Thirtyseven4 Antivirus | AntiMalware | AntiRootkit | AntiSpyware

TROJAN.Wireshark.A

Name: Trojan.Wireshark.a
Added: August 20, 2010
Type: Trojan
Risk: Low
Payload: N/A
At risk systems: Windows 95/98/ME/XP/NT/2003

Description:

When Trojan.Wireshark.a is executed, it performs the following activities:

It installs a piece of scareware dubbed Wireshark Antivirus. Wireshark Antivirus is set up to run automatically on every restart. It performs a fake scan of the system and falsely states that your machine is infected. It also claims that the reported infections will only be removed after you purchase a full version of the software. Wireshark Antivirus blocks nearly all legitimate programs, even applications such as Notepad and WordPad. Any application you attempt to launch is misleadingly flagged as infected. It also displays many fake alerts and pop-ups with misleading information.

Snapshot of Wireshark Antivirus:

[Screenshot not reproduced. Caption: Thirtyseven4 Antivirus Protects Against Wireshark Antivirus]

After execution it creates the following folders:

%Userprofile%\Start Menu\Programs\Wireshark Antivirus
%Program Files%\Wireshark Antivirus

It drops the following files:

%Userprofile%\Desktop\Wireshark Antivirus.lnk
%Temp%\win2.tmp
%Temp%\win3.tmp
%Program Files%\conhost.exe
%Program Files%\csrss.exe
%Program Files%\nuar.old
%Program Files%\sh3.dat
%Program Files%\sh4.dat
%Program Files%\shk_v10.dll
%Program Files%\skynet.dat
%Program Files%\Wireshark Antivirus\Wireshark Antivirus.exe
%Program Files%\wshark.exe

It creates/modifies the following registry entries:

HKLM\System\ControlSet001\Services\QTUpdate\ImagePath
    %Program Files%\csrss.exe

HKLM\System\ControlSet001\Services\QTUpdate
    ObjectName = LocalSystem
    DisplayName = Quicktime update
    ImagePath = %Program Files%\csrss.exe

HKLM\System\CurrentControlSet\Services\QTUpdate
    ObjectName = LocalSystem
    DisplayName = Quicktime update
    ImagePath = %Program Files%\csrss.exe

HKLM\Software\Classes\exefile\shell\open\command
    %Program Files%\conhost.exe "%1" %*
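The two registry changes above can be checked for generically. The following is an added example, not Thirtyseven4's code: it flags an exefile open handler that differs from the Windows default ("%1" %*) and any service ImagePath that uses a Windows system binary name outside System32. The function name audit, the finding labels and the sample values are assumptions constructed for illustration.

```python
import ntpath
import re

# Windows default handler for launching .exe files
EXEFILE_KEY = r"HKLM\Software\Classes\exefile\shell\open\command"
EXEFILE_DEFAULT = '"%1" %*'
# Names of Windows binaries that legitimately live in the System32 folder
SYSTEM_NAMES = {"csrss.exe", "conhost.exe"}
SERVICE_IMAGEPATH = re.compile(
    r"^HKLM\\System\\[^\\]+\\Services\\[^\\]+\\ImagePath$", re.I)
EXE_PATH = re.compile(r'"?(.+?\.exe)', re.I)  # executable part, before any arguments


def audit(values):
    # values maps a registry path (key, or key\value name) to its string data
    findings = []
    for path, data in values.items():
        if path.lower() == EXEFILE_KEY.lower():
            # Any wrapper in front of "%1" means every .exe launch is intercepted
            if data.strip() != EXEFILE_DEFAULT:
                findings.append(("exefile-handler-changed", path, data))
        elif SERVICE_IMAGEPATH.match(path):
            m = EXE_PATH.match(data.strip())
            if not m:
                continue
            folder, name = ntpath.split(m.group(1))
            if name.lower() in SYSTEM_NAMES and not folder.lower().endswith("\\system32"):
                findings.append(("system-name-outside-system32", path, data))
    return findings


# Constructed sample: the values listed on this page plus one benign service entry
SAMPLE = {
    r"HKLM\System\CurrentControlSet\Services\QTUpdate\ImagePath": r"%Program Files%\csrss.exe",
    r"HKLM\System\CurrentControlSet\Services\QTUpdate\DisplayName": "Quicktime update",
    r"HKLM\Software\Classes\exefile\shell\open\command": r'%Program Files%\conhost.exe "%1" %*',
    r"HKLM\System\CurrentControlSet\Services\Spooler\ImagePath": r"%SystemRoot%\System32\spoolsv.exe",
}
# Constructed clean baseline
CLEAN = {
    r"HKLM\Software\Classes\exefile\shell\open\command": '"%1" %*',
    r"HKLM\System\CurrentControlSet\Services\Spooler\ImagePath": r"%SystemRoot%\System32\spoolsv.exe",
}

if __name__ == "__main__":
    for kind, path, data in audit(SAMPLE):
        print(f"{kind}: {path} -> {data}")
```

On a live system the dictionary would be filled from the registry (for example with Python's winreg module) before calling audit.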

 

 

 

 

 

 

 