Troj/FakeAV-GUS

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 19 Aug 2013 15:36:51 (GMT)
Last Updated: 18 Sep 2013 19:12:19 (GMT)


Examples of Troj/FakeAV-GUS include:

Example 1

File Information

Size: 858K
SHA-1: 03073d5a370b36d0eafb9fe4055a1b338a1bb801
MD5: 9a006495b18144a96e85b1354c48311a
CRC-32: ce7bbf2d
File type: Windows executable
First seen: 2013-08-21

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Local Settings\Temp\3.tmp
Dropped Files
  • C:\Documents and Settings\All Users\Desktop\Internet Security 2013.lnk
    Size: 819
    SHA-1: 8cdb39f0313555b0d2f61ef8e773fa667c501a03
    MD5: fda063d86894f9913b343c20893f3460
    CRC-32: b7bcbbff
    File type: Windows Shortcut file (.LNK)
    First seen: 2013-08-21
  • C:\Documents and Settings\All Users\Application Data\isprotection.exe
    Size: 831K
    SHA-1: 4688aa3232f618eb72b581e0ea5f939d94caffaa
    MD5: 5c95bb69df90b25f7958bc62175b29a3
    CRC-32: 99d5e4f6
    File type: Windows executable
    First seen: 2013-08-21
  • c:\Documents and Settings\test user\Local Settings\Temp\2.tmp
    Size: 858K
    SHA-1: 20f2d5b52eaa85b00cf320b6e93484c9d9e99c72
    MD5: 0f36e727834fa2801009b93751886baa
    CRC-32: f9432d6b
    File type: Windows executable
    First seen: 2013-08-21
Modified Files
  • C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
    • Set the hidden and system flags
  • C:\Documents and Settings\LocalService\Local Settings\History
    • Set the hidden and system flags
Registry Keys Created
  • HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers
    DefaultSpoolDirectory: C:\WINDOWS\System32\spool\PRINTERS
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    DefaultConnectionSettings: (binary data, not rendered)
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    DefaultConnectionSettings: (binary data, not rendered)
Registry Keys Modified
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths
    Directory: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4
    CachePath: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3
    CachePath: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    History: C:\Documents and Settings\LocalService\Local Settings\History
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1
    CachePath: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    SavedLegacySettings: 3c 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    History: C:\Documents and Settings\LocalService\Local Settings\History
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2
    CachePath: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    SavedLegacySettings: 3c 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Processes Created
  • c:\documents and settings\all users\application data\isprotection.exe
  • c:\windows\system32\spoolsv.exe
HTTP Requests
  • http://cinnamyn.com/images/s.php
  • http://twinkcam.net/images/s.php
DNS Requests
  • cinnamyn.com
  • twinkcam.net

Example 2

File Information

Size: 838K
SHA-1: 039770809e47b1c4ff18cfebc803d564f8238009
MD5: ae773b6b7675e21d77f765ed9c5fe5a8
CRC-32: 6b3cfd5d
File type: Windows executable
First seen: 2007-08-19

Example 3

File Information

Size: 858K
SHA-1: 05a32f917c54d68b0fbdb722c61818863c03bdab
MD5: 79334294fb8a814da4f5995720cd4e80
CRC-32: 308d8407
File type: Windows executable
First seen: 2013-08-21

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Local Settings\Temp\3.tmp
Dropped Files
  • C:\Documents and Settings\All Users\Desktop\Internet Security 2013.lnk
    Size: 819
    SHA-1: d5414c344194211e5c5572202f900712bd4221d4
    MD5: 8d68115a86cfb2bb5a343d728516b32f
    CRC-32: a65d64bf
    File type: Windows Shortcut file (.LNK)
    First seen: 2013-09-02
  • C:\Documents and Settings\All Users\Application Data\isprotection.exe
    Size: 831K
    SHA-1: b1b3e2749c5c87095277bdbfe61c20bf670f8ca6
    MD5: b46fc3ace619132047067a41cf98d329
    CRC-32: 7dbed9e5
    File type: Windows executable
    First seen: 2013-09-02
  • c:\Documents and Settings\test user\Local Settings\Temp\2.tmp
    Size: 858K
    SHA-1: 2e334ae618bd97ffecb63558f261ad359d36f2c7
    MD5: 34e05c38662fdb2e2efe129d67c96904
    CRC-32: bd2ba925
    File type: Windows executable
    First seen: 2013-09-02
Modified Files
  • C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
    • Set the hidden and system flags
  • C:\Documents and Settings\LocalService\Local Settings\History
    • Set the hidden and system flags
Registry Keys Created
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    DefaultConnectionSettings: (binary data, not rendered)
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    DefaultConnectionSettings: (binary data, not rendered)
  • HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers
    DefaultSpoolDirectory: C:\WINDOWS\System32\spool\PRINTERS
Registry Keys Modified
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4
    CachePath: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3
    CachePath: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths
    Directory: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    SavedLegacySettings: 3c 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    History: C:\Documents and Settings\LocalService\Local Settings\History
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2
    CachePath: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    History: C:\Documents and Settings\LocalService\Local Settings\History
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1
    CachePath: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    SavedLegacySettings: 3c 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Processes Created
  • c:\documents and settings\all users\application data\isprotection.exe
  • c:\windows\system32\spoolsv.exe
HTTP Requests
  • http://cinnamyn.com/images/s.php
  • http://twinkcam.net/images/s.php
DNS Requests
  • cinnamyn.com
  • twinkcam.net
