XP Internet Security 2012. FakeAV trend continues. (Jul 14, 2011)

The Sonicwall UTM research team received reports of a FakeAV called XP Internet Security 2012. FakeAV software of this nature continues to be a steady growing trend and has been covered in some of our previous SonicALERTs. Once infected, this software will disable the Windows firewall, Windows automatic updates and Windows Security Center antivirus notifications. It will then proceed with its campaign to sell the software to the infected victim.

The Trojan performs the following DNS query:

hises{removed}.com

The Trojan brings up the following fake system scan dialogs a few seconds after infection:

The Trojan periodically brings up the following messages in an attempt to encourage the user to buy the software:

The Trojan makes the following GET request to a remote webserver (hises{removed}.com):

The Trojan was seen receiving the following data in response to the above GET request:

The Trojan creates the following files on the filesystem:

• C:Documents and Settings{USER}Local SettingsApplication Datauwk.exe
• C:Documents and SettingsAll UsersApplication Datac1xisgac1m22i0vav24c46v8xoky2du4
• C:Documents and Settings{USER}Local SettingsApplication Datac1xisgac1m22i0vav24c46v8xoky2du4
• C:Documents and Settings{USER}Local SettingsApplication Datac1xisgac1m22i0vav24c46v8xoky2du4
• C:Documents and Settings{USER}Local SettingsTempc1xisgac1m22i0vav24c46v8xoky2du4
• C:Documents and Settings{USER}Templatesc1xisgac1m22i0vav24c46v8xoky2du4

The Trojan creates the following registry keys in the Windows registry:

Enable startup:

• HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun 453461717 "C:Documents and Settings{USER}Local SettingsApplication Datauwk.exe"

Shell spawning:

• HKEY_CLASSES_ROOT.exeshellopencommand @ ""C:Documents and Settings{USER}Local SettingsApplication Datauwk.exe"
• HKEY_CURRENT_USERSoftwareClasses.exeshellopencommand @ ""C:Documents and Settings{USER}Local SettingsApplication Datauwk.exe"
• HKEY_CURRENT_USERSoftwareClassesexefileshellopencommand @ ""C:Documents and Settings{USER}Local SettingsApplication Datauwk.exe"

Disable windows firewall and notifications:

• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyDomainProfile EnableFirewall dword:00000000
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyDomainProfile DoNotAllowExceptions dword:00000000
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyDomainProfile DisableNotifications dword:00000001
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyStandardProfile EnableFirewall dword:00000000
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyStandardProfile DoNotAllowExceptions dword:00000000
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyStandardProfile DisableNotifications dword:00000001

The Trojan makes the following registry modifications:

Disable windows antivirus check and notifications:

• HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity Center AntiVirusDisableNotify dword:00000000 dword:00000001
• HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity Center FirewallDisableNotify dword:00000000 dword:00000001
• HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity Center UpdatesDisableNotify dword:00000000 dword:00000001
• HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity Center AntiVirusOverride dword:00000000 dword:00000001
• HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity Center FirewallOverride dword:00000000 dword:00000001

The Trojan deletes everything under the following registry keys to disable Windows automatic updates:

• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_WUAUSERV
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceswuauserv

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

• GAV: Kryptik.QFG (Trojan)
• GAV: Kryptik.QFG_2 (Trojan)