Mal/FakeAV-FI

Category: Viruses and Spyware
Type: Malicious behavior
Prevalence: Small Number of Reports
Protection available since: 08 Sep 2010 18:37:45 (GMT)
Last Updated: 08 Sep 2010 18:37:45 (GMT)

Examples of Mal/FakeAV-FI include:

Example 1

File Information

Size: 277K
SHA-1: 2bb4eeafe3c439a0d1761722d68f1dfdb153f4be
MD5: a1cc9f03e228eef33a0815d6c30e8a05
CRC-32: e7459c74
File type: application/x-ms-dos-executable
First seen: 2010-08-26

Other vendor detection

Avira: TR/Dropper.Gen
Kaspersky: Backdoor.Win32.Frauder.bzr

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Local Settings\Temp\winupd64x.exe
Registry Keys Created
  • HKCU\Software
    fcb39e92-5c9b-4f6f-9765-77b959568acb
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    winupd64x.exe
    C:\DOCUME~1\support\LOCALS~1\Temp\winupd64x.exe
HTTP Requests
  • http://70.38.11.165/admin/cgi-bin/check_update.php
  • http://yourpcisprotected.info/collection.php
IP Connections
  • 70.38.11.165:80
DNS Requests
  • yourpcisprotected.info

Example 2

File Information

Size: 277K
SHA-1: bcdeaff5297181868543b3bf0ce402ac1e6ca41a
MD5: 4e45a343748be32f52ad97a8c63e962b
CRC-32: 97808134
File type: application/x-ms-dos-executable
First seen: 2010-09-06

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Local Settings\Temp\winupd64x.exe
Dropped Files
  • C:\Program Files\Antivirus\AvBho.dll
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    winupd64x.exe
    C:\DOCUME~1\support\LOCALS~1\Temp\winupd64x.exe
  • HKCU\Software
    fcb39e92-5c9b-4f6f-9765-77b959568acb
Registry Keys Modified
  • HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
    Start = 0x00000004
Processes Created
  • c:\windows\system32\net.exe
  • c:\windows\system32\net1.exe
  • c:\windows\system32\sc.exe
HTTP Requests
  • http://70.38.11.165/admin/cgi-bin/check_update.php
  • http://download.test3.com/en/PE/AvBho.dll
  • http://download.test3.com/error.html
  • http://test3.com/collection.php
  • http://test3.com/error.html
IP Connections
  • 70.38.11.165:80
DNS Requests
  • download.test3.com
  • test3.com

Example 3

File Information

Size: 277K
SHA-1: bff8dab3e5e663c9b4a943a615f49f778e66c334
MD5: f2fc4d2803d1922ae35c5f03555490d7
CRC-32: f4862a84
File type: application/x-ms-dos-executable
First seen: 2010-09-05

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Local Settings\Temp\winupd64x.exe
Registry Keys Created
  • HKCU\Software
    fcb39e92-5c9b-4f6f-9765-77b959568acb
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    winupd64x.exe
    C:\DOCUME~1\support\LOCALS~1\Temp\winupd64x.exe
HTTP Requests
  • http://70.38.11.165/admin/cgi-bin/check_update.php
IP Connections
  • 70.38.11.165:80