Name:

Trojan.FakeAV.aa

Added:

May 5, 2011

Type:

Trojan

Risk:

Low

Payload:

N/A

At risk systems:

Windows 95/98/ME/XP/NT/2003

Description:

When Trojan.FakeAV.aa is executed, it performs the following activities:

It installs a fake security program called AntiVirus AntiSpyware 2011. The installed application is designed to look and act as a legitimate program. Once installed, it displays fake security alerts and messages.



It will drop the following files:

%Temp%\_1.tmp
%Temp%\tryh-blv.exe
%Temp%\g_dx234.exe
%Temp%\wwautrsd.exe
%Temp%\wefgetn_00.exe
%Temp%\protector2.exe
%Temp%\safe.exe
%Temp%\ae0965a7157cd.exe
%Temp%\jofcdks.exe
%Temp%\kn.a.exe
%Temp%\hodeme.exe
%Temp%\hvipws9.exe
%Temp%\qwedvor.exe
%Temp%\hiphop.exe
%Temp%\fe.exe
%Temp%\ppddfcfux.exxe
%Temp%\cowceb.exe
%Temp%\poertd.exe
%Temp%\jkfuckfu.exe
%Temp%\lols.exe
%Temp%\kjh102k3.exe
%Temp%\1iowieoo.exe
%Application Data%\AntiVirus_AntiSpyware_2011\AntiVirus AntiSpyware.exe
%Application Data%\AntiVirus_AntiSpyware_2011\securitymanager.exe
%Application Data%\AntiVirus_AntiSpyware_2011\securityhelper.exe

It also creates/modifies the following registry entries:

AntiVirus_AntiSpyware_2011 = ""%Application Data%\
AntiVirus_AntiSpyware_2011\AntiVirus AntiSpyware.exe" /STARTUP"
HKU\Software\Microsoft\Windows\CurrentVersion\Run

AntiVirus AntiSpyware 2011 Security = "%Application Data%\
AntiVirus_AntiSpyware_2011\securitymanager.exe"
HKU\Software\Microsoft\Windows\CurrentVersion\Run

It connects to malicious websites to download other malware.