Thirtyseven4 Antivirus | AntiMalware | AntiRootkit | AntiSpyware

FAKEAV.ANTISPYWARESOFT (Antispyware Soft)

 

Name: FakeAV.AntiSpywareSoft
Added: July 11, 2010
Type: Trojan
Risk: Low
Payload: N/A
At risk systems: Windows 95/98/ME/XP/NT/2003

 

 

Description:

 

FakeAV.AntiSpywareSoft is dropped by malware. It is downloaded by users when they visit malicious Web sites. When the file is executed, it downloads the setup program of the rogueware and installs it on the machine. It is polymorphic in behavior. Like other FraudTools, it attempts to scare users into purchasing fake security software, in this case AntiSpyware Soft. FakeAV.AntiSpywareSoft is very similar to "Antivirus Soft". Thirtyseven4 completely removes these infections and other similar FraudTools.

AntiSpyware Soft

On every execution it downloads a randomly named .exe file into the Application Data folder:
%UserProfile%\Local Settings\Application Data\[random 9 character name]\[random 7 character name]tssd.exe

The following file also gets downloaded:
%UserProfile%\Local Settings\Application Data\asam.exe


It creates / modifies the following registry keys:
HKU\Software\avsoft

HKU\Software\avsuite

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
asam = "%UserProfile%\Local Settings\Application Data\asam.exe"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[random 8 character name] = "%UserProfile%\Local Settings\Application Data\[random 9 character name]\[random 7 character name]tssd.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
LowRiskFileTypes = ".exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
SaveZoneInformation = "1"

The running processes include:

%UserProfile%\Local Settings\Application Data\[random 9 character name]\[random 7 character name]tssd.exe

%UserProfile%\Local Settings\Application Data\asam.exe
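
The file paths and registry values listed above can be turned into a triage check over a user's registry hive. The following Python is an added example, not Thirtyseven4's code; it assumes the hive has already been exported into (key, value name, data) tuples, and the `scan` function, the finding labels, the sample entries and the alphanumeric character class for the random names are assumptions.

```python
import re

# Path shapes come from the write-up above. The character class used for the
# "random" names is an assumption: the page gives only their lengths.
APPDATA = r"\\Local Settings\\Application Data\\"
TSSD = re.compile(APPDATA + r"[A-Za-z0-9]{9}\\[A-Za-z0-9]{7}tssd\.exe$", re.I)
ASAM = re.compile(APPDATA + r"asam\.exe$", re.I)
CV = r"software\microsoft\windows\currentversion"


def scan(entries):
    """entries: (key_path, value_name, data) tuples from a registry export;
    value_name/data are None for a bare key. Returns sorted findings."""
    hits = []
    for key, name, data in entries:
        k = key.lower().rstrip("\\")
        n = (name or "").lower()
        d = (data or "").strip().strip('"')
        if k.endswith(CV + r"\run"):
            if ASAM.search(d):
                hits.append(("run-asam", name))
            elif TSSD.search(d):
                hits.append(("run-random-tssd", name))
        elif k.endswith(CV + r"\policies\associations") and n == "lowriskfiletypes":
            if ".exe" in d.lower().split(";"):
                hits.append(("exe-marked-low-risk", name))
        elif k.endswith(CV + r"\policies\attachments") and n == "savezoneinformation":
            if d == "1":
                hits.append(("zone-info-policy-set", name))
        elif k.endswith(r"\software\avsoft") or k.endswith(r"\software\avsuite"):
            hits.append(("marker-key", k.rsplit("\\", 1)[1]))
    return sorted(hits)


# Constructed sample export (the user name and value names are made up).
HKCU = "HKEY_CURRENT_USER\\"
LAD = r"C:\Documents and Settings\alice\Local Settings\Application Data"
SAMPLE = [
    (HKCU + CV + r"\Run", "asam", '"' + LAD + r'\asam.exe"'),
    (HKCU + CV + r"\Run", "qwertyui", LAD + r"\abcdefghi\jklmnoptssd.exe"),
    (HKCU + CV + r"\Run", "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    (HKCU + CV + r"\Policies\Associations", "LowRiskFileTypes", ".exe"),
    (HKCU + CV + r"\Policies\Attachments", "SaveZoneInformation", "1"),
    (HKCU + r"Software\avsuite", None, None),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Because the random names change on every execution, the check matches the path shape and the fixed `tssd.exe` suffix rather than any one file name.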

 

 
