Troj/FakeAV-CLZ

    Category: Viruses and SpywareProtection available since:12 Feb 2011 04:17:43 (GMT)
    Type: TrojanLast Updated:12 Feb 2011 04:17:43 (GMT)
    Prevalence: Small Number of Reports

    Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

    Troj/FakeAV-CLZ exhibits the following characteristics:

    File Information

    Size
    237K
    SHA-1
    7fe4fa35971b225c15f8cb55e9acc31756c85c8e
    MD5
    d9deca8094c4d84bb2fc0a141ba6bb44
    CRC-32
    6810c209
    File type
    application/x-ms-dos-executable
    First seen
    2011-02-12

    Other vendor detection

    Kaspersky
    Trojan.Win32.VBKrypt.ccoc

    Runtime Analysis

    Copies Itself To
    • c:\Documents and Settings\test user\Application Data\WinDefender.exe
    Dropped Files
    • F:/Autorun.ini
      Size
      28
      SHA-1
      1d6e848669f04e6aba25e60276e3bebd4a87238e
      MD5
      ce886cb8e7d70a3272703d782f525212
      CRC-32
      944186af
      File type
      application/octet-stream
      First seen
      2010-08-16
    • c:\Documents and Settings\test user\Application Data\data.dat
      Size
      32
      SHA-1
      41a054b7640a76436dd52217419bbed492328d1c
      MD5
      a015209cc96863a85567bd69d72834f2
      CRC-32
      6342cbb0
      File type
      application/octet-stream
      First seen
      2011-03-23
    Registry Keys Created
    • HKLM\SOFTWARE\Microsoft\Security Center
      UACDisableNotify
      0x00000000
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      Windows Defender
      c:\Documents and Settings\test user\Application Data\WinDefender.exe
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
      Windows Defender
      c:\Documents and Settings\test user\Application Data\WinDefender.exe
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
      EnableLUA
      0x00000000
    • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
      DoNotAllowExceptions
      0x00000000
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      Windows Defender
      c:\Documents and Settings\test user\Application Data\WinDefender.exe
    • HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{DDF6AD7D-ECBD-DBA8-EBEC-F31ED002BEBA}
      StubPath
      c:\Documents and Settings\test user\Application Data\WinDefender.exe
    • HKCU\Software\VB and VBA Program Settings\INSTALL\DATE
      QA2MHJ43HM
      March 23, 2011
    • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
      c:\test_item.exe
      c:\test_item.exe:*:Enabled:Windows Messanger
    Processes Created
    • c:\windows\system32\cmd.exe
    • c:\windows\system32\reg.exe
    DNS Requests
    • rock-low.no-ip.biz

    Download Sophos HomeDownload
    Sophos Home

    Free business-grade security for the home.

    Endpoint Protection