Troj/FakeAV-EFL

Category: Viruses and Spyware
Type: Trojan
Protection available since: 09 Aug 2011 20:27:04 (GMT)
Last Updated: 09 Aug 2011 20:27:04 (GMT)
Prevalence: Small Number of Reports

Examples of Troj/FakeAV-EFL include:

Example 1

File Information

Size
170K
SHA-1
006e6e9f40a0baf9ae8a1694349d5589d52c89ba
MD5
409ad84db8657d8bb1a53686f98fb737
CRC-32
65c38cf5
File type
application/x-ms-dos-executable
First seen
2011-07-12

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Local Settings\Temp\csrss.exe
Dropped Files
  • c:\Documents and Settings\test user\Application Data\Microsoft\CryptnetUrlCache\Content\C554DCF706A5AAB8B360FAD227EAB9C7
    Size
    1.3K
    SHA-1
    e86371f7874903e642344d4d3f54e33fec6f1d7c
    MD5
    091ba9b51fce61127592580087907780
    CRC-32
    48c4bd09
    File type
    Encoded certificate
    First seen
    2011-07-01
  • c:\Documents and Settings\test user\Application Data\Microsoft\CryptnetUrlCache\MetaData\C554DCF706A5AAB8B360FAD227EAB9C7
    Size
    100
    SHA-1
    fa406a1ef5ccb9cf087048420bb07bf55b4e28d7
    MD5
    5e575bdeb20f8a9d70e8a969d4e85566
    CRC-32
    0b566ec9
    File type
    application/octet-stream
    First seen
    2011-07-18
  • c:\Documents and Settings\test user\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
    Size
    144
    SHA-1
    8382d3c17cafbb9c9aebb5f38363db049d9712a8
    MD5
    44f7ce76d74308d652357fa8883bd2c5
    CRC-32
    6f415b7c
    File type
    application/octet-stream
    First seen
    2011-07-18
  • c:\Documents and Settings\test user\Application Data\Microsoft\CryptnetUrlCache\MetaData\E8974A4669383843486E5AFDB09650F5
    Size
    124
    SHA-1
    a59032ba9f8c6a2251625a59195988549d0e8e7c
    MD5
    f201d753f7884620a51e647694c5fd16
    CRC-32
    282f525c
    File type
    application/octet-stream
    First seen
    2011-07-18
  • c:\Documents and Settings\test user\Application Data\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9
    Size
    552
    SHA-1
    b65b3baf37445a512fa1919e4e93f3db0e9ce237
    MD5
    a95f65f1f7fd42194825e22f6d082bdc
    CRC-32
    184d30d6
    File type
    Encoded certificate
    First seen
    2011-06-13
  • c:\Documents and Settings\test user\Application Data\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9
    Size
    132
    SHA-1
    578ecedbc92aa8ee4364435d5415c4a7527eba6c
    MD5
    2de92aed695fe380081f6b3648bc15c3
    CRC-32
    12db91e8
    File type
    application/octet-stream
    First seen
    2011-07-18
  • c:\Documents and Settings\test user\Application Data\Microsoft\conhost.exe
    Size
    160K
    SHA-1
    04db67a6127fed600bd18fbec945c5cc0e53085d
    MD5
    d1ae4393c46e5b4030b5065c6f9d95d1
    CRC-32
    74bfd82d
    File type
    application/x-ms-dos-executable
    First seen
    2011-07-18
  • c:\Documents and Settings\test user\Application Data\337E.A1A
    Size
    900
    SHA-1
    44ecf00784fedae07ad7ebea1acc36084a26da1a
    MD5
    d5a813a01607d947650d83dc061cc8e3
    CRC-32
    c1312cd5
    File type
    application/octet-stream
    First seen
    2011-07-18
  • c:\Documents and Settings\test user\Application Data\Microsoft\CryptnetUrlCache\Content\E8974A4669383843486E5AFDB09650F5
    Size
    2.2K
    SHA-1
    88ee6a1d270c59d0ecbf0713c231204fb18686fb
    MD5
    e2f7c2cc2f83dd589e78b51017a47750
    CRC-32
    5c04f71d
    File type
    application/octet-stream
    First seen
    2011-07-18
  • c:\Documents and Settings\test user\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
Modified Files
  • %PROFILE%\Application Data\Microsoft\CryptnetUrlCache\Content\A8FABA189DB7D25FBA7CAC806625FD30
    • Changed the file contents
  • %PROFILE%\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5
  • %PROFILE%\Application Data\Microsoft\CryptnetUrlCache\MetaData\A8FABA189DB7D25FBA7CAC806625FD30
  • %PROFILE%\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5
Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    conhost
    c:\Documents and Settings\test user\Application Data\Microsoft\conhost.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyServer
    http=127.0.0.1:57495
Registry Keys Modified
  • HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings
    ProxyEnable
    0x00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable
    0x00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    DefaultConnectionSettings
    3c 00 00 00 03 00 00 00 03 00 00 00 14 00 00 00 68 74 74 70 3d 31 32 37 2e 30 2e 30 2e 31 3a 35 37 34 39 35 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 80 88 73 da f3 98 ca 01 01 00 00 00 ac 10 00 06 00 00 00 00 00 00 00 00
  • HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings
    ProxyEnable
    0x00000001
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
    load
    C:\DOCUME~1\support\LOCALS~1\Temp\csrss.exe
Processes Created
  • c:\docume~1\support\locals~1\temp\2.exe
  • c:\windows\system32\msiexec.exe
HTTP Requests
  • http://CSC3-2004-crl.verisign.com/CSC3-2004.crl
  • http://crl.microsoft.com/pki/crl/products/CSPCA.crl
  • http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl
  • http://crl.verisign.com/pca3-g2.crl
  • http://crl.verisign.com/pca3.crl
  • http://csc3-2009-crl.verisign.com/CSC3-2009.crl
  • http://livechatagent.com/img/footer_intel.jpg
  • http://motherboardpoint.com/images/template/h.cgi
  • http://nononlinecatalogtome.com/blog/images/3521.jpg
  • http://ourcoolresources.com/blog/images/3521.jpg
  • http://willsglaucoma.org/images/lhous4.gif
  • http://www.google.com/
  • http://www.google.de/
  • http://xprstats.com/images/logo.png
DNS Requests
  • CSC3-2004-crl.verisign.com
  • crl.microsoft.com
  • crl.verisign.com
  • csc3-2009-crl.verisign.com
  • livechatagent.com
  • motherboardpoint.com
  • nononlinecatalogtome.com
  • ourcoolresources.com
  • willsglaucoma.org
  • www.google.com
  • www.google.de
  • xprstats.com

Example 2

File Information

Size
180K
SHA-1
007cc2c333ac1299b3e47e795a25acd52560fb3b
MD5
5fd31ae2560c9c25de68280f7ee7a983
CRC-32
6c4a74a8
File type
application/x-ms-dos-executable
First seen
2011-07-19

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Local Settings\Temp\csrss.exe
Dropped Files
  • c:\Documents and Settings\test user\Application Data\Microsoft\conhost.exe
    Size
    163K
    SHA-1
    5baab46641ece16d5587b1cb2ee9bbaa3cb111fe
    MD5
    0da15f106dcaa497ab954cbf17bfb855
    CRC-32
    515681f5
    File type
    application/x-ms-dos-executable
    First seen
    2011-07-20
  • c:\Documents and Settings\test user\Application Data\337E.A1A
    Size
    1.2K
    SHA-1
    59d7af2b72f13fbf8b1b2da3223ae79e916653ac
    MD5
    570680901bb8144c45eca1e133dcf295
    CRC-32
    1fdd5aad
    File type
    application/octet-stream
    First seen
    2011-07-20
  • c:\Documents and Settings\test user\Application Data\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9
    Size
    552
    SHA-1
    b65b3baf37445a512fa1919e4e93f3db0e9ce237
    MD5
    a95f65f1f7fd42194825e22f6d082bdc
    CRC-32
    184d30d6
    File type
    Encoded certificate
    First seen
    2011-06-13
  • c:\Documents and Settings\test user\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
    Size
    144
    SHA-1
    2e25f56ec55482b4521bdd6bcb0b651a6962596c
    MD5
    56069c4a34c0cc48eb4ad882cd2d903d
    CRC-32
    0447ff49
    File type
    application/octet-stream
    First seen
    2011-07-20
  • c:\Documents and Settings\test user\Application Data\Microsoft\CryptnetUrlCache\Content\C554DCF706A5AAB8B360FAD227EAB9C7
    Size
    1.3K
    SHA-1
    e86371f7874903e642344d4d3f54e33fec6f1d7c
    MD5
    091ba9b51fce61127592580087907780
    CRC-32
    48c4bd09
    File type
    Encoded certificate
    First seen
    2011-07-01
  • c:\Documents and Settings\test user\Application Data\Microsoft\CryptnetUrlCache\MetaData\E8974A4669383843486E5AFDB09650F5
    Size
    124
    SHA-1
    e6ef44c8597e7021bb71752f525a99171f70a718
    MD5
    a4d20b623164a2c16fdc53877627b9ce
    CRC-32
    b12a6da6
    File type
    application/octet-stream
    First seen
    2011-07-20
  • c:\Documents and Settings\test user\Application Data\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9
    Size
    132
    SHA-1
    aae85277ce7b6af2bfcad4265b4d71ad8d277bcf
    MD5
    8fcbb3ebdf1064d825565f131a605b09
    CRC-32
    8dd58300
    File type
    application/octet-stream
    First seen
    2011-07-20
  • c:\Documents and Settings\test user\Application Data\Microsoft\CryptnetUrlCache\Content\E8974A4669383843486E5AFDB09650F5
    Size
    2.2K
    SHA-1
    2f7287d9f249713725e5f597ade0721a72a81438
    MD5
    b50562378f79575939d35e71b22804ce
    CRC-32
    bb03a388
    File type
    application/octet-stream
    First seen
    2011-07-19
  • c:\Documents and Settings\test user\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
    Size
    558
    SHA-1
    e192109e10095e206d39474f1169c057252654e4
    MD5
    ad3f7da9486a0dda020fdb77f83b7990
    CRC-32
    0d39d429
    File type
    application/octet-stream
    First seen
    2011-07-18
  • c:\Documents and Settings\test user\Application Data\Microsoft\CryptnetUrlCache\MetaData\C554DCF706A5AAB8B360FAD227EAB9C7
    Size
    100
    SHA-1
    8709a8b757a9bb73a9c52d0af2ca214e8e333064
    MD5
    f231e2bfe6e5f089cb14d17f2f41cf59
    CRC-32
    26234621
    File type
    application/octet-stream
    First seen
    2011-07-20
Modified Files
  • %PROFILE%\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5
  • %PROFILE%\Application Data\Microsoft\CryptnetUrlCache\Content\A8FABA189DB7D25FBA7CAC806625FD30
    • Changed the file contents
  • %PROFILE%\Application Data\Microsoft\CryptnetUrlCache\MetaData\A8FABA189DB7D25FBA7CAC806625FD30
  • %PROFILE%\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5
Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    conhost
    c:\Documents and Settings\test user\Application Data\Microsoft\conhost.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyServer
    http=127.0.0.1:55939
Registry Keys Modified
  • HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings
    ProxyEnable
    0x00000001
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
    load
    C:\DOCUME~1\support\LOCALS~1\Temp\csrss.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable
    0x00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    DefaultConnectionSettings
    3c 00 00 00 03 00 00 00 03 00 00 00 14 00 00 00 68 74 74 70 3d 31 32 37 2e 30 2e 30 2e 31 3a 35 35 39 33 39 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 80 88 73 da f3 98 ca 01 01 00 00 00 ac 10 00 06 00 00 00 00 00 00 00 00
  • HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings
    ProxyEnable
    0x00000001
Processes Created
  • c:\Documents and Settings\test user\application data\microsoft\conhost.exe
  • c:\docume~1\support\locals~1\temp\2.exe
  • c:\windows\system32\msiexec.exe
HTTP Requests
  • http://CSC3-2004-crl.verisign.com/CSC3-2004.crl
  • http://christianchat.net/images/christian13.jpg
  • http://coolresourses.com/blog/images/3521.jpg
  • http://crl.microsoft.com/pki/crl/products/CSPCA.crl
  • http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl
  • http://crl.verisign.com/pca3-g2.crl
  • http://crl.verisign.com/pca3.crl
  • http://csc3-2009-crl.verisign.com/CSC3-2009.crl
  • http://greatecontent.com/blog/images/3521.jpg
  • http://willsglaucoma.org/images/lhous3.gif
  • http://willsglaucoma.org/images/lhous4.gif
  • http://www.google.com/
  • http://www.google.de/
  • http://xprstats.com/images/logo.png
DNS Requests
  • CSC3-2004-crl.verisign.com
  • christianchat.net
  • coolresourses.com
  • crl.microsoft.com
  • crl.verisign.com
  • csc3-2009-crl.verisign.com
  • greatecontent.com
  • willsglaucoma.org
  • www.google.com
  • www.google.de
  • xprstats.com

Example 3

File Information

Size
169K
SHA-1
009156b45fdf63a5ecd50cee40a0888e48349cbf
MD5
5ced960f1701ac9aad53f47cfcd1d4d4
CRC-32
9043ebea
File type
application/x-ms-dos-executable
First seen
2011-07-11

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Application Data\Microsoft\conhost.exe
Dropped Files
  • c:\Documents and Settings\test user\Application Data\dwm.exe
    Size
    177K
    SHA-1
    019cefd4d68694925fa43ee977a37edfe4cfe7ce
    MD5
    89ddb75cf6d0133e218dc591b168ef2a
    CRC-32
    e5ade58c
    File type
    application/x-ms-dos-executable
    First seen
    2011-07-11
  • c:\Documents and Settings\test user\Application Data\337E.A1A
    Size
    1.2K
    SHA-1
    1c24affaecdd002fa2b4e9f6bb1fda4a322b9d4f
    MD5
    c7eee92e2431b31e224c438b9e00691e
    CRC-32
    42e4e6e5
    File type
    application/octet-stream
    First seen
    2011-07-11
Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    conhost
    c:\Documents and Settings\test user\Application Data\Microsoft\conhost.exe
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell
    explorer.exe,c:\Documents and Settings\test user\Application Data\dwm.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyServer
    http=127.0.0.1:53495
Registry Keys Modified
  • HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings
    ProxyEnable
    0x00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable
    0x00000001
  • HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings
    ProxyEnable
    0x00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    DefaultConnectionSettings
    3c 00 00 00 03 00 00 00 03 00 00 00 14 00 00 00 68 74 74 70 3d 31 32 37 2e 30 2e 30 2e 31 3a 35 33 34 39 35 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 80 88 73 da f3 98 ca 01 01 00 00 00 ac 10 00 06 00 00 00 00 00 00 00 00
Processes Created
  • c:\Documents and Settings\test user\application data\dwm.exe
  • c:\docume~1\support\locals~1\temp\2.exe
HTTP Requests
  • http://japanesegreenteaonline.com/assets/images/greentea-cha-1.gif
  • http://mysmallhomespace.com/blog/images/3521.jpg
  • http://nationsautoelectric.com/images/50-217-1_F_1_.jpg
  • http://psfk.com/img/icons/facebook.png
  • http://superaudiosysrem.com/blog/images/3521.jpg
  • http://www.google.com/
  • http://www.google.de/
  • http://xprstats.com/images/logo.png
DNS Requests
  • japanesegreenteaonline.com
  • mysmallhomespace.com
  • nationsautoelectric.com
  • psfk.com
  • superaudiosysrem.com
  • www.google.com
  • www.google.de
  • xprstats.com
  • zonedg.com