Troj/FakeAV-CLZ

Category: Viruses and Spyware
Type: Trojan
Protection available since: 12 Feb 2011 04:17:43 (GMT)
Last Updated: 12 Feb 2011 04:17:43 (GMT)
Prevalence: Small Number of Reports


Troj/FakeAV-CLZ exhibits the following characteristics:

File Information

Size: 237K
SHA-1: 7fe4fa35971b225c15f8cb55e9acc31756c85c8e
MD5: d9deca8094c4d84bb2fc0a141ba6bb44
CRC-32: 6810c209
File type: application/x-ms-dos-executable
First seen: 2011-02-12

Other vendor detection

Kaspersky
Trojan.Win32.VBKrypt.ccoc

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Application Data\WinDefender.exe
Dropped Files
  • F:/Autorun.ini
    Size: 28
    SHA-1: 1d6e848669f04e6aba25e60276e3bebd4a87238e
    MD5: ce886cb8e7d70a3272703d782f525212
    CRC-32: 944186af
    File type: application/octet-stream
    First seen: 2010-08-16
  • c:\Documents and Settings\test user\Application Data\data.dat
    Size: 32
    SHA-1: 41a054b7640a76436dd52217419bbed492328d1c
    MD5: a015209cc96863a85567bd69d72834f2
    CRC-32: 6342cbb0
    File type: application/octet-stream
    First seen: 2011-03-23
Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\Security Center
    UACDisableNotify = 0x00000000
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Windows Defender = c:\Documents and Settings\test user\Application Data\WinDefender.exe
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
    Windows Defender = c:\Documents and Settings\test user\Application Data\WinDefender.exe
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    EnableLUA = 0x00000000
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    DoNotAllowExceptions = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Windows Defender = c:\Documents and Settings\test user\Application Data\WinDefender.exe
  • HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{DDF6AD7D-ECBD-DBA8-EBEC-F31ED002BEBA}
    StubPath = c:\Documents and Settings\test user\Application Data\WinDefender.exe
  • HKCU\Software\VB and VBA Program Settings\INSTALL\DATE
    QA2MHJ43HM = March 23, 2011
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    c:\test_item.exe = c:\test_item.exe:*:Enabled:Windows Messanger
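The registry changes above are the part of this analysis an incident responder can check directly on a suspect host: three autostart locations plus an Active Setup StubPath all pointing at an executable in the user's Application Data folder, EnableLUA set to 0 (UAC switched off), and a firewall exception added under AuthorizedApplications. The script below is an added example, not Sophos code or a vendor signature: it parses a `.reg` export (as produced by `reg export`) and flags exactly those patterns. The rule table is derived from the keys listed on this page, the `.reg` text is constructed to mirror them (with one benign HKCU Run entry for contrast), and the generalisation to any executable launched from a profile directory, not just WinDefender.exe, is an assumption of the example.

```python
"""Flag the persistence and security-weakening registry changes listed in the
Troj/FakeAV-CLZ analysis in a Windows .reg export.  Added example; the rules
below are derived from the page's indicator list, not from a vendor signature."""
import re

# Constructed .reg export mirroring the indicators on the page (sample input).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UACDisableNotify"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\\Documents and Settings\\test user\\Application Data\\WinDefender.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{DDF6AD7D-ECBD-DBA8-EBEC-F31ED002BEBA}]
"StubPath"="c:\\Documents and Settings\\test user\\Application Data\\WinDefender.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"c:\\test_item.exe"="c:\\test_item.exe:*:Enabled:Windows Messanger"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
         "HKEY_CLASSES_ROOT": "HKCR", "HKEY_USERS": "HKU"}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo .reg escaping: \\ -> \ and \" -> " (quoting style used by reg.exe)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: data}}; hives are shortened (HKLM/HKCU) so
    rules can be written the way vendor write-ups list them.  Only REG_SZ and
    REG_DWORD are decoded; other value types are kept as their raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            current = keys.setdefault(HIVES.get(hive, hive) + "\\" + rest, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if data.startswith("dword:"):
            current[name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            current[name] = _unescape(data[1:-1])
        else:
            current[name] = data
    return keys


# Values the sample writes, as listed on the page.  EnableLUA=0 disables UAC;
# DoNotAllowExceptions=0 keeps firewall exceptions (like the one added) in force.
SAMPLE_SETTINGS = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system", "EnableLUA", 0),
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "UACDisableNotify", 0),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile",
     "DoNotAllowExceptions", 0),
]
AUTOSTART_KEYS = [
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
]
# Active Setup components run their StubPath once per user at logon.
ACTIVE_SETUP = r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
FIREWALL_LIST = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                 r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
# Assumption: any autostart pointing at an .exe under a profile's Application
# Data / AppData folder is suspicious, not only WinDefender.exe itself.
PROFILE_EXE = re.compile(r"\\(application data|appdata)\\.*\.exe", re.I)


def scan(keys):
    """Return (rule, key, value_name, data) tuples for every indicator hit."""
    findings = []
    lower = {k.lower(): (k, v) for k, v in keys.items()}
    for key, name, bad in SAMPLE_SETTINGS:
        hit = lower.get(key.lower())
        if hit and {n.lower(): d for n, d in hit[1].items()}.get(name.lower()) == bad:
            findings.append(("weakened-setting", hit[0], name, bad))
    autostart = {a.lower() for a in AUTOSTART_KEYS}
    for lk, (k, values) in lower.items():
        if lk in autostart or lk.startswith(ACTIVE_SETUP.lower() + "\\"):
            for name, data in values.items():
                if isinstance(data, str) and PROFILE_EXE.search(data):
                    findings.append(("autostart-from-profile", k, name, data))
        if lk == FIREWALL_LIST.lower():
            for name, data in values.items():
                if isinstance(data, str) and ":*:enabled:" in data.lower():
                    findings.append(("firewall-exception", k, name, data))
    return findings


if __name__ == "__main__":
    for rule, key, name, data in scan(parse_reg(SAMPLE_REG)):
        print(f"{rule:24} {key}\n{'':24}   {name} = {data}")
```

Run it against a real export with `parse_reg(open("dump.reg", encoding="utf-16").read())`; `reg export` writes UTF-16 by default. The benign ctfmon.exe entry in the sample is not reported, since it lives in system32 rather than under a profile.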
Processes Created
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\reg.exe
DNS Requests
  • rock-low.no-ip.biz