FakeRecycled

This page shows details and results of our analysis on the malware FakeRecycled

Overview

This trojan masquerades as ctfmon.exe and copies itself  in a fake Recycle Bin folder that it creates. It also tries to configure the system to execute the trojan when a remote machine tries to access a drive on infected machine via network share.

 

 


Minimum DAT

6830 (2012-09-09)

Updated DAT

6919 (2012-12-07)

Minimum Engine

5400.1158

File Length

Varies

Description Added

2006-09-27

Description Modified

2012-12-11

Malware Proliferation

Characteristics

FakeRecycled” is a worm that spreads by copying itself to system and removable drives. It creates a Fake recyclebin. 

Upon execution the Worm tries to copies itself into the following location:

  • %SYSTEMDRIVE%\Recycled\desktop.ini
  • %SYSTEMDRIVE%\Recycled\INFO2
  • %SYSTEMDRIVE%\Recycled\Recycled\ctfmon.exe
  • %UserProfile%\Start Menu\Programs\Startup\ctfmon.exe

The above File path confirms that the Trojan load itself upon system boot

  • [Removable Drive]:\Recycled\Recycled\ctfmon.exe
  • %SYSTEMDRIVE%\autorun.inf [Detected as Generic!atr]
  •  [Removable Drive]:\autorun.inf [Detected as Generic!atr]

This worm also attempts to create an autorun.inf file on the root of any accessible disk volumes:

The file "AutoRun.inf" is pointing to the malware binary executable. When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.

The autorun.inf is configured to launch the worm file via the following command syntax.

  • [autorun]
  • shellexecute=Recycled\Recycled\ctfmon.exe
  • shell\Open(&O)\command=Recycled\Recycled\ctfmon.exe
  • shell=Open(&0)


----------Updated on 09-Sep-2006--------------------------------------------------------------------------------------------------------------------------------------------

This trojan purports to be a legitimate file ctfmon.exe by its name and icon. It copies itself  in a fake Recycle Bin folder that it creates. It also tries to configure the system to execute the trojan when a remote machine tries to access a drive on infected machine via network share.

On execution this malware adds the following files and folders on each drive

    • %Drive%:\autorun.inf
    • %Drive%:\Recycled\desktop.ini
    • %Drive%:\Recycled\INFO2
    • %Drive%:\Recycled\Recycled\ctfmon.exe

Where %Drive% represents the Drive Letters.

The contents of desktop.ini file are:
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}

This causes windows to think that this folder contains recycle bin data. Desktop.ini is created as a hidden system file.


The contents of the autorun.inf file are:
[autorun]
shellexecute=Recycled\Recycled\ctfmon.exe
shell\Open(&O)\command=Recycled\Recycled\ctfmon.exe
shell=Open(&0)

Now if the folder in which this autorun.inf resides is shared and set for autoplay, then any remote computer accessing this share will end up executing the trojan file and getting infected too in a similar manner. This autorun.inf file also overrides the "open" command of the context menu (displayed on right click) to run the trojan when a user right-clicks and selects open.

 

Symptoms

  • Presence of files and folders as described
  • Presence of autorun.inf at the root of all drives with contents as discussed

Method of Infection

Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial. Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems. Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Variants