Troj/FakeAV-BAH

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 24 Mar 2010 01:03:51 (GMT)
Last Updated: 19 Nov 2010 17:45:15 (GMT)


Troj/FakeAV-BAH is a Trojan for the Windows platform.

Troj/FakeAV-BAH may copy itself into the current user's %APPDATA% (Application Data) folder under any of the following names:
  av.exe
  ave.exe
  vma.exe

The malware sets the following registry entries so that it is started whenever any executable, or Internet Explorer via its Start Menu entry, is launched; the real target is handed to the malware as an argument after /START. Because HKCU\Software\Classes takes precedence over the machine-wide HKCR entries, the per-user .exe handler below overrides the normal "%1" %* open command for that user, and the secfile class is one the malware creates rather than a standard Windows class:

HKCU\Software\Classes\.exe\shell\open\command\
  <path_to_malware> /START "%1" %*

HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\
  <path_to_malware> /START "C:\Program Files\Internet Explorer\iexplore.exe"

HKCU\Software\Classes\secfile\shell\open\command\
  <path_to_malware> /START "%1" %*


It suppresses the Windows Security Center warnings about missing anti-virus and firewall protection by setting the override flags:

HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride
0x00000001

HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride
0x00000001

It weakens the host's network protection by disabling the Windows Firewall on the domain profile, allowing exceptions on both profiles, and suppressing the firewall's own notifications so the user is not warned:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall
0x00000000

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions
0x00000000

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications
0x00000001

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions
0x00000000

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications
0x00000001

The malware may attempt to contact any of the following domains (shown with a space before the top-level domain so they are not live links):
pc-livecare2010 .com
pc-livecare .com
pc-live-care .com
pc-live-care2010 .com
live-pc-care .com
securitypc-care .com
security-pccare .com
one-care-antivirus .com
win-live-care2010 .com
windows-live-care .com
live-pccare .com
onecare-antivirus2010 .com
antivirus-one-care2010 .com
winlive-care21 .com
win-live-care .com
securitypccare .com
ebuntosakert .com
opasewascert .com
cavertunelo .com
lionavertunad .com
skadertubalin .com
sakertuberade .com
pondavertuga .com
acertubalino .com
tulibonerduma .com
asertubarilos .com
ufertugalion .com
asertunadovk .com
