Fake-AV.Win32.WinUltraAntivirus_6882c02d39
Trojan.FakeAlert.CYD (BitDefender), Rogue:Win32/FakeWuav (Microsoft), Trojan-FakeAV.Win32.Agent.rob (Kaspersky), Trojan-Downloader.Win32.Cutwail.bw (v) (VIPRE), BackDoor.Bulknet.713 (DrWeb), Gen:Variant.Symmi.39079 (B) (Emsisoft), Artemis!6882C02D396D (McAfee), Trojan.Gen (Symantec), Win32.SuspectCrc (Ikarus), Trojan.FakeAlert.CYD (FSecure), SHeur4.AKLO (AVG), Win32:Malware-gen (Avast), TROJ_FAKEAV.IJG (TrendMicro), Trojan.FakeAlert.CYD (AdAware), FakeAVWinUltraAntivirus.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Fake-AV
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 6882c02d396d287ddfb3717bb717bead
SHA1: 6b624c2f75cafea9a811c3333f1d1c9e4aa5c2b9
SHA256: 51a0624bf63d13e7779c05839399bbe998aa8d6dcc7de44d1f0f2e4f3af67d73
SSDeep: 24576:0KNSUgJFquxjjhSW0L a097w8UNL12k3TruoEMtRHwhjcUX5FDRtI79RDUhTD:0pJouxjhT1N97JUek3PB7tlGgsD7I7L0
Size: 1315776 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-07-10 03:04:37
Analyzed on: WindowsXP SP3 32-bit
Summary:
Fake-AV. FakeAV programs generate exaggerated threat reports on the compromised computer and then ask the user to purchase a registered version to remove the reported threats.
Payload
No specific payload has been found.
Process activity
The Fake-AV creates the following process(es):
%original file name%.exe:404
The Fake-AV injects its code into the following process(es):
svchost.exe:364
File activity
The process %original file name%.exe:404 makes changes in the file system.
The Fake-AV creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (174 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%System%\drivers\19044.sys (1333 bytes)
Registry activity
The process %original file name%.exe:404 makes changes in the system registry.
The Fake-AV creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 19 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 FF E1 A1 54 51 9A 48 66 3F D1 32 DC 96 D3 A6"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\WinUltraAntivirus]
"Options" = "B0 00 00 00 76 47 FD 15 10 DA 60 08 76 BE BD 36"
The Fake-AV modifies IE security zone settings so that all local web-nodes with no dots in their names, which are not assigned to any zone, are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Fake-AV modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Fake-AV modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To run itself automatically each time Windows boots, the Fake-AV adds a link to its file under the following system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"wazibtuqtugp" = "c:\%original file name%.exe"
The Fake-AV deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Screenshot

VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 3648 | 4096 | 4.61957 | e7cb61205d99306a100d26d924dcfe03 |
| .rdata | 8192 | 348 | 512 | 2.23719 | e671bb83b34c7d2e3af6fb231f2f9b51 |
| .data | 12288 | 1477 | 512 | 3.9493 | d838ba631da4f2956804ff48ec3e9068 |
| .rsrc | 16384 | 1306936 | 1307136 | 5.54409 | f40917c69f6f202e2dbe1e683c1776b1 |
| .reloc | 1327104 | 1224 | 1536 | 0.905678 | e579c52409435df64dd34786b7001808 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://taronjax.biz/ | |
| hxxp://ww9.taronjax.biz/ | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: ww9.taronjax.biz
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 25 Apr 2014 02:18:59 GMT
Server: Apache
Set-Cookie: vsid=912vr1459379398312074; expires=Wed, 24-Apr-2019 02:18:59 GMT; path=/; domain=ww9.taronjax.biz; httponly
X-Frame-Options: DENY
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKrfIMFkSaoTSqKmC BrghK0CpDHc0MuVzmMHin8LIORhpXbped iYhSnZurWnEO0zcKcVIrzp026LVc5pMB9bUCAwEAAQ==_PiQCuGJBQc444nooSLp6f0y6KsoCWVwp30z2b2uoiR dBADcjhoo37DYNt9OXDhtta 3pavmcwXhDUY2woIo/g==
Vary: Accept-Encoding,User-Agent
Content-Length: 1674
Keep-Alive: timeout=5, max=126
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC> <html data-adblockkey="MFwwDQYJKoZIh
vcNAQEBBQADSwAwSAJBAKrfIMFkSaoTSqKmC BrghK0CpDHc0MuVzmMHin8LIORhpXbped
iYhSnZurWnEO0zcKcVIrzp026LVc5pMB9bUCAwEAAQ==_PiQCuGJBQc444nooSLp6f0y6
KsoCWVwp30z2b2uoiR dBADcjhoo37DYNt9OXDhtta 3pavmcwXhDUY2woIo/g==" >
..<head>.. <meta http-equiv="Content-Type" content="text/h
tml; charset=UTF-8">.. <title>ww9.taronjax.biz</title&g
t;.. <style type="text/css">*{margin:0; padding:0; border: 0;
overflow:hidden} html, body {height: 100%;}</style>..</head&
gt;..<body width="100%" height="100%">..<noscript><meta
http-equiv="refresh" content="0;url=hXXp://imptestrm.com/rg-erdr.php?
_dnm=ww9.taronjax.biz&_cfrg=1&_drid=as-drid-2785238728561422" /><
;center><p style="padding:1em; font-size:1.5em;">For search r
esults please <a href="hXXp://imptestrm.com/rg-erdr.php?_dnm=ww9..
POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: taronjax.biz
Connection: Keep-Alive
Cache-Control: no-cache
....rn... .[*..h
[email protected]
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 25 Apr 2014 01:52:12 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.4.4-14 deb7u8
Location: hXXp://ww9.taronjax.biz
Vary: Accept-Encoding
Content-Length: 0
HTTP/1.1 302 Found..Server: nginx..Date: Fri, 25 Apr 2014 01:52:12 GMT
..Content-Type: text/html..Connection: keep-alive..X-Powered-By: PHP/5
.4.4-14 deb7u8..Location: hXXp://ww9.taronjax.biz..Vary: Accept-Encodi
ng..Content-Length: 0..
The Fake-AV connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
@.reloc
operator
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
2F955169-0B34-49c5-B512-9CAF1D995335
GdiplusShutdown
gdiplus.dll
SHLWAPI.dll
KERNEL32.dll
USER32.dll
GDI32.dll
RegCreateKeyA
RegOpenKeyA
RegCloseKey
ADVAPI32.dll
ole32.dll
GetCPInfo
zcÁ
.hS *
\^#%f
%@.OV;
%7XV®1
KERNEL32.DLL
mscoree.dll
svchost.exe_364_rwx_04000000_00018000:
.text
`.rdata
@.data
.rsrc
@.reloc
operator
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
2F955169-0B34-49c5-B512-9CAF1D995335
GdiplusShutdown
gdiplus.dll
SHLWAPI.dll
KERNEL32.dll
USER32.dll
GDI32.dll
RegCreateKeyA
RegOpenKeyA
RegCloseKey
ADVAPI32.dll
ole32.dll
GetCPInfo
zcÁ
.hS *
\^#%f
%@.OV;
%7XV®1
KERNEL32.DLL
mscoree.dll
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:404
- Delete the original Fake-AV file.
- Delete or disinfect the following files created/modified by the Fake-AV:
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (174 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%System%\drivers\19044.sys (1333 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"wazibtuqtugp" = "c:\%original file name%.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.