Troj/FakeAV-EIR

Category: Viruses and Spyware
Type: Trojan
Protection available since: 28 Jul 2011 21:18:11 (GMT)
Last Updated: 28 Jul 2011 21:18:11 (GMT)
Prevalence: Small Number of Reports


Examples of Troj/FakeAV-EIR include:

Example 1

File Information

Size
664K
SHA-1
1ca982bf1fe87eee1002332dbfa923d3729fd443
MD5
08152cd6108d5a49d99607fd0f14aa63
CRC-32
33a8429a
File type
application/x-ms-dos-executable
First seen
2011-07-28

Runtime Analysis

Registry Keys Created
  • HKCR\CLSID\{19090308-636D-4e9b-A1CE-A647B6F794BF}
    (Default)
    ADC PlugIn
  • HKCR\CLSID\{19090308-636D-4e9b-A1CE-A647B6F794BF}\InprocServer32
    (Default)
    c:\test_item.dll

Example 2

File Information

Size
2.6M
SHA-1
47d934ce1af2c6706895023e5df5debf0647b41a
MD5
fe2657f4aef7a7896dff4315de6cafc0
CRC-32
359f6ac1
File type
application/x-ms-dos-executable
First seen
2011-07-28

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Application Data\BlueFlare Antivirus\BlueFlare Antivirus.exe
Dropped Files
  • c:\Documents and Settings\test user\Application Data\BlueFlare Antivirus\BlueFlare Antivirus.ico
    Size
    15K
    SHA-1
    4731d9384351ca64307b3521ac1a5047fb020f20
    MD5
    8f7881db089758c3da430ce9d42c8fda
    CRC-32
    9c89f059
    File type
    Unspecified binary - probably data
    First seen
    2011-06-07
  • c:\Documents and Settings\test user\Start Menu\Programs\BlueFlare Antivirus\BlueFlare Antivirus.lnk
    Size
    2.1K
    SHA-1
    39cce283b45a45394a800baa1c2f9990760a9c90
    MD5
    47611508570b6c4c1729da8fdcc7a0d5
    CRC-32
    fa35c7a3
    File type
    application/octet-stream
    First seen
    2011-07-28
  • c:\Documents and Settings\test user\Application Data\BlueFlare Antivirus\csrss.exe
    Size
    212K
    SHA-1
    02f93181f4137f829b7a8ee517542c3de4c54b44
    MD5
    d332377097be7955577e064a4c321fbb
    CRC-32
    52292cf5
    File type
    application/x-ms-dos-executable
    First seen
    2011-07-28
  • c:\Documents and Settings\test user\Application Data\BlueFlare Antivirus\ms.conf
    Size
    1.2K
    SHA-1
    642b00a3d112ec5ae8d9e44f0175a165a3701218
    MD5
    d3299f2cc7de693a0e057e0741ff4477
    CRC-32
    ac27c0dd
    File type
    application/octet-stream
    First seen
    2011-07-28
  • c:\Documents and Settings\test user\Desktop\BlueFlare Antivirus.lnk
    Size
    2.1K
    SHA-1
    17843b9e3c4f4853c4b5f72ed5e9ed9586e97a36
    MD5
    ad635bad66535084fcf9a02a7fd4cb49
    CRC-32
    546d7ff6
    File type
    application/octet-stream
    First seen
    2011-07-28
  • c:\Documents and Settings\test user\Local Settings\Temp\3.tmp
    Size
    168K
    SHA-1
    0d45860d315e977102aae983b1361d6dd944eb72
    MD5
    2ba0bf657233662ca297f024eb1085ce
    CRC-32
    78b1587b
    File type
    application/x-ms-dos-executable
    First seen
    2011-07-28
  • c:\Documents and Settings\test user\Application Data\BlueFlare Antivirus\sbr32.dll
    Size
    664K
    SHA-1
    1ca982bf1fe87eee1002332dbfa923d3729fd443
    MD5
    08152cd6108d5a49d99607fd0f14aa63
    CRC-32
    33a8429a
    File type
    application/x-ms-dos-executable
    First seen
    2011-07-28
Registry Keys Created
  • HKCR\CLSID\{19090308-636D-4e9b-A1CE-A647B6F794BF}
    (Default)
    ADC PlugIn
  • HKCR\CLSID\{19090308-636D-4e9b-A1CE-A647B6F794BF}\InprocServer32
    (Default)
    c:\Documents and Settings\test user\Application Data\BlueFlare Antivirus\sbr32.dll
HTTP Requests
  • http://core6861.s-internals.com/stat/action.php
  • http://google.com/
  • http://jn6861.secure-validation.com/images/bg.gif
  • http://jn6861.secure-validation.com/images/cn.jpg
  • http://jn6861.secure-validation.com/images/cvv.gif
  • http://jn6861.secure-validation.com/images/dw.gif
  • http://jn6861.secure-validation.com/images/lfbg.jpg
  • http://jn6861.secure-validation.com/images/rhbg.jpg
  • http://jn6861.secure-validation.com/images/shadowlf.gif
  • http://jn6861.secure-validation.com/images/shadowrh.gif
  • http://jn6861.secure-validation.com/images/t.gif
  • http://jn6861.secure-validation.com/images/up.jpg
  • http://jn6861.secure-validation.com/images/visamc.gif
  • http://jn6861.secure-validation.com/signup.php
  • http://s-internals.com/
  • http://s-internals.com/ex1.php
  • http://s-internals.com/ex2.php
  • http://secure-validation.com/
DNS Requests
  • core6861.s-internals.com
  • google.com
  • jn6861.secure-validation.com
  • s-internals.com
  • secure-validation.com
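The runtime analysis above gives enough to hunt for this family without the samples themselves: both examples register the same CLSID with an InprocServer32 pointing at the dropped DLL, the dropper copies itself into a "BlueFlare Antivirus" folder under the user's profile alongside a csrss.exe that masquerades as the Windows subsystem process, and the network traffic goes to two registered domains (google.com is a connectivity probe, not an indicator). The following is an added example, not Sophos code: a small offline matcher that turns the indicators on this page into detection logic and runs it over constructed registry, DNS and file events. The hashes, CLSID, folder name and domains are taken from the report; the Event layout, the per-host sample telemetry and the account name "alice" are assumptions made for illustration. Note that the "test user" account in the report paths is the sandbox user, so the folder name rather than the full path is what to match on, and that the registry CLSID is the stronger indicator since the DLL path differs between the two examples.

```python
"""Offline IOC matcher for the Troj/FakeAV-EIR indicators listed above.

Added example, not Sophos code. Hashes, the CLSID, the drop-folder name and
the domains come from the report; the Event layout and the sample telemetry
below are constructed for illustration.
"""
from dataclasses import dataclass

# CLSID registered by both examples; InprocServer32 points at the dropped DLL.
# The key location is stable across samples, the DLL path is not.
CLSID = "{19090308-636D-4e9b-A1CE-A647B6F794BF}".lower()

# SHA-1 of the executables listed in the report.
SHA1_IOCS = {
    "1ca982bf1fe87eee1002332dbfa923d3729fd443": "sbr32.dll (Example 1 / dropped by Example 2)",
    "47d934ce1af2c6706895023e5df5debf0647b41a": "Example 2 dropper",
    "02f93181f4137f829b7a8ee517542c3de4c54b44": "dropped csrss.exe",
    "0d45860d315e977102aae983b1361d6dd944eb72": "3.tmp",
}

# Registered domains contacted. Matching on the parent domain also catches
# sibling hosts such as core6861.s-internals.com and jn6861.secure-validation.com.
# google.com appears in the report but is a connectivity probe and is excluded.
C2_DOMAINS = ("s-internals.com", "secure-validation.com")

# Folder the sample copies itself into. "test user" in the report is the
# sandbox account, so match on the folder name rather than the full path.
DROP_DIR = "\\blueflare antivirus\\"

# The genuine csrss.exe lives only here; a copy anywhere else is suspicious.
GENUINE_CSRSS = r"c:\windows\system32\csrss.exe"


@dataclass
class Event:
    kind: str            # "registry" | "dns" | "file"  (assumed layout)
    subject: str         # registry key / queried name / file path
    data: str = ""       # registry value data, or file SHA-1 (hex)


def match_registry(key: str, data: str) -> list[str]:
    key = key.lower()
    hits = []
    if CLSID in key:
        hits.append(f"CLSID {CLSID} created")
        if key.endswith("inprocserver32"):
            hits.append(f"InprocServer32 -> {data}")
    return hits


def match_dns(qname: str) -> list[str]:
    q = qname.lower().rstrip(".")
    return [f"C2 domain {q}" for d in C2_DOMAINS if q == d or q.endswith("." + d)]


def match_file(path: str, sha1: str = "") -> list[str]:
    p = path.lower()
    hits = []
    if sha1.lower() in SHA1_IOCS:
        hits.append(f"known hash: {SHA1_IOCS[sha1.lower()]}")
    if DROP_DIR in p:
        hits.append("file in BlueFlare Antivirus drop folder")
    if p.rsplit("\\", 1)[-1] == "csrss.exe" and p != GENUINE_CSRSS:
        hits.append("csrss.exe outside %SystemRoot%\\System32")
    return hits


MATCHERS = {
    "registry": lambda e: match_registry(e.subject, e.data),
    "dns": lambda e: match_dns(e.subject),
    "file": lambda e: match_file(e.subject, e.data),
}


def scan(events: list[Event]) -> dict[int, list[str]]:
    """Return {event index: [reasons]} for every event matching an indicator."""
    findings = {}
    for i, ev in enumerate(events):
        hits = MATCHERS[ev.kind](ev)
        if hits:
            findings[i] = hits
    return findings


# Constructed sample telemetry from one host (not from the report).
SAMPLE_EVENTS = [
    Event("registry", r"HKCR\CLSID\{19090308-636D-4e9b-A1CE-A647B6F794BF}\InprocServer32",
          r"C:\Users\alice\AppData\Roaming\BlueFlare Antivirus\sbr32.dll"),
    Event("registry", r"HKCR\CLSID\{00021401-0000-0000-C000-000000000046}\InprocServer32",
          r"C:\Windows\System32\shell32.dll"),
    Event("dns", "core6861.s-internals.com."),
    Event("dns", "google.com"),
    Event("file", r"C:\Users\alice\AppData\Roaming\BlueFlare Antivirus\csrss.exe"),
    Event("file", r"C:\Windows\System32\csrss.exe"),
    Event("file", r"C:\Users\alice\AppData\Local\Temp\3.tmp",
          "0d45860d315e977102aae983b1361d6dd944eb72"),
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS).items():
        print(f"[{idx}] {SAMPLE_EVENTS[idx].subject}")
        for r in reasons:
            print("     ", r)
```

Run as-is, the script flags four of the seven constructed events: the InprocServer32 registration, the DNS lookup of a host under s-internals.com, the csrss.exe in the drop folder (on two grounds: folder name and location outside System32), and the 3.tmp by hash. The shell32 CLSID, the google.com lookup and the genuine csrss.exe are left alone.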