Fake-AV.Win32.FakeRean_ae75a66d13
HEUR:Trojan.Win32.Generic (Kaspersky), FraudTool.Win32.FakeRean.k (v) (VIPRE), Trojan.Win32.FakeAV!IK (Emsisoft), Fake-AV.Win32.FakeRean.2.FD, FakeAVWin32FakeRean.YR (Lavasoft MAS)
Behaviour: Trojan, Fake-AV
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: ae75a66d132d8051c5a8478795d86227
SHA1: 1c070fa28a00f14a5a184cf85a8468e028151d37
SHA256: f5eb2ce34f59422456007dc0e50e9b6b399c22d592c69bd789804898640c2a48
SSDeep: 6144:ejMxo5X8VEq 2SEkhPZRaO4oP1ku2bMiRSgGCUJemerjljZLepqL4Qp:ejMmVqJStUToP1DW0gGCQeLjZLSqk
Size: 344064 bytes
File type: PE32
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualCv71EXE, UPolyXv05_v6
Company: no certificate found
Created at: 2009-07-03 13:32:03
Summary:
Fake-AV. FakeAV programs generate exaggerated threat reports on the compromised computer then ask the user to purchase a registered version to remove those reported threats.
Payload
No specific payload has been found.
Process activity
The Fake-AV creates the following process(es):
ae75a66d132d8051c5a8478795d86227.exe:616
The Fake-AV injects its code into the following process(es):
aei.exe:1596
File activity
The process aei.exe:1596 makes changes in a file system.
The Fake-AV creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\4708p5ono2oqxsqqye1usj8fgc0r10nfj8c (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4708p5ono2oqxsqqye1usj8fgc0r10nfj8c (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\4708p5ono2oqxsqqye1usj8fgc0r10nfj8c (15 bytes)
%System%\wbem\Logs\wbemprox.log (75 bytes)
%Documents and Settings%\%current user%\Templates\4708p5ono2oqxsqqye1usj8fgc0r10nfj8c (15 bytes)
The Fake-AV deletes the following file(s):
C:\ae75a66d132d8051c5a8478795d86227.exe (0 bytes)
The process ae75a66d132d8051c5a8478795d86227.exe:616 makes changes in a file system.
The Fake-AV creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\aei.exe (1625 bytes)
Registry activity
The process aei.exe:1596 makes changes in a system registry.
The Fake-AV creates and/or sets the following values in system registry:
[HKCU\Software\Classes\exefile\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\aei.exe -a %1 %*"
[HKCU\Software\Classes\exefile\shell\runas\command]
"IsolatedCommand" = "%1 %*"
[HKCU\Software\Classes\exefile]
"(Default)" = "Application"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Clients\StartMenuInternet]
"(Default)" = "IEXPLORE.EXE"
[HKCU\Software\Classes\exefile\shell\open\command]
"IsolatedCommand" = "%1 %*"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKCU\Software\Classes\exefile\shell\runas\command]
"(Default)" = "%1 %*"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Classes\.exe\shell\open\command]
"IsolatedCommand" = "%1 %*"
[HKCU\Software\Classes\exefile\DefaultIcon]
"(Default)" = "%1"
[HKCU\Software\Classes\.exe]
"(Default)" = "exefile"
[HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\aei.exe -a %Program Files%\Internet Explorer\iexplore.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Classes\exefile]
"Content Type" = "application/x-msdownload"
[HKCU\Software\Classes\.exe\shell\runas\command]
"(Default)" = "%1 %*"
[HKCU\Software\Classes\.exe\shell\runas\command]
"IsolatedCommand" = "%1 %*"
[HKCU\Software\Microsoft\Windows]
"Identity" = "1681512882"
[HKCU\Software\Classes\.exe\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\aei.exe -a %1 %*"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 34 3F D7 D7 4C F7 DD 43 39 90 F7 87 AF D8 62"
[HKCU\Software\Classes\.exe\DefaultIcon]
"(Default)" = "%1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Classes\.exe]
"Content Type" = "application/x-msdownload"
The process ae75a66d132d8051c5a8478795d86227.exe:616 makes changes in a system registry.
The Fake-AV creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 AA AC 10 A9 2E 7F 92 EE 9C 56 CF 6C 0E 34 94"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = "0"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DoNotAllowExceptions" = "0"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
To automatically run itself each time Windows is booted, the Fake-AV adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe" = "%System%\ctfmon.exe"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
The following service is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess]
"Start" = "4"
To automatically run itself each time Windows is booted, the Fake-AV adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"849613667" = "%Documents and Settings%\%current user%\Local Settings\Application Data\aei.exe"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://nyharucukom.com/1034000513 |  69.43.161.174 |
| retisuqat.com |  Unresolvable |
| zukifinyve.com | Unresolvable |
| dekyzymykir.com | Unresolvable |
| wapuqiqaqom.com | Unresolvable |
| todizubosox.com | Unresolvable |
| sexajuruvesik.com | Unresolvable |
| nituxygusu.com | Unresolvable |
| pylabarywip.com | Unresolvable |
| hisesuloh.com | Unresolvable |
| cafidylyjilox.com | Unresolvable |
| kysymysafamy.com | Unresolvable |
| tudidawajyvaf.com | Unresolvable |
Rootkit activity
No anomalies have been detected.
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
ae75a66d132d8051c5a8478795d86227.exe:616
- Delete the original Fake-AV file.
- Delete or disinfect the following files created/modified by the Fake-AV:
%Documents and Settings%\All Users\Application Data\4708p5ono2oqxsqqye1usj8fgc0r10nfj8c (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4708p5ono2oqxsqqye1usj8fgc0r10nfj8c (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\4708p5ono2oqxsqqye1usj8fgc0r10nfj8c (15 bytes)
%System%\wbem\Logs\wbemprox.log (75 bytes)
%Documents and Settings%\%current user%\Templates\4708p5ono2oqxsqqye1usj8fgc0r10nfj8c (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\aei.exe (1625 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe" = "%System%\ctfmon.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"849613667" = "%Documents and Settings%\%current user%\Local Settings\Application Data\aei.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
