Troj/FakeVir-PU

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 04 Nov 2009 18:18:27 (GMT)
Last Updated: 04 Nov 2009 18:18:27 (GMT)


Troj/FakeVir-PU communicates via HTTP with the following locations:

   91.212.127.226


When Troj/FakeVir-PU is installed it copies itself to
<Program Files>\<six random letters>\<four random letters>sysguard.exe

The following registry entries are created so that the dropped copy (<four random letters>sysguard.exe) is run on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<eight random letters>
<Program Files>\<six random letters>\<four random letters>sysguard.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<eight random letters>
<Program Files>\<six random letters>\<four random letters>sysguard.exe

Registry entries are set as follows:

HKCU\Software\Microsoft\Internet Explorer\Download
CheckExeSignatures
no

HKCU\Software\Microsoft\Internet Explorer\Download
RunInvalidSignatures
0x00000001

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
LowRiskFileTypes
.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
SaveZoneInformation
0x00000001

Together these settings weaken the browser's download safeguards for the current user: Internet Explorer no longer checks Authenticode signatures on downloaded executables or blocks ones with invalid signatures, .exe is treated as a low-risk file type so the attachment warning is suppressed, and the Zone.Identifier (mark-of-the-web) stream is no longer written to downloaded files. Further payloads can then be fetched and run without prompting the user.

Registry entries are created under:

HKLM\SOFTWARE\AvScan

The following registry entry is deleted:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

Troj/FakeVir-PU alters the local hosts file (<System>\drivers\etc\hosts) to redirect internet traffic.

Troj/FakeVir-PU drops <System>\iehelper.dll which is detected as Troj/FakeSp-Gen.
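The following script hunts for the indicators listed above on a host: a Run value pointing at a <Program Files>\<six letters>\<four letters>sysguard.exe copy, the weakened HKCU Internet Explorer download and attachment settings, the HKLM\SOFTWARE\AvScan key, <System>\iehelper.dll, and hosts-file entries that are not the normal localhost lines. It is an added example written for this page, not Sophos code. The check functions take plain strings and dictionaries so they can be run against exported data on any system; collect_live() reads the live registry and hosts file and only works on Windows. The sample Run values, registry data and hosts file embedded below are constructed for illustration (the directory name "qwerty" and the 192.0.2.0/24 and .test names are placeholders, not observed indicators).

```python
import os
import re

# Dropped copy: <Program Files>\<six random letters>\<four random letters>sysguard.exe
SYSGUARD_RE = re.compile(
    r'^"?[a-z]:\\program files( \(x86\))?\\[a-z]{6}\\[a-z]{4}sysguard\.exe"?$',
    re.IGNORECASE,
)

# HKCU values the trojan sets to weaken IE download/attachment warnings:
# (subkey, value name) -> data the trojan writes
WEAKENED = {
    (r"Software\Microsoft\Internet Explorer\Download", "CheckExeSignatures"): "no",
    (r"Software\Microsoft\Internet Explorer\Download", "RunInvalidSignatures"): 1,
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\Associations", "LowRiskFileTypes"): ".exe",
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\Attachments", "SaveZoneInformation"): 1,
}


def suspicious_run_values(run_values):
    """run_values maps a Run value name to its command line; return those matching the sysguard copy."""
    return {name: cmd for name, cmd in run_values.items() if SYSGUARD_RE.match(cmd.strip())}


def weakened_policies(hkcu_values):
    """hkcu_values maps (subkey, value name) -> data; return the entries set the way the trojan sets them."""
    hits = []
    for key, bad in WEAKENED.items():
        data = hkcu_values.get(key)
        if data is None:
            continue
        if key[1] == "LowRiskFileTypes":
            # semicolon-separated extension list; the trojan adds .exe
            if ".exe" in [t.strip().lower() for t in str(data).split(";")]:
                hits.append(key)
        elif isinstance(bad, str):
            if str(data).strip().lower() == bad:
                hits.append(key)
        elif isinstance(data, int) and data == bad:
            hits.append(key)
    return hits


def hosts_redirects(hosts_text):
    """Return (ip, hostname) pairs from a hosts file that are not the stock localhost entries."""
    out = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            stock = ip in ("127.0.0.1", "::1") and name.lower() in ("localhost", "localhost.localdomain")
            if not stock:
                out.append((ip, name))
    return out


# Constructed sample data (not taken from an infected machine) so the checks run anywhere.
SAMPLE_RUN = {
    "HKCU\\abcdefgh": r"C:\Program Files\qwerty\swsysysguard.exe",
    "HKCU\\OneDrive": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}
SAMPLE_HKCU = {
    (r"Software\Microsoft\Internet Explorer\Download", "CheckExeSignatures"): "no",
    (r"Software\Microsoft\Internet Explorer\Download", "RunInvalidSignatures"): 1,
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\Associations", "LowRiskFileTypes"): ".exe",
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\Attachments", "SaveZoneInformation"): 0,
}
SAMPLE_HOSTS = """# constructed hosts file for illustration
127.0.0.1 localhost
::1 localhost
192.0.2.10 update.example-av.test   # vendor site sent to an attacker-controlled address
127.0.0.1 www.example-av.test       # vendor site sinkholed to loopback
"""


def collect_live():
    """Windows only: read the live Run keys, HKCU policy values, AvScan key, iehelper.dll and hosts file."""
    import winreg  # only available on Windows
    findings, run = {}, {}
    for hive, label in ((winreg.HKEY_LOCAL_MACHINE, "HKLM"), (winreg.HKEY_CURRENT_USER, "HKCU")):
        try:  # KEY_WOW64_64KEY so a 32-bit Python sees the real HKLM Run key, not WOW6432Node
            with winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run", 0,
                                winreg.KEY_READ | winreg.KEY_WOW64_64KEY) as k:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:
                        break
                    run[f"{label}\\{name}"] = str(data)
                    i += 1
        except OSError:
            pass
    findings["run"] = suspicious_run_values(run)
    vals = {}
    for sub, name in WEAKENED:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, sub) as k:
                vals[(sub, name)] = winreg.QueryValueEx(k, name)[0]
        except OSError:
            pass
    findings["policy"] = weakened_policies(vals)
    try:
        winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\AvScan").Close()
        findings["avscan_key"] = True
    except OSError:
        findings["avscan_key"] = False
    sysroot = os.environ.get("SystemRoot", r"C:\Windows")
    findings["iehelper_dll"] = os.path.exists(os.path.join(sysroot, "System32", "iehelper.dll"))
    with open(os.path.join(sysroot, r"System32\drivers\etc\hosts"), encoding="utf-8", errors="replace") as f:
        findings["hosts"] = hosts_redirects(f.read())
    return findings


if __name__ == "__main__":
    print("run:", suspicious_run_values(SAMPLE_RUN))
    print("policy:", weakened_policies(SAMPLE_HKCU))
    print("hosts:", hosts_redirects(SAMPLE_HOSTS))
    if os.name == "nt":
        print("live:", collect_live())
```

The Run-key match is the strongest pivot, since a six-letter directory under Program Files holding a *sysguard.exe is not something legitimate software creates; the policy values and hosts entries can also be set by administrators or other malware, so treat them as supporting evidence rather than proof on their own.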
