Fake-AV.Win32.FakeRean_2320b1f942

by malwarelabrobot on August 17th, 2013 in Malware Descriptions.

Trojan.Win32.FakeAV.puzy (Kaspersky), VirTool.Win32.Obfuscator.da!j (v) (VIPRE), Trojan-PSW.Win32.Tepfer!IK (Emsisoft), Fake-AV.Win32.FakeRean.2.FD, FakeAVWin32FakeRean.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Fake-AV, VirTool


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Technical Details
Removal Recommendations

MD5: 2320b1f94271ba77573fc4696e1430da
SHA1: 917e49570504f4549b8e5071c96cb4f039885d60
SHA256: 24b5c64c65697a86ba57b77353b16230ea132d030695904ab1af9de7e65d849a
SSDeep: 3072:9gon6/HBq3qAdGhS4k5p5pU4T4B jca8Wz/9DMFIW925pOLA/hmqVvTVLC4HTkwx:Go Bq3qnop535 Wzmw5pSqpheLwes
Size: 204486 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-07-25 15:12:41


Summary:

Fake-AV. FakeAV programs generate exaggerated threat reports on the compromised computer then ask the user to purchase a registered version to remove those reported threats.

Payload

No specific payload has been found.

Process activity

The Fake-AV creates the following process(es):

2320b1f94271ba77573fc4696e1430da.exe:544

The Fake-AV injects its code into the following process(es):

puw.exe:968

File activity

The process 2320b1f94271ba77573fc4696e1430da.exe:544 makes changes in a file system.
The Fake-AV creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\puw.exe (204 bytes)

The process puw.exe:968 makes changes in a file system.
The Fake-AV creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Templates\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl (1144 bytes)
%Documents and Settings%\All Users\Application Data\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl (1144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl (1144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl (1144 bytes)

The Fake-AV deletes the following file(s):

C:\2320b1f94271ba77573fc4696e1430da.exe (0 bytes)

Registry activity

The process 2320b1f94271ba77573fc4696e1430da.exe:544 makes changes in a system registry.
The Fake-AV creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 9F 27 1F F1 48 C1 E4 E1 08 7F 4E 03 53 01 28"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = "0"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DoNotAllowExceptions" = "0"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

The following service is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess]
"Start" = "4"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

The process puw.exe:968 makes changes in a system registry.
The Fake-AV creates and/or sets the following values in system registry:

[HKCU\Software\Classes\exefile\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\puw.exe -a %1 %*"

[HKCU\Software\Classes\exefile\shell\runas\command]
"IsolatedCommand" = "%1 %*"

[HKCU\Software\Classes\exefile]
"(Default)" = "Application"

[HKCU\Software\Classes\.exe\shell\runas\command]
"IsolatedCommand" = "%1 %*"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Clients\StartMenuInternet]
"(Default)" = "IEXPLORE.EXE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Classes\exefile\shell\open\command]
"IsolatedCommand" = "%1 %*"

[HKCU\Software\Classes\.exe\shell\runas\command]
"(Default)" = "%1 %*"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKCU\Software\Classes\exefile\shell\runas\command]
"(Default)" = "%1 %*"

[HKCU\Software\Classes\exefile]
"Content Type" = "application/x-msdownload"

[HKCU\Software\Classes\.exe\shell\open\command]
"IsolatedCommand" = "%1 %*"

[HKCU\Software\Classes\.exe]
"(Default)" = "exefile"

[HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\puw.exe -a %Program Files%\Internet Explorer\iexplore.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Classes\exefile\DefaultIcon]
"(Default)" = "%1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows]
"Identity" = "3044072876"

[HKCU\Software\Classes\.exe\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\puw.exe -a %1 %*"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF AB C6 AF D9 37 72 2D 37 BB 5A 43 1C 2A B6 0A"

[HKCU\Software\Classes\.exe\DefaultIcon]
"(Default)" = "%1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Classes\.exe]
"Content Type" = "application/x-msdownload"

The Fake-AV modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Fake-AV modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Fake-AV modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Fake-AV adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe" = "%System%\ctfmon.exe"

The Fake-AV deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

Network activity (URLs)

URL IP
hxxp://84.22.104.243/ab738bbrherniiaicsrhcp814ndb607edi81f7fd3789
hxxp://84.22.104.243/91c6b7ekk7lo4ddm9ffh1imchp4j8ef5bjb3f3a1f6f0
hxxp://84.22.104.243/9e1chh8ekgi9ccckcite9jg7hrek15g0el8841f1c258
hxxp://mailsdeadsnetsf4.info/data.exe 84.22.104.244
hxxp://84.22.104.243/45d8da1sadf85kbljnfi3b72eogh7dgbeb45ac049beb
hxxp://84.22.104.243/3066ba2qgbkn9men5sp44mlb4sene641kl77a2cb2129
hxxp://84.22.104.243/064278bk6gs3bidjhdre8ed3eeah8c51dcfa4ec9e993
hxxp://84.22.104.243/9ad5abcsg8ndd9dg9ff71lf5hr5d6d35ijd08fa88536
hxxp://84.22.104.243/f15fk54oj8gdag9egmm76hibaj7lf7538e6d621203ce
hxxp://84.22.104.243/6e516g3pfba5fcefdrfc5cmfhg8l379egde907d1d3d1
microsoft.com 65.55.58.201


Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    2320b1f94271ba77573fc4696e1430da.exe:544

  2. Delete the original Fake-AV file.
  3. Delete or disinfect the following files created/modified by the Fake-AV:

    %Documents and Settings%\%current user%\Local Settings\Application Data\puw.exe (204 bytes)
    %Documents and Settings%\%current user%\Templates\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl (1144 bytes)
    %Documents and Settings%\All Users\Application Data\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl (1144 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl (1144 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl (1144 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe" = "%System%\ctfmon.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now