Mal/FakeAV-IS

Category: Viruses and Spyware
Type: Malicious behavior
Protection available since: 08 Feb 2011 17:02:21 (GMT)
Last Updated: 22 Jan 2014 18:45:52 (GMT)
Prevalence: Small Number of Reports


Examples of Mal/FakeAV-IS include:

Example 1

File Information

Size: 197K
SHA-1: 00029058cc6b7ad9980a62c295273b46cba58521
MD5: f7d534bd022fcd5facae22fabf7f44b6
CRC-32: 460e1203
File type: Windows executable
First seen: 2011-02-13

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Application Data\dwm.exe
Dropped Files
  • c:\Documents and Settings\test user\Application Data\337E.A1A
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyServer
    http=127.0.0.1:50061
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell
    explorer.exe,c:\Documents and Settings\test user\Application Data\dwm.exe
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    conhost
    c:\Documents and Settings\test user\Application Data\Microsoft\conhost.exe
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    DefaultConnectionSettings
    3c 00 00 00 03 00 00 00 03 00 00 00 14 00 00 00 68 74 74 70 3d 31 32 37 2e 30 2e 30 2e 31 3a 35 30 30 36 31 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 80 88 73 da f3 98 ca 01 01 00 00 00 ac 10 00 06 00 00 00 00 00 00 00 00
  • HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings
    ProxyEnable
    0x00000001
  • HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings
    ProxyEnable
    0x00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable
    0x00000001
Processes Created
  • c:\docume~1\support\locals~1\temp\2.exe
HTTP Requests
  • http://4videosoft.com/iphone.gif
  • http://differentdata-one.com/images/im133.jpg
  • http://freemaildotaccess.com/images/im133.jpg
  • http://protoolreviews.com/images/111.jpg
  • http://rossroadbags.com/images/p_thumb/3520.jpg
DNS Requests
  • 4videosoft.com
  • differentdata-one.com
  • freemaildotaccess.com
  • protoolreviews.com
  • rossroadbags.com
  • zonetf.com

Example 2

File Information

Size: 167K
SHA-1: 000385f100d33ced3f1f9d38e48d557c82dbdcd3
MD5: 75121e4831b5cca97e165708ca0c3a35
CRC-32: c7c0c28f
File type: Windows executable
First seen: 2011-04-27

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Application Data\Microsoft\conhost.exe
Dropped Files
  • c:\Documents and Settings\test user\Application Data\337E.A1A
  • c:\Documents and Settings\test user\Application Data\dwm.exe
    Size: 176K
    SHA-1: 56c0c7148743e19e903cb727eda9f7e5bbdf85b6
    MD5: 0dfde972665d8bc9c1ae52ba83657334
    CRC-32: 2cd04d2d
    File type: Windows executable
    First seen: 2011-04-27
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyServer
    http=127.0.0.1:49798
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell
    explorer.exe,c:\Documents and Settings\test user\Application Data\dwm.exe
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    conhost
    c:\Documents and Settings\test user\Application Data\Microsoft\conhost.exe
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable
    0x00000001
  • HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings
    ProxyEnable
    0x00000001
  • HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings
    ProxyEnable
    0x00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    DefaultConnectionSettings
    3c 00 00 00 03 00 00 00 03 00 00 00 14 00 00 00 68 74 74 70 3d 31 32 37 2e 30 2e 30 2e 31 3a 34 39 37 39 38 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 80 88 73 da f3 98 ca 01 01 00 00 00 ac 10 00 06 00 00 00 00 00 00 00 00
Processes Created
  • c:\Documents and Settings\test user\application data\dwm.exe
  • c:\docume~1\support\locals~1\temp\2.exe
HTTP Requests
  • http://122343234.motostyleclub.com/blog/images/3521.jpg
  • http://greenherbalteaonline.com/images/greenherbalteagirlholdingcup250.gif
  • http://healthylifenow.com/templates/7349/images/header_logo.jpg
  • http://japanesegreenteaonline.com/assets/images/greentea-cha-1.gif
  • http://videosamplestore.com/blog/images/3521.jpg
DNS Requests
  • 122343234.motostyleclub.com
  • greenherbalteaonline.com
  • healthylifenow.com
  • japanesegreenteaonline.com
  • videosamplestore.com
  • zonedg.com

Example 3

File Information

Size: 175K
SHA-1: 0013446d1fb264607bbe74cd326903c6b1e2867c
MD5: e923be7416d49fcb60f5f95a29de979e
CRC-32: 61dff825
File type: application/x-ms-dos-executable
First seen: 2011-01-24

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Application Data\dwm.exe
Dropped Files
  • c:\Documents and Settings\test user\Application Data\337E.A1A
Registry Keys Created
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell
    explorer.exe,c:\Documents and Settings\test user\Application Data\dwm.exe
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    conhost
    c:\Documents and Settings\test user\Application Data\Microsoft\conhost.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyServer
    http=127.0.0.1:56727
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    DefaultConnectionSettings
    3c 00 00 00 03 00 00 00 03 00 00 00 14 00 00 00 68 74 74 70 3d 31 32 37 2e 30 2e 30 2e 31 3a 35 36 37 32 37 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 80 88 73 da f3 98 ca 01 01 00 00 00 ac 10 00 06 00 00 00 00 00 00 00 00
  • HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings
    ProxyEnable
    0x00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable
    0x00000001
  • HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings
    ProxyEnable
    0x00000001
Processes Created
  • c:\Documents and Settings\test user\application data\microsoft\conhost.exe
  • c:\docume~1\support\locals~1\temp\2.exe
HTTP Requests
  • http://136136.com/LB5000/CGI-BIN/s.cgi
  • http://pcdocpro.com/images/logo-1.jpg
  • http://smallspiderwomen.com/images/im133.jpg
  • http://zonedg.com/images/im133.jpg
DNS Requests
  • 136136.com
  • pcdocpro.com
  • smallspiderwomen.com
  • zonedg.com
  • zonetf.com
