Thirtyseven4 Antivirus | AntiMalware | AntiRootkit | AntiSpyware

TROJAN.FAKEAV.SMARTINTERNETPROTECT

Name: Trojan.FakeAV.SmartInternetProtect

Added: February 10, 2011

Type: Trojan

Risk: Low

Payload: N/A

At risk systems: Windows 95/98/ME/XP/NT/2003

Description:

When Trojan.FakeAV.SmartInternetProtect is executed, it performs the following activities:

It drops the following files (the main executable, a .mof file and an icon under a randomly named folder in the all-users Application Data directory, a configuration file, and shortcuts that make the rogue product appear as an installed application):

C:\Documents and Settings\All Users\Application Data\b3ef0c\SIb3e_289.exe
C:\Documents and Settings\All Users\Application Data\b3ef0c\1225.mof
C:\Documents and Settings\All Users\Application Data\b3ef0c\SIP.ico
C:\Documents and Settings\All Users\Application Data\SIKYIPQP\SIMUBKAFCBP.cfg
C:\Documents and Settings\Administrator\Start Menu\Programs\Smart Internet Protection 2011.lnk
C:\Documents and Settings\Administrator\Start Menu\Smart Internet Protection 2011.lnk
C:\Documents and Settings\Administrator\Desktop\Smart Internet Protection 2011.lnk
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Smart Internet Protection 2011.lnk

It creates or modifies the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\Debugger: "svchost.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\Debugger: "svchost.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\Debugger: "svchost.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Anti-Virus Professional.exe\Debugger: "svchost.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntispywarXP2009.exe\Debugger: "svchost.exe"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_STISVC\0000\Control\ActiveService: "stisvc"
HKU\S-1-5-21-1123561945-1292428093-725345543-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun: 0x00000001
HKU\S-1-5-21-1123561945-1292428093-725345543-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8: "avgui.exe"
HKU\S-1-5-21-1123561945-1292428093-725345543-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9: "avgtray.exe"
HKU\S-1-5-21-1123561945-1292428093-725345543-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10: "avgscanx.exe"
HKU\S-1-5-21-1123561945-1292428093-725345543-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11: "avgcfgex.exe"
HKU\S-1-5-21-1123561945-1292428093-725345543-500\Software\Microsoft\Windows\CurrentVersion\Run\Smart Internet Protection 2011: ""C:\Documents and Settings\All Users\Application Data\b3ef0c\SIb3e_289.exe" /s /d"

The Image File Execution Options "Debugger" values cause Windows to launch svchost.exe instead of the listed program whenever that program is started, so those executables can no longer run. The Explorer DisallowRun policy and its numbered entries block the listed AVG components in the same way. The Run entry restarts the rogue application at every logon.
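The following Python script is an added example of how an analyst can triage a registry export (the plain-text output of `reg export`) for the three techniques used above: Image File Execution Options "Debugger" hijacks, the Explorer DisallowRun policy and its block list, and Run-key autostarts launched from a data directory. It is not Thirtyseven4's tool and not code from this write-up. The embedded .reg text is constructed from the entries listed above, plus a legitimate windbg.exe IFEO entry and an ordinary ctfmon.exe autostart that the script must not flag; the KNOWN_DEBUGGERS allowlist is an assumption, and the script is meant for offline triage of an exported hive rather than a live scan.

```python
"""Offline triage of a `reg export` (.reg) text dump for the registry techniques
used by this rogue antivirus: IFEO "Debugger" hijacks, the Explorer DisallowRun
policy, and Run-key autostarts that point into a data folder."""
import re

# Assumption: the only debugger images a legitimate IFEO entry should name.
# Anything else (svchost.exe, an unknown path, ...) is treated as a hijack.
KNOWN_DEBUGGERS = {"windbg.exe", "ntsd.exe", "cdb.exe", "vsjitdebugger.exe", "devenv.exe"}

IFEO_RE = re.compile(r"\\image file execution options\\([^\\]+)$", re.I)
POLICY_RE = re.compile(r"\\policies\\explorer$", re.I)
DISALLOW_RE = re.compile(r"\\policies\\explorer\\disallowrun$", re.I)
RUN_RE = re.compile(r"\\currentversion\\run$", re.I)
DATA_DIR_RE = re.compile(r"\\(application data|programdata)\\", re.I)

# Constructed sample: entries from this write-up plus one legitimate IFEO
# debugger (windbg) and one ordinary autostart (ctfmon) that must not be flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools for Windows\\windbg.exe\""

[HKEY_USERS\S-1-5-21-1123561945-1292428093-725345543-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001

[HKEY_USERS\S-1-5-21-1123561945-1292428093-725345543-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"8"="avgui.exe"
"9"="avgtray.exe"

[HKEY_USERS\S-1-5-21-1123561945-1292428093-725345543-500\Software\Microsoft\Windows\CurrentVersion\Run]
"Smart Internet Protection 2011"="\"C:\\Documents and Settings\\All Users\\Application Data\\b3ef0c\\SIb3e_289.exe\" /s /d"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''


def parse_reg_export(text):
    """Yield (key, value_name, data) from .reg text. REG_SZ data has its
    backslash and quote escapes removed; other types (dword:...) stay raw."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            yield key, name.strip('"'), data


def debugger_image(data):
    """Return the lower-cased file name of the debugger named in a Debugger
    value, whether it is a bare name or a quoted full path with arguments."""
    data = data.strip()
    if data.startswith('"'):
        exe = data[1:].split('"', 1)[0]
    else:
        exe = data.split()[0] if data else ""
    return exe.rsplit("\\", 1)[-1].lower()


def find_fakeav_indicators(reg_text):
    """Return (technique, subject, data) tuples for every suspicious entry."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        ifeo = IFEO_RE.search(key)
        if ifeo and name.lower() == "debugger":
            # A Debugger value that is not a real debugger blocks the target program.
            if debugger_image(data) not in KNOWN_DEBUGGERS:
                findings.append(("ifeo_hijack", ifeo.group(1), data))
        elif POLICY_RE.search(key) and name.lower() == "disallowrun":
            if data.lower().startswith("dword:") and int(data[6:], 16) != 0:
                findings.append(("disallow_run_enabled", name, data))
        elif DISALLOW_RE.search(key) and name.isdigit():
            findings.append(("disallow_run", name, data))
        elif RUN_RE.search(key) and DATA_DIR_RE.search(data):
            findings.append(("run_from_data_dir", name, data))
    return findings


if __name__ == "__main__":
    for technique, subject, data in find_fakeav_indicators(SAMPLE_REG):
        print(f"{technique:22} {subject:35} {data}")
```

Run against a real export (for example `reg export HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options ifeo.reg` on the affected machine, or a .reg produced from an offline hive), the same three checks apply unchanged; the Debugger check is the one most worth keeping, since any IFEO entry whose debugger is not a debugger is a block rule no matter which product is targeted.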

After execution it displays fake threat warnings and pressures the user into purchasing the software in order to remove the non-existent threats.
