Fake-AV.Win32.FakeRean_8eea10f1c4

by malwarelabrobot on August 20th, 2013 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), FraudTool.Win32.FakeRean.i (v) (VIPRE), Gen.Variant.Katusha!IK (Emsisoft), Fake-AV.Win32.FakeRean.2.FD, FakeAVWin32FakeRean.YR (Lavasoft MAS)
Behaviour: Trojan, Fake-AV


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 8eea10f1c43c8b12f1052876db99bd9c
SHA1: bcc133bdf44cbf564ba433e68ed129ff6f0bcf11
SHA256: 346b4d968d77d41fd9db484fd06fbda6315a9c42369c3337837a4d268f3b539e
SSDeep: 6144:U5p6eQhcIVZYyEzw9pf9pCQEKhEA43h2C4uvkrZT:0620Gzifn3rhQhUmk
Size: 335872 bytes
File type: DLL
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualCv71EXE, UPolyXv05_v6
Company: no certificate found
Created at: 2001-12-20 00:03:24


Summary:

Fake-AV (rogue antivirus). FakeAV programs display exaggerated or fabricated threat reports on the compromised computer and then ask the user to purchase a "registered" version to remove the threats they reported.

Payload

No specific payload has been found.

Process activity

The Fake-AV creates the following process(es):

regsvr32.exe:1124

The Fake-AV injects its code into the following process(es), which it drops and starts itself (see File activity):

oso.exe:1600

File activity

The process regsvr32.exe:1124 makes changes to the file system.
The Fake-AV creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\oso.exe (1616 bytes)

The process oso.exe:1600 makes changes to the file system.
The Fake-AV creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\o88h5orxwc3m8d58wrdd8235mn88ckxv18i (15 bytes)
%Documents and Settings%\All Users\Application Data\o88h5orxwc3m8d58wrdd8235mn88ckxv18i (15 bytes)
%Documents and Settings%\%current user%\Templates\o88h5orxwc3m8d58wrdd8235mn88ckxv18i (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\o88h5orxwc3m8d58wrdd8235mn88ckxv18i (15 bytes)
%System%\wbem\Logs\wbemprox.log (5650 bytes)

The Fake-AV deletes the following file(s) (the original sample, which the analysis system named after its MD5; it removes itself after installation):

C:\8eea10f1c43c8b12f1052876db99bd9c.dll (0 bytes)

Registry activity

The process regsvr32.exe:1124 makes changes to the system registry.
The Fake-AV creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 06 7A 37 F3 CD CC B3 41 DF 15 FF 9D 0B D6 1F"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = "0"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DoNotAllowExceptions" = "0"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

The Windows Firewall (Standard profile) is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

The Windows Firewall/Internet Connection Sharing service (SharedAccess) is disabled (Start = 4 means Disabled):

[HKLM\System\CurrentControlSet\Services\SharedAccess]
"Start" = "4"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

The process oso.exe:1600 makes changes to the system registry.
The Fake-AV creates and/or sets the following values in the system registry. Note the per-user file-association hijack below: HKCU\Software\Classes takes precedence over HKLM\Software\Classes in the merged HKEY_CLASSES_ROOT view, so with the .exe and exefile "open" commands pointing at oso.exe -a, every executable the user launches is started through oso.exe first; the StartMenuInternet entry wraps Internet Explorer the same way:

[HKCU\Software\Classes\exefile\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\oso.exe -a %1 %*"

[HKCU\Software\Classes\exefile\shell\runas\command]
"IsolatedCommand" = "%1 %*"

[HKCU\Software\Classes\exefile]
"(Default)" = "Application"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Clients\StartMenuInternet]
"(Default)" = "IEXPLORE.EXE"

[HKCU\Software\Classes\exefile\shell\open\command]
"IsolatedCommand" = "%1 %*"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKCU\Software\Classes\exefile\shell\runas\command]
"(Default)" = "%1 %*"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Classes\.exe\shell\open\command]
"IsolatedCommand" = "%1 %*"

[HKCU\Software\Classes\exefile\DefaultIcon]
"(Default)" = "%1"

[HKCU\Software\Classes\.exe]
"(Default)" = "exefile"

[HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\oso.exe -a %Program Files%\Internet Explorer\iexplore.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Classes\exefile]
"Content Type" = "application/x-msdownload"

[HKCU\Software\Classes\.exe\shell\runas\command]
"(Default)" = "%1 %*"

[HKCU\Software\Classes\.exe\shell\runas\command]
"IsolatedCommand" = "%1 %*"

[HKCU\Software\Microsoft\Windows]
"Identity" = "3065152255"

[HKCU\Software\Classes\.exe\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\oso.exe -a %1 %*"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 55 A3 0E 83 76 DB E6 5B 4F 9C 82 7E E6 00 D4"

[HKCU\Software\Classes\.exe\DefaultIcon]
"(Default)" = "%1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Classes\.exe]
"Content Type" = "application/x-msdownload"

To run itself each time the user logs on, the Fake-AV adds the following value to the registry autorun key (the ctfmon.exe entry under the same key is a standard Windows component; the numeric value is the malware's):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe" = "%System%\ctfmon.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"3761195054" = "%Documents and Settings%\%current user%\Local Settings\Application Data\oso.exe"

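The registry changes above are what a responder needs to verify and undo on a suspect host. As an added example (not code from the Lavasoft report or from Ad-Aware), the following Python script parses a `reg export` dump offline, flags the per-user .exe association hijack, the Security Center overrides, the disabled firewall profile and the disabled SharedAccess service listed above, and writes a .reg fragment that deletes the hijacked HKCU keys so the machine-wide defaults apply again. The export excerpt, the user name and the drive paths in it are constructed for the example; the value names and settings are the ones this report lists.

```python
"""Added example, not code from the Lavasoft report: offline triage of a
`reg export` dump for the registry changes this FakeRean sample makes."""
import re
from typing import Dict, List

# Constructed REGEDIT5 export excerpt. User name and drive paths are illustrative;
# the value names and settings are the ones listed in the report.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="C:\\Documents and Settings\\user\\Local Settings\\Application Data\\oso.exe -a \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="C:\\Documents and Settings\\user\\Local Settings\\Application Data\\oso.exe -a \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
'''

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
SECURITY_CENTER = r'hkey_local_machine\software\microsoft\security center'
SHARED_ACCESS = r'hkey_local_machine\system\currentcontrolset\services\sharedaccess'
OVERRIDES = {'AntiVirusOverride', 'AntiVirusDisableNotify', 'FirewallOverride',
             'FirewallDisableNotify', 'UpdatesDisableNotify'}

def _unescape(s: str) -> str:
    return re.sub(r'\\(.)', r'\1', s)  # .reg strings escape \ and " with a backslash

def _decode(raw: str) -> str:
    if raw.startswith('dword:'):
        return str(int(raw[6:], 16))
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    return raw  # hex(...) blobs are kept verbatim

def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse REGEDIT5 export text into {key path: {value name: decoded value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = '(Default)' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
            keys[current][name] = _decode(m.group(2))
    return keys

def find_indicators(keys: Dict[str, Dict[str, str]]) -> List[str]:
    findings = []
    for path, values in keys.items():
        low = path.lower()
        # HKCU\Software\Classes wins over HKLM in the merged HKEY_CLASSES_ROOT view,
        # so any .exe/exefile command other than "%1" %* wraps every program launch.
        if low.startswith((r'hkey_current_user\software\classes\.exe\shell',
                           r'hkey_current_user\software\classes\exefile\shell')):
            for name in ('(Default)', 'IsolatedCommand'):
                cmd = values.get(name, '"%1" %*').replace('"', '').strip().lower()
                if cmd != '%1 %*':
                    findings.append(f'exe-hijack: [{path}] {name} = {values[name]}')
        if low == SECURITY_CENTER:
            for name in sorted(OVERRIDES & set(values)):
                if values[name] == '1':
                    findings.append(f'security-center: {name} = 1')
        if '\\firewallpolicy\\' in low and low.endswith('profile'):
            if values.get('EnableFirewall') == '0':
                findings.append(f'firewall-off: [{path}]')
        if low == SHARED_ACCESS and values.get('Start') == '4':
            findings.append('service-disabled: SharedAccess (Windows Firewall/ICS), Start = 4')
    return findings

def remediation_reg(findings: List[str]) -> str:
    """A .reg file deleting the hijacked per-user .exe/exefile keys so the HKLM
    defaults apply again. Import it BEFORE removing oso.exe, or nothing will launch."""
    roots = set()
    for f in findings:
        m = re.match(r'exe-hijack: \[(HKEY_CURRENT_USER\\Software\\Classes\\(?:\.exe|exefile))\\', f, re.I)
        if m:
            roots.add(m.group(1))
    lines = ['Windows Registry Editor Version 5.00', '']
    for root in sorted(roots):
        lines += [f'[-{root}]', '']
    return '\n'.join(lines)

if __name__ == '__main__':
    found = find_indicators(parse_reg(SAMPLE_REG))
    print('\n'.join(found + ['', remediation_reg(found)]))
```

Feed it the output of `reg export HKCU\Software\Classes classes.reg` plus exports of the HKLM keys above; REGEDIT5 exports are normally UTF-16 with a BOM, so open them with encoding='utf-16'. The association check is general rather than tied to this sample: any HKCU\Software\Classes command for .exe or exefile other than "%1" %* wraps every program launch for that user, and the generated .reg restores the defaults by deleting the per-user keys rather than by guessing values.
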
Network activity (URLs)

All three URLs that resolved share the path /1013000613; the remaining domains did not resolve at analysis time.

URL    IP
hxxp://rytaxywika.com/1013000613 208.73.211.167
hxxp://faremewumasebe.com/1013000613 208.73.210.210
hxxp://gihunoholo.com/1013000613 208.73.210.200
samajuqurej.com Unresolvable
qoxomyjomaj.com Unresolvable
rasimyzaragyk.com Unresolvable
menusadyryraru.com Unresolvable
boxiganuw.com Unresolvable
pomalekon.com Unresolvable
panomanih.com Unresolvable
dawurowydafa.com Unresolvable
kuvufemawygu.com Unresolvable
quxynyneby.com Unresolvable
xylahavowi.com Unresolvable
zyxecipidi.com Unresolvable
xuwawuwybohym.com Unresolvable
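
As an added example (not part of the report), the following Python script matches the indicators above against proxy and DNS log lines. It goes slightly beyond the list in one respect: because all three resolved URLs share the path /1013000613, a request for that path on an unlisted domain is also reported, but as a low-confidence hit. The Squid- and dnsmasq-style log lines and the internal addresses in them are constructed for the example.

```python
"""Added example, not part of the Lavasoft report: match the network indicators
above against proxy and DNS log lines (the log lines below are constructed)."""
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Indicators from the report; hxxp is de-fanged back to http for matching.
IOC_URLS = [
    'http://rytaxywika.com/1013000613',
    'http://faremewumasebe.com/1013000613',
    'http://gihunoholo.com/1013000613',
]
IOC_IPS = {'208.73.211.167', '208.73.210.210', '208.73.210.200'}
IOC_DOMAINS = {urlsplit(u).hostname for u in IOC_URLS} | {
    'samajuqurej.com', 'qoxomyjomaj.com', 'rasimyzaragyk.com', 'menusadyryraru.com',
    'boxiganuw.com', 'pomalekon.com', 'panomanih.com', 'dawurowydafa.com',
    'kuvufemawygu.com', 'quxynyneby.com', 'xylahavowi.com', 'zyxecipidi.com',
    'xuwawuwybohym.com',
}
# Shared by all three resolved URLs; on its own it is a weaker indicator.
IOC_PATHS = {urlsplit(u).path for u in IOC_URLS}

URL_RE = re.compile(r'https?://[^\s"]+')
IP_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
# dnsmasq "query[A] host from ..." and BIND "query: host IN A" shapes.
DNS_RE = re.compile(r'query(?:\[[A-Z]+\])?:?\s+([A-Za-z0-9.-]+)')


def matching_domain(host: str) -> str:
    """Return the listed domain that host equals or is a subdomain of, else ''."""
    host = host.lower().rstrip('.')
    for d in IOC_DOMAINS:
        if host == d or host.endswith('.' + d):
            return d
    return ''


def scan_line(line: str) -> List[str]:
    """All indicator hits in one log line, as 'kind:value' strings."""
    hits = []
    for url in URL_RE.findall(line):
        parts = urlsplit(url)
        d = matching_domain(parts.hostname or '')
        if d:
            hits.append('domain:' + d)
        if parts.path in IOC_PATHS:
            hits.append('path:' + parts.path)
    m = DNS_RE.search(line)
    if m:
        d = matching_domain(m.group(1))
        if d:
            hits.append('dns:' + d)
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            hits.append('ip:' + ip)
    return hits


def confidence(hits: List[str]) -> str:
    """'high' when a listed domain or IP matched; 'low' for a path-only match."""
    return 'high' if any(not h.startswith('path:') for h in hits) else 'low'


def scan_log(lines: List[str]) -> List[Tuple[int, str, List[str]]]:
    """(line number, confidence, hits) for every line with at least one hit."""
    results = []
    for n, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            results.append((n, confidence(hits), hits))
    return results


# Constructed sample log: Squid access.log lines, then dnsmasq query lines.
LOG_LINES = [
    '1376960401.123    312 10.0.0.15 TCP_MISS/200 1420 GET http://rytaxywika.com/1013000613 - DIRECT/208.73.211.167 text/html',
    '1376960402.456    101 10.0.0.15 TCP_MISS/404 500 GET http://www.example.com/index.html - DIRECT/203.0.113.10 text/html',
    '1376960403.789    290 10.0.0.15 TCP_MISS/200 1420 GET http://cdn.gihunoholo.com/1013000613 - DIRECT/208.73.210.200 text/html',
    '1376960404.000    250 10.0.0.22 TCP_MISS/200 900 GET http://unknownhost.example/1013000613 - DIRECT/198.51.100.7 text/html',
    'Aug 20 03:00:05 gw dnsmasq[811]: query[A] samajuqurej.com from 10.0.0.15',
    'Aug 20 03:00:06 gw dnsmasq[811]: query[A] www.example.com from 10.0.0.15',
]

if __name__ == '__main__':
    for n, conf, hits in scan_log(LOG_LINES):
        print(f'line {n} [{conf}]: ' + ', '.join(hits))
```

Suffix matching on the host catches subdomains of the listed domains, and the DNS-query check catches hosts that only appear in resolver logs (the ones the report marks Unresolvable never produce a proxy line). Treat path-only hits as leads to review, not as confirmed infections.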


Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    regsvr32.exe:1124
    oso.exe:1600

  2. Delete the original Fake-AV file (in the analysis run it deleted itself after installation, so it may already be gone).
  3. Restore the per-user .exe file association that oso.exe hijacked (see Registry activity). Do this before deleting oso.exe: while these values point at a file that no longer exists, no executable (regedit.exe included) can be started from that user account. Delete the following keys so the machine-wide defaults under HKLM apply again (How to Work with System Registry):

    [HKCU\Software\Classes\.exe]
    [HKCU\Software\Classes\exefile]

    and reset the browser launcher:

    [HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
    "(Default)" = "%Program Files%\Internet Explorer\iexplore.exe"

  4. Delete or disinfect the following files created/modified by the Fake-AV:

    %Documents and Settings%\%current user%\Local Settings\Application Data\oso.exe (1616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\o88h5orxwc3m8d58wrdd8235mn88ckxv18i (15 bytes)
    %Documents and Settings%\All Users\Application Data\o88h5orxwc3m8d58wrdd8235mn88ckxv18i (15 bytes)
    %Documents and Settings%\%current user%\Templates\o88h5orxwc3m8d58wrdd8235mn88ckxv18i (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\o88h5orxwc3m8d58wrdd8235mn88ckxv18i (15 bytes)
    %System%\wbem\Logs\wbemprox.log (5650 bytes)

    wbemprox.log is the standard WMI proxy log file; the malware only caused it to be written, and deleting it is harmless but not required.

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "3761195054" = "%Documents and Settings%\%current user%\Local Settings\Application Data\oso.exe"

    The "ctfmon.exe" = "%System%\ctfmon.exe" value under the same key starts a legitimate Windows component (the Text Services language bar loader) and can be left in place.

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.