Mal/FakeAV-KI

Category: Viruses and Spyware
Protection available since: 14 Apr 2011 13:20:05 (GMT)
Type: Malicious behavior
Last Updated: 25 May 2011 14:42:39 (GMT)
Prevalence: Small Number of Reports

Examples of Mal/FakeAV-KI include:

Example 1

File Information

Size
484K
SHA-1
04312f9b6270cbd71b5b6345efcbd8ac0ee54e29
MD5
f81b60cedc643666dc35a4e952bf1df0
CRC-32
9b0e89b0
File type
application/x-ms-dos-executable
First seen
2011-04-21

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Local Settings\Application Data\gcy.exe
Dropped Files
  • c:\Documents and Settings\test user\Templates\0lok2k63nt0m3v8w583a24283uey6fcw8mc814le6mkd8t
    Size
    3.9K
    SHA-1
    23e8899905bbe31a6e20a2cda1f05539eb28372a
    MD5
    9531cb4b34bfdf40fb0a51ddd7008cf7
    CRC-32
    ca30d8dd
    File type
    application/octet-stream
    First seen
    2011-04-21
  • C:\Documents and Settings\All Users\Application Data\0lok2k63nt0m3v8w583a24283uey6fcw8mc814le6mkd8t
    Size
    3.9K
    SHA-1
    23e8899905bbe31a6e20a2cda1f05539eb28372a
    MD5
    9531cb4b34bfdf40fb0a51ddd7008cf7
    CRC-32
    ca30d8dd
    File type
    application/octet-stream
    First seen
    2011-04-21
  • C:\WINDOWS\system32\j5c0q.dll
    Size
    180K
    SHA-1
    5c2b01152b9c5fc3918fc436f59499dbc42b8b62
    MD5
    5b524d1ac9a57d1d7a0c45e894241cc4
    CRC-32
    c23b7fd2
    File type
    application/x-ms-dos-executable
    First seen
    2011-04-21
  • c:\Documents and Settings\test user\Local Settings\Temp\0lok2k63nt0m3v8w583a24283uey6fcw8mc814le6mkd8t
    Size
    3.9K
    SHA-1
    23e8899905bbe31a6e20a2cda1f05539eb28372a
    MD5
    9531cb4b34bfdf40fb0a51ddd7008cf7
    CRC-32
    ca30d8dd
    File type
    application/octet-stream
    First seen
    2011-04-21
  • c:\Documents and Settings\test user\Local Settings\Application Data\0lok2k63nt0m3v8w583a24283uey6fcw8mc814le6mkd8t
    Size
    3.9K
    SHA-1
    23e8899905bbe31a6e20a2cda1f05539eb28372a
    MD5
    9531cb4b34bfdf40fb0a51ddd7008cf7
    CRC-32
    ca30d8dd
    File type
    application/octet-stream
    First seen
    2011-04-21
Modified Files
  • %PROFILE%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    • Changed the file contents
Registry Keys Created
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    DoNotAllowExceptions
    0x00000000
  • HKCU_Classes\.exe\shell\runas\command
    IsolatedCommand
    "%1" %*
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
    DoNotAllowExceptions
    0x00000000
  • HKCU\Software\Classes\.exe\DefaultIcon
    (Default)
    %1
  • HKCU_Classes\exefile\shell\runas\command
    (Default)
    "%1" %*
  • HKCU_Classes\exefile\DefaultIcon
    (Default)
    %1
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
    2433c654
    91 91 18 ff 28 00 00 00 15 58 3e ad db 86 ca 6f 4a c7 95 2f e8 71 04 3b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 ea 17 f5 8b 3b 79 c0 e2 db 85 1c fc 6a b7 3a ee 85 da 19 75 b5 c9 3c 04 2c 51 8f 28 bf 2e 18 6b d8 5e c9 78 3e 2c 3e f7 d2 a2 ae 5f 23 5c ce 3a 22 15 d1 f9 d3 be 95 e8 3f 17
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
    2433c654
    91 91 18 ff 28 00 00 00 15 58 3e ad db 86 ca 6f 4a c7 95 2f e8 71 04 3b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 ea 17 f5 8b 3b 79 c0 e2 db 85 1c fc 6a b7 3a ee 85 da 19 75 b5 c9 3c 04 2c 51 8f 28 bf 2e 18 6b d8 5e c9 78 3e 2c 3e f7 d2 a2 ae 5f 23 5c ce 3a 22 15 d1 f9 d3 be 95 e8 3f 17
  • HKCU\Software\Classes\.exe
    Content Type
    application/x-msdownload
  • HKCU\Software\Classes\.exe\shell\runas\command
    (Default)
    "%1" %*
  • HKCU_Classes\.exe
    (Default)
    exefile
  • HKCU\Software\Classes\exefile
    (Default)
    Application
  • HKCU_Classes\exefile
    Content Type
    application/x-msdownload
  • HKCU\Software\Classes\exefile\shell\open\command
    IsolatedCommand
    "%1" %*
  • HKCU\Software\Classes\exefile\shell\runas\command
    IsolatedCommand
    "%1" %*
  • HKCU\Software\Microsoft\Windows
    Identity
    0x11e7c747
  • HKCU_Classes\.exe\shell\open\command
    IsolatedCommand
    "%1" %*
  • HKCU_Classes\exefile\shell\open\command
    (Default)
    "c:\Documents and Settings\test user\Local Settings\Application Data\gcy.exe" -a "%1" %*
Registry Keys Modified
  • HKLM\SOFTWARE\Microsoft\Security Center
    AntiVirusOverride
    0x00000001
  • HKCR\CLSID\{750fdf0e-2a26-11d1-a3ea-080036587f03}\InProcServer32
    (Default)
    C:\WINDOWS\system32\j5c0q.dll
  • HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
    (Default)
    "C:\Documents and Settings\support\Local Settings\Application Data\gcy.exe" -a "C:\Program Files\Intern
Processes Created
  • c:\documents and settings\support\local settings\application data\gcy.exe
  • c:\docume~1\support\locals~1\temp\wq05a37x.exe
  • c:\windows\explorer.exe
HTTP Requests
  • http://dyhapenypyqu.com/1013000613
  • http://ypyrezaba.com/6bH3p+Kx96fhtfen4w
DNS Requests

Example 2

File Information

Size
344K
SHA-1
091fcfb5470fcb69e88b1e9d069fa4e6720c2e79
MD5
428834733cd56f5a1946460b87afe9a1
CRC-32
199e79ee
File type
application/x-ms-dos-executable
First seen
2011-04-20

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Local Settings\Application Data\hir.exe
Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\78o01baf63e
    Size
    4.5K
    SHA-1
    df84b0fddba9babc25fe543bef2aedb112e73805
    MD5
    432591b0c1396c5b529ffb11ff8a40f3
    CRC-32
    7f5522ae
    File type
    application/octet-stream
    First seen
    2011-04-20
  • c:\Documents and Settings\test user\Local Settings\Application Data\78o01baf63e
    Size
    4.5K
    SHA-1
    df84b0fddba9babc25fe543bef2aedb112e73805
    MD5
    432591b0c1396c5b529ffb11ff8a40f3
    CRC-32
    7f5522ae
    File type
    application/octet-stream
    First seen
    2011-04-20
  • c:\Documents and Settings\test user\Templates\78o01baf63e
    Size
    4.5K
    SHA-1
    df84b0fddba9babc25fe543bef2aedb112e73805
    MD5
    432591b0c1396c5b529ffb11ff8a40f3
    CRC-32
    7f5522ae
    File type
    application/octet-stream
    First seen
    2011-04-20
  • C:\Documents and Settings\All Users\Application Data\78o01baf63e
    Size
    4.5K
    SHA-1
    df84b0fddba9babc25fe543bef2aedb112e73805
    MD5
    432591b0c1396c5b529ffb11ff8a40f3
    CRC-32
    7f5522ae
    File type
    application/octet-stream
    First seen
    2011-04-20
Modified Files
  • %PROFILE%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    • Changed the file contents
Registry Keys Created
  • HKCU\Software\Classes\.exe
    (Default)
    exefile
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    DisableNotifications
    0x00000001
  • HKCU_Classes\exefile\shell\open\command
    (Default)
    "c:\Documents and Settings\test user\Local Settings\Application Data\hir.exe" -a "%1" %*
  • HKCU\Software\Classes\exefile\shell\runas\command
    IsolatedCommand
    "%1" %*
  • HKCU\Software\Classes\.exe\DefaultIcon
    (Default)
    %1
  • HKCU\Software\Classes\exefile\shell\open\command
    IsolatedCommand
    "%1" %*
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
    DisableNotifications
    0x00000001
  • HKCU\Software\Microsoft\Windows
    Identity
    0xb982328d
  • HKCU_Classes\.exe\shell\open\command
    (Default)
    "c:\Documents and Settings\test user\Local Settings\Application Data\hir.exe" -a "%1" %*
  • HKCU\Software\Classes\.exe\shell\runas\command
    IsolatedCommand
    "%1" %*
  • HKCU\Software\Classes\exefile
    (Default)
    Application
  • HKCU_Classes\exefile
    Content Type
    application/x-msdownload
  • HKCU_Classes\exefile\DefaultIcon
    (Default)
    %1
  • HKCU\Software\Classes\.exe\shell\open\command
    IsolatedCommand
    "%1" %*
  • HKCU_Classes\exefile\shell\runas\command
    (Default)
    "%1" %*
  • HKCU_Classes\.exe\shell\runas\command
    IsolatedCommand
    "%1" %*
  • HKCU_Classes\.exe
    (Default)
    exefile
Registry Keys Modified
  • HKLM\SOFTWARE\Microsoft\Security Center
    FirewallOverride
    0x00000001
  • HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
    (Default)
    "C:\Documents and Settings\support\Local Settings\Application Data\hir.exe" -a "C:\Program Files\Intern
Processes Created
  • c:\documents and settings\support\local settings\application data\hir.exe
HTTP Requests
  • http://dyhapenypyqu.com/1015000513
DNS Requests

Example 3

File Information

Size
336K
SHA-1
098f5cb19ad0d1a81411d0c2353f8c1401484b36
MD5
1a2c20e5cc934b4a395ba87eefd35a44
CRC-32
cb7560fb
File type
application/x-ms-dos-executable
First seen
2011-04-21

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Local Settings\Application Data\sak.exe
Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Application Data\63t52u1463pkd28v2ap36ok2d30w5fva4y
    Size
    4.3K
    SHA-1
    46d06533864b8c764871851b83e9a9c93213d6ea
    MD5
    e511f1b6f761b35ecb20a17a6737f637
    CRC-32
    b36d75df
    File type
    application/octet-stream
    First seen
    2011-04-21
  • c:\Documents and Settings\test user\Templates\63t52u1463pkd28v2ap36ok2d30w5fva4y
    Size
    4.3K
    SHA-1
    46d06533864b8c764871851b83e9a9c93213d6ea
    MD5
    e511f1b6f761b35ecb20a17a6737f637
    CRC-32
    b36d75df
    File type
    application/octet-stream
    First seen
    2011-04-21
  • c:\Documents and Settings\test user\Local Settings\Temp\63t52u1463pkd28v2ap36ok2d30w5fva4y
    Size
    4.3K
    SHA-1
    46d06533864b8c764871851b83e9a9c93213d6ea
    MD5
    e511f1b6f761b35ecb20a17a6737f637
    CRC-32
    b36d75df
    File type
    application/octet-stream
    First seen
    2011-04-21
  • C:\Documents and Settings\All Users\Application Data\63t52u1463pkd28v2ap36ok2d30w5fva4y
    Size
    4.3K
    SHA-1
    46d06533864b8c764871851b83e9a9c93213d6ea
    MD5
    e511f1b6f761b35ecb20a17a6737f637
    CRC-32
    b36d75df
    File type
    application/octet-stream
    First seen
    2011-04-21
Modified Files
  • %PROFILE%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    • Changed the file contents
Registry Keys Created
  • HKCU_Classes\exefile\shell\runas\command
    (Default)
    "%1" %*
  • HKCU\Software\Classes\exefile
    (Default)
    Application
  • HKCU_Classes\exefile\shell\open\command
    (Default)
    "c:\Documents and Settings\test user\Local Settings\Application Data\sak.exe" -a "%1" %*
  • HKCU_Classes\.exe\shell\open\command
    (Default)
    "c:\Documents and Settings\test user\Local Settings\Application Data\sak.exe" -a "%1" %*
  • HKCU_Classes\.exe
    (Default)
    exefile
  • HKCU\Software\Classes\exefile\shell\open\command
    IsolatedCommand
    "%1" %*
  • HKCU\Software\Classes\.exe\DefaultIcon
    (Default)
    %1
  • HKCU\Software\Classes\exefile\shell\runas\command
    IsolatedCommand
    "%1" %*
  • HKCU\Software\Classes\.exe\shell\open\command
    IsolatedCommand
    "%1" %*
  • HKCU\Software\Classes\.exe
    (Default)
    exefile
  • HKCU_Classes\exefile
    Content Type
    application/x-msdownload
  • HKCU\Software\Classes\.exe\shell\runas\command
    IsolatedCommand
    "%1" %*
  • HKCU\Software\Microsoft\Windows
    Identity
    0xb9d11549
  • HKCU_Classes\.exe\shell\runas\command
    IsolatedCommand
    "%1" %*
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
    DisableNotifications
    0x00000001
  • HKCU_Classes\exefile\DefaultIcon
    (Default)
    %1
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    DisableNotifications
    0x00000001
Registry Keys Modified
  • HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
    (Default)
    "C:\Documents and Settings\support\Local Settings\Application Data\sak.exe" -a "C:\Program Files\Intern
  • HKLM\SOFTWARE\Microsoft\Security Center
    FirewallOverride
    0x00000001
Processes Created
  • c:\documents and settings\support\local settings\application data\sak.exe
HTTP Requests
  • http://zekujogameteji.com/1017000213
DNS Requests