Overview
Overview -
This is a detection for a trojan that displays misleading fake alerts to entice the user into buying a product to "repair" malware problems.
Aliases
- Hoax.Win32.Renos.vazh (Kaspersky)
- TrojanDownloader:Win32
|
Minimum DAT
5376 (2008-09-03) Updated DATN/A |
Minimum Engine
5.2.00 File LengthN/A |
Description Added
2008-09-04 Description Modified2008-09-04 |
Malware Proliferation
Characteristics
Characteristics -
File Property
Property Value
File Name
braviax.exe
McAfee Detection
FakeAlert.ap
Length
9,728 bytes
CRC32
7132aa96
The trojan shows the following fake warning in bubble warning:
This malware try to access the following websites :
- virus-quick-{removed}an.com
- goggl{removed}.com
And downloading the following file :
- %Windir%\system32\winivstr.exe
(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)
The following registry keys are added:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
1208 = 0x00000000
2500 = 0x00000003 - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
1208 = 0x00000000
2500 = 0x00000003 - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
1208 = 0x00000000
2500 = 0x00000003 - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
1208 = 0x00000000
2500 = 0x00000003 - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
1208 = 0x00000000
2500 = 0x00000003 - [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
Enable Browser Extensions = "yes"
Search Bar = "http://www.google.com/ie" - [HKEY_CURRENT_USER\Software\Microsoft\Security Center]
AntiVirusDisableNotify = 0x00000001
FirewallDisableNotify = 0x00000001
UpdatesDisableNotify = 0x00000001
The following registry keys are added or modified:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
Default_Search_URL = "http://www.google.com/ie"
Search Page = "http://www.google.com"
Start Page = "http://www.google.com" - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
SearchAssistant = "http://www.google.com" - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
1201 = 0x00000000
1804 = 0x00000001 - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
1201 = 0x00000000 - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
1201 = 0x00000000
1804 = 0x00000001 - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
1201 = 0x00000000 - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
1200 = 0x00000000
1201 = 0x00000000
1608 = 0x00000000
1804 = 0x00000001 - [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
Start Page = "http://www.google.com"
Search Page = "http://www.google.com"
To mark the presence in the system, the following Mutex object was created:
{232780427656663764673647663354632}
To test internet connectivity the following website was contacted:
Server Name Server Port
www.google.com 80
Symptoms
Method of Infection
Trojan do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include spam emails, IRC, P2P networks, newsgroup postings, etc.
Removal
Detection is included in our BETA DAT files and will also be included in the next scheduled DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.
Variants