Mal/FakeAV-EI

Category: Viruses and Spyware Protection available since:16 Jul 2010 13:55:38 (GMT)
Type: Malicious behavior Last Updated:16 Jul 2010 15:35:50 (GMT)
Prevalence: Small Number of Reports

Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

Files detected as Mal/FakeAV-EI have been generically identified as malware.

Mal/FakeAV-EI is a family of fake security software Trojans that poses as a free McAfee VirusScan. Spam campaigns distribute the most relevant members of this scareware family. The malware spreads as an attachment to fake invoice spam messages.

Subject: McAfee VirusScan Plus
Attachment: setup.zip
Message body:
Download a FREE 30-day Trial of MCAfee VirusScan Plus and Be Automaticaly Entered to Win
Installation file attached

This Fake AV has the functionality to steal confidential information.

Mal/FakeAV-EI creates registry entries under:

HKCU\Software\Desktop Security 2010

Detailed analysis

Example behaviors of Mal/FakeAV-EI follow:

Example 1

File Information

Size
145K
SHA-1
c09f777d632127db0be10bad2f87c73f82f36552
MD5
65581f18fb4f875ccf7c99b087161824
CRC-32
57399bac
File type
application/x-ms-dos-executable
First seen
2010-07-09

Other vendor detection

Avira
TR/FraudPack.azev
Kaspersky
Trojan.Win32.FraudPack.azev

Runtime Analysis

Processes Created
  • c:\windows\system32\drwtsn32.exe
  • c:\windows\system32\dwwin.exe
HTTP Requests
  • http://httpssresrun.com/httpss/v=31%26step=2%26hostid=A07FC0B01CCE94E3D8419593D3558A70
DNS Requests
  • 1278959177.httpsquer.com
  • 1278959178.httpsquer.com
  • 1278959179.httpsquer.com
  • 1278959180.httpsquer.com
  • 1278959182.httpsquer.com
  • httpssresrun.com

Example 2

File Information

Size
69K
SHA-1
4cd1ca914099f69677d9b822a91e2a050a0ac416
MD5
bc08e3fe1c83d7f522d66ec38f92dd9d
CRC-32
0ee27b13
File type
application/x-ms-dos-executable
First seen
2010-07-09

Other vendor detection

Avira
TR/FakeAV.buv
Kaspersky
Trojan.Win32.FakeAV.buv

Example 3

File Information

Size
138K
SHA-1
3ae9e7dd3f48de915b9c5589c0bbfc6ef20b2987
MD5
17848ad3e3e1b09f8d34bb6c605c31c5
CRC-32
6bb50b1a
File type
application/x-ms-dos-executable
First seen
2010-07-16

Other vendor detection

Avira
Worm/Palevo.acpo
Kaspersky
Trojan.Win32.FraudPack.azyn

Runtime Analysis

Processes Created
  • c:\windows\system32\drwtsn32.exe
  • c:\windows\system32\dwwin.exe
HTTP Requests
  • http://httpssresrun.com/httpss/v=31%26step=2%26hostid=A07FC0B01CCE94E3D8419593D3558A70
DNS Requests
  • 1284716549.httpsquer.com
  • 1284716551.httpsquer.com
  • 1284716552.httpsquer.com
  • 1284716553.httpsquer.com
  • 1284716554.httpsquer.com
  • httpssresrun.com

download Try Sophos products for free
Download now

© 1997 - 2012 Sophos Ltd. All rights reserved. Legal Privacy