MD5: 19fbd6ef76784f7ca3506a04614ea7de
SHA1: b24f771cbf8540ff54e09f4cd8e8e15b38ee0d94
SHA256: a624481deaa74b9e53ec7bbcbf7536b5b662ed551e5d742ae385620952e677be
SSDeep: 6144:7O/CIsphl2lGlVimnVSvL8dsK1cUil2T7Wmcy8CwOL80u6yDnYD:XD4Gl7nYv21cM/vcyJBRD
Size: 339968 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualCv71EXE, UPolyXv05_v6
Company: no certificate found
Created at: 2008-04-13 21:33:31
Analyzed on: WindowsXP SP3 32-bit

Summary:

Fake-AV. FakeAV programs generate exaggerated threat reports on the compromised computer then ask the user to purchase a registered version to remove those reported threats.

Payload

No specific payload has been found.

Process activity

The Fake-AV creates the following process(es):

%original file name%.exe:1888

The Fake-AV injects its code into the following process(es):

pau.exe:2016

File activity

The process pau.exe:2016 makes changes in the file system.
The Fake-AV creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\2473r6jx4l743x0v26 (1173 bytes)
%Documents and Settings%\%current user%\Templates\2473r6jx4l743x0v26 (1173 bytes)
%Documents and Settings%\All Users\Application Data\2473r6jx4l743x0v26 (1173 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2473r6jx4l743x0v26 (1173 bytes)

The Fake-AV deletes the following file(s):

C:\%original file name%.exe (0 bytes)

The process %original file name%.exe:1888 makes changes in the file system.
The Fake-AV creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\pau.exe (1620 bytes)

Registry activity

The process pau.exe:2016 makes changes in the system registry.
The Fake-AV creates and/or sets the following values in system registry:

[HKCU\Software\Classes\exefile\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\pau.exe -a %1 %*"

[HKCU\Software\Classes\exefile\shell\runas\command]
"IsolatedCommand" = "%1 %*"

[HKCU\Software\Classes\exefile]
"(Default)" = "Application"

[HKCU\Software\Classes\.exe\shell\runas\command]
"IsolatedCommand" = "%1 %*"

[HKLM\SOFTWARE\Clients\StartMenuInternet]
"(Default)" = "IEXPLORE.EXE"

[HKCU\Software\Classes\exefile\shell\open\command]
"IsolatedCommand" = "%1 %*"

[HKCU\Software\Classes\.exe\shell\runas\command]
"(Default)" = "%1 %*"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKCU\Software\Classes\exefile\shell\runas\command]
"(Default)" = "%1 %*"

[HKCU\Software\Classes\exefile]
"Content Type" = "application/x-msdownload"

[HKCU\Software\Classes\.exe\shell\open\command]
"IsolatedCommand" = "%1 %*"

[HKCU\Software\Classes\.exe]
"(Default)" = "exefile"

[HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\pau.exe -a %Program Files%\Internet Explorer\iexplore.exe"

[HKCU\Software\Classes\exefile\DefaultIcon]
"(Default)" = "%1"

[HKCU\Software\Microsoft\Windows]
"Identity" = "843588114"

[HKCU\Software\Classes\.exe\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\pau.exe -a %1 %*"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC B6 CC 6D 25 EA 82 0B 91 F1 DD F8 FE 7D EA BE"

[HKCU\Software\Classes\.exe\DefaultIcon]
"(Default)" = "%1"

[HKCU\Software\Classes\.exe]
"Content Type" = "application/x-msdownload"

To automatically run itself each time Windows is booted, the Fake-AV adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe" = "%System%\ctfmon.exe"

The process %original file name%.exe:1888 makes changes in the system registry.
The Fake-AV creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 82 50 79 9B 6C 16 F7 F7 D2 EA FE ED D3 50 EF"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
"UpdatesDisableNotify" = "1"
"FirewallOverride" = "1"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = "0"

"DoNotAllowExceptions" = "0"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

The following service is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess]
"Start" = "4"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

Network activity (URLs)

URL	IP
ricogodobekax.com	Unresolvable
symihyceqemexo.com	Unresolvable
nicynajomypy.com	Unresolvable
gilodivere.com	Unresolvable
weriloxoro.com	Unresolvable
johunyniv.com	Unresolvable
vehepumac.com	Unresolvable
nixecynuho.com	Unresolvable
marihuqavigyt.com	Unresolvable
fifotojylahe.com	Unresolvable
bafihamuxav.com	Unresolvable
ronadosim.com	Unresolvable
podojykofogu.com	Unresolvable
bucoqypynynej.com	Unresolvable
zizudadidura.com	Unresolvable
xymasehyfi.com	Unresolvable
fojexojup.com	Unresolvable

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:1888

2. Delete the original Fake-AV file.
   
3. Delete or disinfect the following files created/modified by the Fake-AV:
   

   %Documents and Settings%\%current user%\Local Settings\Application Data\2473r6jx4l743x0v26 (1173 bytes)
   %Documents and Settings%\%current user%\Templates\2473r6jx4l743x0v26 (1173 bytes)
   %Documents and Settings%\All Users\Application Data\2473r6jx4l743x0v26 (1173 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\2473r6jx4l743x0v26 (1173 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\pau.exe (1620 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "ctfmon.exe" = "%System%\ctfmon.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.