV.oyb

by alexander.adamov on May 18th, 2012 in Malware Descriptions.

Platform: Win32
Type: Trojan
Size: 414684 bytes
Language: Delphi
MD5: 005091ED437E052596323AA95A043F62
SHA1: 4A3592EEB57DF47AFCDF09D65C3B5222A5ECB5ED

Summary

Trojan.Win32.FakeAV.oyb is a Trojan program that imitates all of the functions that a typical antivirus program would perform to get a fee from users for detecting and removing non-existent threats.

Technical Details

Installation

Once launched, the malware checks the current user interface language. If the primary language identifier corresponds to one of the following values:

Assamese (as)
Gujarati (gu)
Marathi (mr)
Hindi (hi)
Malayalam (ml)
Oriya (or)
Punjabi (pa)
Kannada (kn)
Sanskrit (sa)
Konkani (kok)
Tamil (ta)
Telugu (te)
Chinese (zh)
Azeri (az)
Armenian (hy)
Belarusian (be)
Kazakh (kk)
Kyrgyz (ky)
Romanian (ro)
Bashkir (ba)
Russian (ru)
Tatar (tt)
Sakha (sah)
Tajik (tg)
Turkmen (tk)
Uzbek (uz)
Ukrainian (uk)
Georgian (ka)

the malware finishes its work by removing the registry key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"<executable file name of malware>"

and launching the command interpreter "CMD.EXE" with the following parameters:

from taskkill /f /pid <PID malware process> & ping -n 3 127.1 & del /f /q "<full path to executable file of malware>", "%USERPROFILE%\Start Menu\Programs\Security Scanner.lnk"

It deletes the shortcut:

%USERPROFILE%\Start Menu\Programs\Security Scanner.lnk

and the executable file of the Trojan once it finishes its work.

Otherwise, the malware copies itself to the following directory:

%APPDATA%\<rnd>.exe

where <rnd> is a random sequence of Latin letters (e.g. "alpotks").

The Trojan creates a shortcut:

%USERPROFILE%\Start Menu\Programs\Security Scanner.lnk

The shortcut points to the object:

%APPDATA%\<rnd>.exe

The Trojan then launches its copy with the "-f" parameter using the command interpreter "CMD.EXE". The original malware file is then deleted.

The Trojan copy creates a registry key after each launch:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"<rnd>.exe" = "%APPDATA%\<rnd>.exe"

Because a RunOnce value is removed by Windows after it has executed, the Trojan rewrites it on every launch; this ensures that it is started automatically each time Windows boots.

Once the installation process is complete, the following message appears:

Payload

To ensure that only one instance of its process runs in the system, the Trojan creates a unique identifier with the following name:

mciqtz32.dll

Once launched, the Trojan imitates a scan of the file system and "detects" non-existent threats:

When the user tries to remove the threats reported by the Trojan, they are prompted to activate the program:

The malware then displays a form downloaded from the attacker's server, in which the user is asked to enter credit card information to purchase a license. At the time this description was written, the attacker's servers were unreachable and the form could not be retrieved:

The Trojan shows the following messages in the system tray:

The Trojan replaces the Windows Security Center with a fake version that reports that activation is required:

The Trojan blocks the launch of new processes in the system. When it detects a newly launched process, it terminates it and displays a message claiming that the process is infected.

For example:

The Trojan connects to the following servers:

46.21.155.85
46.21.156.67

Removal Recommendations

  1. Restart the computer in safe mode (press and hold the F8 key as the computer restarts, and then select “Safe Mode” on the boot menu).
  2. Delete the files:
     %APPDATA%\<rnd>.exe
     %USERPROFILE%\Start Menu\Programs\Security Scanner.lnk
  3. Delete the registry key (How to Work with System Registry):
     [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
     "<rnd>.exe" = "%APPDATA%\<rnd>.exe"
  4. Run a full scan of your computer using an antivirus program with an updated definition database (Download Ad-Aware Free).
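The following PowerShell check is an added example for this description; it is not code from the original page or from the malware itself. It enumerates the host artifacts listed in the Installation and Payload sections (the RunOnce value pointing to %APPDATA%\<rnd>.exe, the "Security Scanner.lnk" shortcut, the mciqtz32.dll identifier and live connections to the two listed addresses) so that an analyst can confirm an infection before following the removal steps. It assumes Windows PowerShell 5.1 or later, that Get-NetTCPConnection is available (Windows 8 / Server 2012 and later), and that the "unique identifier" named mciqtz32.dll is a named mutex, which the description does not state explicitly; the Vista-and-later Start Menu path is also an assumption, since the page only gives the XP-era profile path.

```powershell
# Added example, not part of the original description: enumerate the host
# artifacts this page attributes to Trojan.Win32.FakeAV.oyb and report them.
# Assumptions: Windows PowerShell 5.1+; Get-NetTCPConnection available
# (Windows 8 / Server 2012+); "mciqtz32.dll" is a named mutex (not stated
# on the page); the second shortcut location is the Vista+ Start Menu path.

function Find-FakeAVIndicators {
    $Findings = New-Object System.Collections.Generic.List[string]

    # 1. RunOnce persistence: a value whose data is %APPDATA%\<letters>.exe.
    #    Windows deletes RunOnce values after they execute, which is why the
    #    Trojan rewrites its value on every launch.
    $RunOncePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    if (Test-Path $RunOncePath) {
        $Key = Get-Item -LiteralPath $RunOncePath
        $Pattern = '^"?(?:%APPDATA%|' + [regex]::Escape($env:APPDATA) + ')\\[A-Za-z]+\.exe"?$'
        foreach ($Name in $Key.GetValueNames()) {
            # Read REG_EXPAND_SZ data unexpanded so a literal "%APPDATA%" also matches
            $Data = [string]$Key.GetValue($Name, '', [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            if ($Data -match $Pattern) {
                $Findings.Add("RunOnce value '$Name' = $Data")
            }
        }
    }

    # 2. The "Security Scanner.lnk" shortcut and the target it points to.
    $ShortcutPaths = @(
        (Join-Path $env:USERPROFILE 'Start Menu\Programs\Security Scanner.lnk'),   # path as given on this page
        (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Security Scanner.lnk')  # assumed Vista+ location
    )
    $Shell = New-Object -ComObject WScript.Shell
    foreach ($Lnk in $ShortcutPaths) {
        if (Test-Path -LiteralPath $Lnk) {
            $Target = $Shell.CreateShortcut($Lnk).TargetPath
            $Findings.Add("Shortcut $Lnk -> $Target")
        }
    }

    # 3. Single-instance object. OpenExisting throws when no such mutex exists.
    try {
        $Mutex = [System.Threading.Mutex]::OpenExisting('mciqtz32.dll')
        $Mutex.Dispose()
        $Findings.Add("Mutex 'mciqtz32.dll' is present (a running instance is likely)")
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # not present: nothing to report
    } catch [System.UnauthorizedAccessException] {
        $Findings.Add("Mutex 'mciqtz32.dll' exists but could not be opened (access denied)")
    }

    # 4. Live TCP connections to the addresses listed in this description.
    $C2 = @('46.21.155.85', '46.21.156.67')
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        Get-NetTCPConnection -ErrorAction SilentlyContinue |
            Where-Object { $C2 -contains $_.RemoteAddress } |
            ForEach-Object {
                $Proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
                $Findings.Add("Connection to $($_.RemoteAddress):$($_.RemotePort) from PID $($_.OwningProcess) ($($Proc.ProcessName))")
            }
    }

    return $Findings
}

$Results = @(Find-FakeAVIndicators)
if ($Results.Count -eq 0) {
    'No Trojan.Win32.FakeAV.oyb indicators found.'
} else {
    $Results | ForEach-Object { "[!] $_" }
}
```

Because the Trojan terminates newly launched processes while it is running, run the check from safe mode (as step 1 above recommends) or from a remote session; on a live infected desktop the PowerShell host itself may be killed before it reports. The RunOnce and shortcut findings give you the actual <rnd>.exe name to delete in steps 2 and 3.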