FakeAV.Win32.FakeXPA_64eeefff67

by malwarelabrobot on November 25th, 2013 in Malware Descriptions.

Trojan.Generic.6779300 (BitDefender), Rogue:Win32/FakeXPA (Microsoft), Trojan.Win32.FakeAV.qlk (Kaspersky), Trojan.Win32.Generic.pak!cobra (VIPRE), Trojan.Generic.6779300 (B) (Emsisoft), FakeAlert-CN.gen.t (McAfee), WS.Reputation.1 (Symantec), Trojan.Fakealert (Ikarus), Trojan.Generic.6779300 (FSecure), FakeAlert.AAP (AVG), Win32:Malware-gen (Avast), TROJ_FAKEAV_000036d.TOMA (TrendMicro)
Behaviour: Trojan, Fake-AV


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Technical Details
Removal Recommendations

MD5: 64eeefff673a9ab54d060842430be2b7
SHA1: f4e7ad588ed945fbf3892237b25e674188a8984f
SHA256: 21810320f4220e0a395edb0ea5a4119cd7a5628476cd85e32d865400f534f8df
SSDeep: 196608:tGd M lO0MYYYmHPYYYYoYYYkuYYYVYYYYuYYYYYYtYYYF4YYYYYYYYYFLIcMUVz:A McODYYYGYYYYoYYY3YYYVYYYYuYYY/
Size: 10508553 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: AirInstaller
Created at: 2010-10-08 18:33:05


Summary:

FakeAV programs generate exaggerated threat reports on the compromised computer then ask the user to purchase a registered version to remove those reported threats.

Payload

No specific payload has been found.

Process activity

The FakeAV creates the following process(es):

The FakeAV injects its code into the following process(es):

%original file name%.exe:2748

File activity

The process %original file name%.exe:2748 makes changes in the file system.
The FakeAV creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Dfc\Config (1283 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\78.tmp (1282 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT (18432 bytes)

The FakeAV deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\79.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\78.tmp (0 bytes)

Registry activity

The process %original file name%.exe:2748 makes changes in the system registry.
The FakeAV creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\GDIPlus]
"FontCachePath" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 31 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 FE BB D5 B0 07 1B 30 86 B6 C7 C2 1A CF 4C 82"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

The FakeAV modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The FakeAV modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The FakeAV modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The FakeAV deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]

The FakeAV deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Network activity (URLs)

No activity has been detected.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Screenshot


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate the original FakeAV's process (How to End a Process With the Task Manager).
  2. Delete the original FakeAV file.
  3. Delete or disinfect the following files created/modified by the FakeAV:

    %Documents and Settings%\%current user%\Local Settings\Application Data\Dfc\Config (1283 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\78.tmp (1282 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT (18432 bytes)

  4. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.