Examples of Mal/FakeAV-R include:
Example 1
Other vendor detection
- Avira: ADSPY/AdSpy.Gen
- Kaspersky: not-a-virus:FraudTool.Win32.PcPrivacyCleaner.v
- Trend: Mal_FakeAV-12
Runtime Analysis
Copies Itself To
- C:\Program Files\VirusRemover2008\VRM2008.exe
Dropped Files
- c:\Documents and Settings\test user\Desktop\VirusRemover2008.lnk
  - Size: 697
  - SHA-1: 6c2dd3c59962db65f39abe99b04b55cb2498db6e
  - MD5: ccb37f5ad1aec175bd1b11f7d7f6cb8d
  - CRC-32: 4cd79ee0
  - File type: application/octet-stream
  - First seen: 2011-02-03
- C:\Documents and Settings\All Users\Start Menu\Programs\VirusRemover2008\VirusRemover2008.lnk
  - Size: 709
  - SHA-1: ffd9d91438483c0d4b725a840787f39b8745c9e9
  - MD5: 4276df00237ebacafcd8a7f5ed0b5e7d
  - CRC-32: 92ba3941
  - File type: application/octet-stream
  - First seen: 2011-02-03
- c:\Documents and Settings\test user\Application Data\VirusRemover2008\Logs\scns.log
  - Size: 986
  - SHA-1: 47ef70ad03b434bc929b075023eb92b0a8858ae4
  - MD5: d140bb90c0dfafc4229218ad8a97b95f
  - CRC-32: e2bb6d3d
  - File type: application/octet-stream
  - First seen: 2011-02-03
- c:\Documents and Settings\test user\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusRemover2008.lnk
  - Size: 715
  - SHA-1: 34f5c3b117f80a0cee959822f211b04ac85603b4
  - MD5: a11481da33cd6f6fad21db7af8547f83
  - CRC-32: 4a198da0
  - File type: application/octet-stream
  - First seen: 2011-02-03
Registry Keys Created
- HKLM\SOFTWARE\{5222008A-DD62-49c7-A735-7BD18ECC7350}
  - Version: 33 50 5f 56 52 4d 4e 4f
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusRemover2008
  - NoModify: 0x00000001
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - VirusRemover2008: 43 3a 5c 50 72 6f 67 72 61 6d 20 46 69 6c 65 73 5c 56 69 72 75 73 52 65 6d 6f 76 65 72 32 30 30 38 5c 56 52 4d 32 30 30 38 2e 65 78 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
  - 3P_UVRMNO 1.0.14.5
- HKLM\SOFTWARE\VirusRemover2008
  - InfectionCount: 01 00 00 00
Registry Keys Modified
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  - Administrative Tools: c:\Documents and Settings\test user\Start Menu\Programs\Administrative Tools
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
  - .NET CLR 2.0.50727
HTTP Requests
- http://download.bestvirusremover2008.com/virusremover2008.com/1.0.14.5/FreeApp_no.exe
- http://flog.bestvirusremover2008.com/
- http://fupd2.bestvirusremover2008.com/
DNS Requests
- download.bestvirusremover2008.com
- flog.bestvirusremover2008.com
- fupd2.bestvirusremover2008.com
Example 2
Other vendor detection
- Avira: ADSPY/AdSpy.Gen
- Trend: Mal_FakeAV-12
Runtime Analysis
Copies Itself To
- C:\Program Files\VirusRemover2008\VRM2008.exe
Dropped Files
- c:\Documents and Settings\test user\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusRemover2008.lnk
  - Size: 715
  - SHA-1: b6cf2f931e3e55b1fa6d228a787ab67c2d9da97b
  - MD5: 4d2b2a6597715b389c043ff4b8c1a73b
  - CRC-32: cc3444d1
  - File type: application/octet-stream
  - First seen: 2011-02-03
- C:\Documents and Settings\All Users\Start Menu\Programs\VirusRemover2008\VirusRemover2008.lnk
  - Size: 709
  - SHA-1: 4f8cd216530c395faf95d5c94616771b0ed5b861
  - MD5: c815a19683ed91910ae20fef6bcac8f4
  - CRC-32: e9a787f9
  - File type: application/octet-stream
  - First seen: 2011-02-03
- c:\Documents and Settings\test user\Desktop\VirusRemover2008.lnk
  - Size: 697
  - SHA-1: 142afd84cb2141c4b35d92bcf5458b11cec8eb51
  - MD5: 401c2acc5ea514405343589176a25c57
  - CRC-32: 35c7d7b6
  - File type: application/octet-stream
  - First seen: 2011-02-03
Registry Keys Created
- HKLM\SOFTWARE\VirusRemover2008
  - IsPaid: 01 00 00 00
- HKLM\SOFTWARE\{5222008A-DD62-49c7-A735-7BD18ECC7350}
  - Version: 33 50 5f 56 52 4d
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusRemover2008
  - UninstallString: 22 43 3a 5c 50 72 6f 67 72 61 6d 20 46 69 6c 65 73 5c 56 69 72 75 73 52 65 6d 6f 76 65 72 32 30 30 38 5c 56 52 4d 32 30 30 38 2e 65 78 65 22 20 2d 75 6e 69 6e 73 74 61 6c 6c 00 6d 6f 76 65 72 32 30 30 38 00 20 45 78 70 6c 6f 72 65 72 5c 51 75 69 63 6b 20 4c 61 75 6e 63 68 5c 56 69 72 75 73 52 65 6d 6f 76 65 72 32 30 30 38 2e 6c 6e 6b 00 00 2e 00 00 00 00 00 4c 00 11 00 01 00 4f 00 72 00 69 00 67 00 69 00 6e 00 61 00 6c 00 46 00 69 00 6c 00 65 00 6e 00 61 00 6d 00 65 00 00 00 56 00 69 00 72 00 75 00 73 00 52 00 65 00 6d 00 84 00 19 00 65 00 72 01 e8 e6 de 01 78 01 d5 00 00 00 00 00 44 00 11 00 01 00 50 00 72 00 6f 00 64 00 75 00 63 00 74 00 4e 00 61 00 6d 00 65 00 00 00 00 00 56 00 69 00 72 00 75 00 73 00 52 00 65 00 6d 00 6f 00 76 00 65 00 72 00 32 00 30 00 30 00 38 00
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - VirusRemover2008: 43 3a 5c 50 72 6f 67 72 61 6d 20 46 69 6c 65 73 5c 56 69 72 75 73 52 65 6d 6f 76 65 72 32 30 30 38 5c 56 52 4d 32 30 30 38 2e 65 78 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
  - 3P_VRM 1.0.16.5
Registry Keys Modified
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  - Administrative Tools: c:\Documents and Settings\test user\Start Menu\Programs\Administrative Tools
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
  - .NET CLR 2.0.50727
HTTP Requests
- http://log.bestvirusremover2008.com/
DNS Requests
- log.bestvirusremover2008.com