Threat Spotlight

For the week of 05 Oct 2009
Threat 1

Spam-driven Trojan hawks fake anti-virus software

Threat Name:

Trojan: Troj/Agent-LGE

Users at Risk:

Windows users

Also Known As:

  • Trend: TROJ_FAKEAV.BLV
  • Kaspersky: Trojan-Downloader.Win32.FraudLoad.wspk
  • Avira: TR/Dldr.FraudLoad.wspk
  • Symantec: Trojan.Fakeavalert

Removal Instructions:

If you believe you’ve been infected, please follow these instructions on how to remove Trojans.

About:

Troj/Agent-LGE is yet another take on the spam-driven fake anti-virus infection technique: a bogus order confirmation carrying a malicious attachment. This time the spam message says:

Dear Customer!
Thank you for ordering at our online store.
Your order: Sony VAIO A1133651A, was sent at your address.
The tracking number of your postal parcel is indicated in the document attached to this letter.
Please, print out the postal label for receiving the parcel.
Internet Store.

The spam is sent through a botnet of compromised computers. The Troj/Agent-LGE executable, open.exe, is packaged inside a self-extracting zip archive attached to the message. When run, it installs the following copies of itself:

<Profile>\Application Data\seres.exe - copy of Troj/Agent-LGE
<Profile>\Application Data\svcst.exe - copy of Troj/Agent-LGE

To auto-start these copies of itself, Troj/Agent-LGE creates the following registry entries (note that the second value name mimics the legitimate Windows svchost process):

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\mserv
C:\Documents and Settings\support\Application Data\seres.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost
C:\Documents and Settings\support\Application Data\svcst.exe

Troj/Agent-LGE also sets the following registry entry to reduce the security of the victim computer:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes
zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mov;.mp3;.wav

This value is read by the Windows Attachment Manager. Listing a file type here suppresses the "Open File - Security Warning" prompt for e-mail attachments and browser downloads of that type, so adding .exe, .msi and .reg to the list lets executable content from the Internet open without the usual warning.

The installed copies, seres.exe and svcst.exe, run in the background and display the following warning balloon from the system tray:

Your computer is infected!
Windows has detected spyware infection!
It is recomended to use special antispyware tools to pervent data loss.Windows will now download and install the most up-to-date antispyware for you.
Click here to protect your computer from spyware! [sic]

Troj/Agent-LGE then attempts to connect to multiple sites to download and execute the file Install.exe, which is detected as Troj/FakeAV-ADT. Install.exe attempts to install "Antivirus Pro 2010", a fake anti-virus product, on the computer.

Threat 2

Trojan diverts web surfers to fraudulent forums to sell pharma

Threat Name:

Trojan: Troj/Decdec-D

Users at Risk:

Web users

Also Known As:

  • McAfee: Exploit-IFrame.gen.c
  • Avira: HTML/Crypted.Gen

Removal Instructions:

Please follow these instructions for removing Trojans.

About:

Troj/Decdec-D is a piece of JavaScript that attackers plant in fake web forum pages to redirect the browser to sites selling pharmaceuticals. The criminals use search engine optimization (SEO) techniques so that the fake forums rank high in search engine results; anyone who clicks through to one of them is redirected to the sales site.

This technique is common among Partnerka (Russian-language affiliate network) sites.
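A defender who has fetched a suspect forum page wants to know whether it sends visitors elsewhere, even when the redirect is wrapped in unescape() or String.fromCharCode() so that the destination does not appear in the page source. The script below is an added example, not Sophos code and not Troj/Decdec-D itself: it extracts script bodies, meta refreshes and iframes, decodes those two common encodings, and reports anything that points off the page's own host. Both sample pages, and every hostname in them (.test domains), are constructed for the example.

```python
"""Flag off-site redirects in a fetched web page, the pattern Troj/Decdec-D
plants in SEO-poisoned fake forum pages to push visitors to a pharmacy
storefront.  Added example, not Sophos code and not the Trojan's own script;
both pages below are constructed and every hostname is invented (.test)."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Constructed sample: a legitimate forum page that only redirects to itself.
BENIGN_PAGE = """<html><head><title>Tech Forum</title></head><body>
<script>if (!loggedIn) { location.href = "http://forum-example.test/login"; }</script>
<p>Welcome to the forum.</p></body></html>"""

# Constructed sample: a fake forum page with three ways off the site, one of them
# hidden behind unescape() so that a plain grep for "location" shows no URL.
FAKE_FORUM_PAGE = """<html><head><title>cheap pills forum - best price discussion</title>
<meta http-equiv="refresh" content="15;url=http://rx-example.test/landing">
</head><body>
<script>document.write(unescape('%3Cscript%3Ewindow.location.replace%28%22http%3A%2F%2Fpills-example.test%2F%3Faff%3D1234%22%29%3C%2Fscript%3E'))</script>
<iframe src="http://tracker-example.test/c.php" width="1" height="1"></iframe>
<p>Great forum, thanks for the info!</p></body></html>"""

REDIRECT_RE = re.compile(r"""location(?:\.href|\.replace\s*\()?\s*=?\s*['"](https?://[^'"]+)""")
META_URL_RE = re.compile(r"""url\s*=\s*['"]?([^'"\s]+)""", re.I)
UNESCAPE_RE = re.compile(r"""unescape\(\s*['"]([^'"]*)['"]\s*\)""")
CHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")


def deobfuscate(js, rounds=3):
    """Append decoded unescape()/String.fromCharCode() literals to the script text,
    a few layers deep, so the URL scan also sees what the browser would execute."""
    text, layer = js, js
    for _ in range(rounds):
        decoded = ''.join('\n' + unquote(m.group(1)) for m in UNESCAPE_RE.finditer(layer))
        decoded += ''.join('\n' + ''.join(chr(int(n)) for n in m.group(1).split(',') if n.strip())
                           for m in CHARCODE_RE.finditer(layer))
        if not decoded:
            break
        text, layer = text + decoded, decoded
    return text


class PageScanner(HTMLParser):
    """Collect script bodies, meta refreshes and iframes from a page."""
    def __init__(self):
        super().__init__()
        self.scripts, self.meta_refresh, self.iframes, self._buf = [], [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == 'script':
            self._buf = []
        elif tag == 'meta' and (a.get('http-equiv') or '').lower() == 'refresh':
            self.meta_refresh.append(a.get('content') or '')
        elif tag == 'iframe' and a.get('src'):
            self.iframes.append((a['src'], a.get('width'), a.get('height')))

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == 'script' and self._buf is not None:
            self.scripts.append(''.join(self._buf))
            self._buf = None


def off_site(url, page_host):
    """True when url points at a host other than the page's own (a www. prefix is ignored)."""
    strip = lambda h: h[4:] if h.startswith('www.') else h
    host = (urlparse(url).hostname or '').lower()
    return bool(host) and strip(host) != strip(page_host.lower())


def tiny(value):
    """An iframe dimension of 0 or 1 pixel means the frame is meant to be invisible."""
    return value is not None and value.isdigit() and int(value) <= 1


def scan(html, page_host):
    """Return (kind, target_host, evidence) for every redirect or frame that leaves page_host."""
    p = PageScanner()
    p.feed(html)
    p.close()
    findings = []
    for js in p.scripts:
        text = deobfuscate(js)
        for m in REDIRECT_RE.finditer(text):
            if off_site(m.group(1), page_host):
                kind = 'obfuscated-script-redirect' if text != js else 'script-redirect'
                findings.append((kind, urlparse(m.group(1)).hostname, m.group(1)))
    for content in p.meta_refresh:
        m = META_URL_RE.search(content)
        if m and off_site(m.group(1), page_host):
            findings.append(('meta-refresh-redirect', urlparse(m.group(1)).hostname, content))
    for src, w, h in p.iframes:
        if off_site(src, page_host):
            findings.append(('hidden-iframe' if tiny(w) and tiny(h) else 'iframe', urlparse(src).hostname, src))
    return findings


if __name__ == '__main__':
    for page, host in ((BENIGN_PAGE, 'forum-example.test'), (FAKE_FORUM_PAGE, 'cheap-pills-forum.test')):
        print(host, scan(page, host) or 'clean')
```

The decoder only unwraps the two encodings shown; a page that builds its URL by string arithmetic or fetches it from a second script would need the real deobfuscation step of running the script in a sandboxed interpreter, and the scan should then be pointed at that interpreter's output instead.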

Threat 3

Fake anti-virus spreads by Twitter

Threat Name:

Trojan: Troj/FakeVir-PC

Users at Risk:

Windows users

Also Known As:

  • Avira: TR/Dldr.FakeVimes.45
  • McAfee: FakeAlert-EA
  • Microsoft: TrojanDownloader:Win32/FakeVimes

Removal Instructions:

Please follow these instructions on removing Trojans.

About:

Troj/FakeVir-PC calls itself "Windows PC Defender." It runs immediately upon installation without user consent, then mimics a security scan and tells the user that the computer harbours multiple non-existent infections. Social engineering on Twitter, tweet by tweet, drove the wide distribution of this fake security software.

Troj/FakeVir-PC then asks the user to pay to register the product in order to have the supposed malware removed.

When Troj/FakeVir-PC is installed it downloads and creates the file:

<Documents and Settings>\All Users\Application Data\<Random Folder>\<Random File Name>

where <Random Folder> and <Random File Name> are generated strings of numbers and letters such as "aaf51a5" and "WPaaf5.exe". This component is detected as Mal/FakeAV-AX.

The Trojan adds shortcuts to the desktop, start menu and quick launch bar. It also creates several files in <Documents and Settings>\user\Recent, with names like "energy.exe" or "fan.sys". These are not real executables but dummy files that the Trojan then reports as infections.

The Trojan also sets the following registry entries, which register its component as a DocHostUIHandler COM object, add it to the Windows Firewall's authorized-applications list and set it to run at logon:

HKCU\Software\Microsoft\Internet Explorer
PRS
"http://127.0.0.1:27777/?inj=%ORIGINAL%"

HKLM\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32
@=Full path to downloaded file

HKLM\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID
@=Name of downloaded file + ".DocHostUIHandler"

HKLM\SOFTWARE\Classes\<Name of downloaded file>.DocHostUIHandler
@="Implements DocHostUIHandler"

HKLM\SOFTWARE\Classes\WPaaf5.DocHostUIHandler\Clsid
@="{3F2BBC05-40DF-11D2-9455-00104BC936FF}"

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
<Name of downloaded file>
"<Full path to downloaded file>:*:Enabled:Windows PC Defender"

HKLM\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
@="Implements DocHostUIHandler"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Windows PC Defender"
"\"<Full path to downloaded file>\" /s /d"

Troj/FakeVir-PC attempts to disable over 750 programs, both legitimate security software and rival fake security software. It does this by setting an Image File Execution Options "Debugger" value for each target executable; Windows then launches the named debugger (here svchost.exe) in place of the program whenever it is started, so the program itself never runs. For example:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP.exe
"Debugger"="svchost.exe"

Both during and after installation, the Trojan attempts to contact websites hosted at securitypath.net, mysecurityguru.cn, windowspc-defender.com and securityearth.com.
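The persistence and security-weakening entries listed for Threat 1 (the Run values and LowRiskFileTypes) and for Threat 3 (the Run value, the firewall exception and the Image File Execution Options Debugger) are what a responder hunts for in a registry export. The following script is an added example, not Sophos code: it parses the text of a .reg export, as written by "reg export" or regedit, and flags those patterns. SAMPLE_REG is constructed from the entries in this write-up, using the example file names the text gives, plus one benign Run entry (SoundMAX) to show what is not flagged; the profile-directory fragments and system-process names it matches against are the author's own assumptions, not something from the original.

```python
"""Triage a Windows registry export for the persistence and
security-weakening entries described in Threats 1 and 3.

Added example, not Sophos code.  Input is the text of a .reg file;
SAMPLE_REG below is constructed from the entries in this Spotlight
plus one benign Run entry so that a clean value is shown as well."""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"mserv"="C:\\Documents and Settings\\support\\Application Data\\seres.exe"
"svchost"="C:\\Documents and Settings\\support\\Application Data\\svcst.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mov;.mp3;.wav"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows PC Defender"="\"C:\\Documents and Settings\\All Users\\Application Data\\aaf51a5\\WPaaf5.exe\" /s /d"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\All Users\\Application Data\\aaf51a5\\WPaaf5.exe"="C:\\Documents and Settings\\All Users\\Application Data\\aaf51a5\\WPaaf5.exe:*:Enabled:Windows PC Defender"
'''

VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)$')

# Assumed indicators: directories a user can write to, and process names malware likes to borrow.
PROFILE_DIRS = ('\\application data\\', '\\local settings\\', '\\appdata\\', '\\temp\\')
SYSTEM_NAMES = {'svchost', 'lsass', 'csrss', 'winlogon', 'services', 'explorer', 'smss'}
EXECUTABLE_TYPES = {'.exe', '.com', '.scr', '.pif', '.bat', '.cmd', '.msi', '.reg', '.vbs', '.js'}


def unescape(s):
    # Undo .reg string escaping: doubled backslash -> single, backslash-quote -> quote.
    return s.replace('\\"', '"').replace('\\\\', '\\')


def parse_reg(text):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line) if key else None
        if not m:
            continue
        name, data = unescape(m.group(1)), m.group(2)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = unescape(data[1:-1])
        yield key, name, data


def in_profile(path):
    return any(d in path.lower() for d in PROFILE_DIRS)


def triage(reg_text):
    """Return (kind, subject, evidence) findings for the patterns in this Spotlight."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        k = key.lower()
        if k.endswith('\\currentversion\\run'):
            # Autorun from a writable profile directory (Threat 1 seres.exe/svcst.exe, Threat 3 WPaaf5.exe).
            if in_profile(data):
                findings.append(('run-from-profile', name, data))
            # Value name borrowed from a Windows system process (Threat 1's "svchost").
            if name.lower() in SYSTEM_NAMES:
                findings.append(('run-spoofs-system-name', name, data))
        elif k.endswith('\\policies\\associations') and name.lower() == 'lowriskfiletypes':
            # Attachment Manager skips its warning for these types; executables here are a red flag.
            types = {t if t.startswith('.') else '.' + t for t in data.lower().split(';') if t}
            risky = sorted(types & EXECUTABLE_TYPES)
            if risky:
                findings.append(('lowrisk-executable-types', name, ';'.join(risky)))
        elif '\\image file execution options\\' in k and name.lower() == 'debugger':
            # IFEO Debugger: Windows starts `data` instead of the named program (Threat 3's kill list).
            findings.append(('ifeo-debugger-hijack', key.rsplit('\\', 1)[1], data))
        elif k.endswith('\\authorizedapplications\\list') and in_profile(data):
            # Windows Firewall exception for a binary living in a profile directory.
            findings.append(('firewall-exception-from-profile', name, data.split(':*:')[0]))
    return findings


if __name__ == '__main__':
    for kind, subject, evidence in triage(SAMPLE_REG):
        print(f'{kind:32} {subject!r} -> {evidence}')
```

A real export is UTF-16LE; decode it before passing the text in. Any IFEO Debugger value that does not point at a genuine debugger is worth a look, since legitimate use of that mechanism is rare outside developer machines.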