BNBSFSD
10-09-2009, 05:54 AM
Win32/FakeAVDl.NO
Date Published:
6 Oct 2009
Last Updated:
6 Oct 2009
Threat Assessment
Overall Risk: Very Low
Wild: Low
Destructiveness: None
Pervasiveness: None
Characteristics
Type : Trojan
Category : Win32
Also known as: Mal/EncPk-KO (Sophos), FakeAlert-HT (McAfee), TrojanDownloader:Win32/Renos.JT (MS OneCare)
Description
Win32/FakeAVDl.NO is a trojan that attempts to download rogue antivirus software and displays various fake pop-up messages and warnings of infection.
Method of Infection
When executed, Win32/FakeAVDl.NO copies itself to:
%Windir%\msa.exe
The trojan creates a scheduled task that runs msa.exe daily at 00:00 and creates the following files:
%Windir%\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
%Windir%\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job
Note:
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
The trojan creates the following registry key:
HKCU\Software\NordBull
It may attempt to modify the following key to ensure the malware is run on system startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
The registry key is assigned either of the following values:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PopRock, ValueData added: "C:\<randomname>.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Monopod, ValueData added: "C:\<randomname>.exe"
The trojan also assigns the following values to the registry key it created earlier:
[HKCU\Software\NordBull]
"Zr3"="FOqkVtfCRxPa9g=="
"Zr0"="[long random value]"
"Zn2"=dword:000151e4
"Zn5"=dword:000151e4
"Zn3"=dword:000151e4
"Zn4"=dword:000151e4
"Zn6"=dword:00000001
"Zn0"=dword:01ca3cf1
"Zn1"=dword:d0f87850
"Zr1"=""
"Zr2"="ZuLNIa64IWuvvLI2S7mICE4O8iFnqi/6lPGZOoQgs7J0x4Dgk1NI9w=="
Note: These registry values are arbitrary and could vary from host to host.
Payload
Contacts Web Servers
Win32/FakeAVDl.NO contacts one of the following domains, possibly to download adware and/or other rogue security software:
photosphotography.com
mixamus.com
212.233.25.46
merhant.com
crl.microsoft.com
crl.verisign.com
CSC3-2004-crl.verisign.com
sugiga.com
new-search-zone.com
theimagesusa.com
kapistrutel.com
lastdomainname.com
inforavel.com
For additional information:
This trojan is usually installed in conjunction with a rogue security application.
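A defender-side triage check for the host indicators listed above, added here as an example; it is not part of the original post or of the vendor write-up it quotes. It parses a registry export (the text `reg export HKCU` produces on the suspect machine) together with a file listing, and reports the NordBull marker key, the PopRock/Monopod Run values, the dropped msa.exe under %Windir% and the two .job files. The root-level executable check is a heuristic that generalises the `C:\<randomname>.exe` form given above and can hit legitimate software, so its hits are for review. The sample export and file list are constructed, and the function names (`parse_reg_export`, `triage`, and so on) are this example's own. The domain list is deliberately not turned into blocking rules: crl.microsoft.com and crl.verisign.com are legitimate certificate revocation list hosts that ordinary signature checks contact, so they appear in such lists as side effects rather than as indicators.

```python
import re
from typing import Dict, Iterable, List

# Indicators as listed in the write-up above (Win32/FakeAVDl.NO).
DROPPED_FILE = "msa.exe"                       # dropped as %Windir%\msa.exe
TASK_JOBS = {                                  # scheduled-task files under %Windir%\Tasks
    "{7B02EF0B-A410-4938-8480-9BA26420A627}.job",
    "{BB65B0FB-5712-401b-B616-E69AC55E2757}.job",
}
MARKER_KEY = r"HKEY_CURRENT_USER\Software\NordBull"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAMES = {"poprock", "monopod"}       # compared case-insensitively
# Heuristic generalising the "C:\<randomname>.exe" form: an executable sitting
# directly in the root of C:. Legitimate software rarely autostarts from there,
# but review hits rather than acting on them automatically.
ROOT_EXE = re.compile(r"^C:\\[^\\]+\.exe$", re.IGNORECASE)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax this check needs:
    [key] section headers and "name"=data lines (data kept verbatim)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            continue
        m = re.match(r'^"([^"]*)"=(.*)$', line)
        if m:
            keys[current][m.group(1)] = m.group(2)
    return keys


def reg_string(data: str) -> str:
    """Turn a .reg string literal ("C:\\foo.exe") back into a plain string."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data


def check_registry(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag the marker key and suspicious autostart values from a parsed export."""
    findings: List[str] = []
    if MARKER_KEY in keys:
        findings.append(f"marker key present: {MARKER_KEY} ({len(keys[MARKER_KEY])} values)")
    for name, data in keys.get(RUN_KEY, {}).items():
        target = reg_string(data)
        if name.lower() in RUN_VALUE_NAMES:
            findings.append(f"known Run value {name!r} -> {target}")
        elif ROOT_EXE.match(target):
            findings.append(f"Run value {name!r} starts an executable from the drive root: {target}")
    return findings


def check_files(paths: Iterable[str], windir: str = r"C:\Windows") -> List[str]:
    """Flag the dropped copy and the two scheduled-task files in a file listing."""
    findings: List[str] = []
    dropped = (windir + "\\" + DROPPED_FILE).lower()
    jobs = {j.lower() for j in TASK_JOBS}
    tasks_dir = (windir + "\\Tasks\\").lower()
    for p in paths:
        low = p.lower()
        if low == dropped:
            findings.append(f"dropped copy present: {p}")
        elif low.startswith(tasks_dir) and low[len(tasks_dir):] in jobs:
            findings.append(f"scheduled task file present: {p}")
    return findings


def triage(reg_text: str, paths: Iterable[str], windir: str = r"C:\Windows") -> List[str]:
    """Run both checks and return every finding as a human-readable line."""
    return check_registry(parse_reg_export(reg_text)) + check_files(paths, windir)


# Constructed sample input: a trimmed `reg export HKCU` and a directory listing.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\NordBull]
"Zr3"="FOqkVtfCRxPa9g=="
"Zn6"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\Windows\\System32\\ctfmon.exe"
"PopRock"="C:\\qwerty.exe"
"""

SAMPLE_FILES = [
    r"C:\Windows\explorer.exe",
    r"C:\Windows\msa.exe",
    r"C:\Windows\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job",
    r"C:\Windows\Tasks\SA.DAT",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_FILES):
        print(finding)
```

On the sample input this reports four findings: the NordBull key, the PopRock Run value, msa.exe in the Windows folder and the first .job file; the ctfmon.exe entry and SA.DAT are left alone. The registry values under NordBull are not matched on content, since the write-up says they vary from host to host; the key name is the stable part.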