
AV Security 2012


First posted on 15 November 2011.
Source: SecurityHome

Aliases:

AV Security 2012 is also known as Rogue:Win32/FakeScanti (other), Win32/FakeScanti (other).

Explanation:

AV Security 2012 is a variant of Win32/FakeScanti - a family of trojans that claim to scan for malware and display fake warnings of "malicious programs and viruses". It then informs the user that they need to pay money to register the software in order to remove these non-existent threats. The malware may also attempt to terminate processes and block access to websites.





Installation

AV Security 2012 copies itself to <system folder>\av security 2012v<3 digit number>.exe (for example, <system folder>\av security 2012v121.exe).

The trojan drops the following files:

  • %AppData%\ldr.ini
  • %AppData%\<8 or more random alphanumeric chars>\AV Security 2012.ico
  • %ProgramFiles%\AV Security 2012\AV Security 2012.lnk
  • <Desktop folder>\AV Security 2012.lnk


Note: <Desktop folder> refers to a variable location that is determined by the malware by querying the Operating System. The default location for the 'Desktop' folder for Windows Vista and 7 is '%HOMEPATH%\Desktop'.

The fake scanner may be downloaded from a location such as any of those listed in the Payload section, saved to the %TEMP% directory, then launched.

AV Security 2012 makes the following changes to the registry to ensure that its copy is executed at each Windows start:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: <eight or more random alphanumeric characters> (for example, VvUJ1sY0aTNp8234A)
With data: <path name of malware> (for example, <system folder>\E0qaxGNpRBoE8E7.exe)

Some variants may drop files identical to each of the following:

  • %TEMP%\dwme.exe
  • %AppData%\dwme.exe


The above files may be variants of the Win32/Cycbot family, which may then install PWS:Win32/Fareit.

If Cycbot is installed, Win32/FakeScanti also adds the following registry entry to ensure that Cycbot is run at each Windows start:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: <8 or more random characters>
With data: %AppData%\dwme.exe
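The two Run-key entries above (the trojan's own copy and the optional Cycbot component) are the persistence artifacts a responder would look for first. The following Python triage script is an added example and is not part of the original analysis: it parses a `.reg` export of the Run keys (as produced by `reg export`), and flags values whose data points at the `av security 2012v<3 digits>.exe` copy, at `dwme.exe` in a user-profile location, or (lower confidence) at a random-named executable in the system folder started by a random-named value. The sample export is constructed; its malicious value names and paths reuse the examples given in this write-up, the benign entries are invented for contrast, and the "letters and digits mixed" rule for random-looking names is a heuristic added here, not something the write-up states.

```python
import re
from typing import Dict, List, Tuple

# The trojan's own copy: "av security 2012v" + three digits + ".exe" (from the write-up).
AVSEC_COPY = re.compile(r"^av security 2012v\d{3}\.exe$", re.IGNORECASE)
# Random-looking value/binary names: 8+ alphanumerics containing at least one letter
# and one digit. Requiring both is a heuristic added here so that ordinary names such
# as "SecurityHealth" are not flagged; the write-up only says "random alphanumeric".
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]{8,}$")
# Cycbot component some variants drop and start from %AppData%\dwme.exe.
CYCBOT_NAME = "dwme.exe"
RUN_KEY_SUFFIX = "\\microsoft\\windows\\currentversion\\run"

REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: data}}.

    Only REG_SZ values ("name"="data") are needed for Run-key triage; hex(...)
    and dword values are skipped. Backslashes and quotes are backslash-escaped
    in .reg files and are un-escaped here.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = REG_VALUE.match(line)
        if m and current is not None:
            data = m.group("data").replace("\\\\", "\\").replace('\\"', '"')
            keys[current][m.group("name")] = data
    return keys


def assess_run_value(name: str, data: str) -> Tuple[str, str]:
    """Return (confidence, reason) for one Run value; ("", "") when nothing matches."""
    path = data.strip().strip('"')
    lowered = path.lower()
    basename = path.rsplit("\\", 1)[-1]
    if AVSEC_COPY.match(basename):
        return "high", "points at the AV Security 2012 copy"
    if basename.lower() == CYCBOT_NAME and ("\\appdata\\" in lowered or "\\temp\\" in lowered):
        return "high", "points at dwme.exe in a user profile location (Cycbot component)"
    stem = basename[:-4] if basename.lower().endswith(".exe") else basename
    if RANDOM_NAME.match(name) and RANDOM_NAME.match(stem) and "\\system32\\" in lowered:
        return "medium", "random value name starting a random-named exe from the system folder"
    return "", ""


def find_fakescanti_persistence(reg_text: str) -> List[Tuple[str, str, str, str, str]]:
    """Scan every ...\\CurrentVersion\\Run key in the export; return
    (confidence, key, value_name, data, reason) for each suspicious value."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().endswith(RUN_KEY_SUFFIX):
            continue
        for name, data in values.items():
            confidence, reason = assess_run_value(name, data)
            if confidence:
                hits.append((confidence, key, name, data, reason))
    return hits


# Constructed .reg export. The malicious value names and paths reuse the examples
# in the write-up; the benign entries are invented for contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"
"VvUJ1sY0aTNp8234A"="C:\\Windows\\system32\\E0qaxGNpRBoE8E7.exe"
"Q8zkd2Lp3m"="C:\\Users\\victim\\AppData\\Roaming\\dwme.exe"
"AVSec"="C:\\Windows\\system32\\av security 2012v121.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
'''

if __name__ == "__main__":
    for confidence, key, name, data, reason in find_fakescanti_persistence(SAMPLE_REG):
        print(f"[{confidence}] {key}\\{name} = {data}  ({reason})")
```

Run it against a real export with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the HKCU equivalent) and pass the file contents to `find_fakescanti_persistence`. Only the "high" rules are tied to strings this write-up documents; treat a "medium" hit as something to pull and hash, not as a verdict.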



Payload

Downloads and executes arbitrary files

This trojan may connect to websites such as the following:

  • cc-chargeonline.com
  • ccbill-online.com
  • freshmediacontent.com
  • ordersonlinenow.com
  • ourbigbooklibrarry.com
  • ourbigvideostore.com
  • paybycardonline.com
  • paybycardsonline.com
  • photodatastore.com
  • pickviewonline.com
  • s-internals.com
  • secure-validation.com
  • system-reports.com
  • xmlstatreports.com


It may download other files. Each downloaded file is saved under a random file name in the Windows temporary folder (%TEMP%).

The malware may also report the computer's details, such as operating system version and antivirus product to a remote server.

Terminates processes

This trojan monitors running processes and attempts to terminate any process unless its file name contains one of the following substrings:

  • *.tmp
  • csrss.exe
  • DllHost.exe
  • IEUser.exe
  • iexplore.exe
  • mst.exe
  • SearchProtocolHost.exe
  • server.exe
  • spooler.exe
  • un_inst.exe
  • winlogon.exe


It displays a system tray popup similar to the following:



Note that the downloaded malware is not terminated, as its file name has a .tmp extension.

Terminates and/or uninstalls security software

It may attempt to terminate and/or uninstall security software from the following companies:

  • Microsoft (Windows Defender and Security Essentials)
  • Norton
  • Avira
  • AVG
  • ESET
  • Dr.Web
  • Kaspersky
  • Bitdefender
  • McAfee


Displays fake antivirus scanner

When run, the trojan performs a fake scan of the system and falsely claims that a number of files on the computer are infected with malware. Should users request that it clean the reported infections, it advises them that they need to pay money to register the program before the cleaning can be performed.



It displays various windows, system tray pop-ups, and error messages in an attempt to convince the user that their system is infected and that they should pay to register the fake software. In some cases it greys out the background to imitate a UAC prompt.


It may also simulate a system crash by displaying error messages such as the following:


Restarts the computer

This trojan occasionally restarts the computer. This may be an attempt to convince the user that the computer is infected with malware.

Blocks access to websites

This trojan may randomly block access to websites that the user attempts to visit, displaying the following error message in Internet Explorer. The dialog is intended to convince the user that the site they are visiting is malicious and that they must take the action the attacker recommends in order to be protected:



Modifies Hosts File

The malware appends entries to the file at <system folder>\drivers\etc\hosts in an attempt to redirect requests intended for the domains listed below to a server controlled by the malware's distributors:

  • bing.com
  • facebook.com
  • google.com
  • yahoo.com


Examples of servers used include the following:

  • 46.4.179.105
  • 173.212.229.164
  • 212.124.122.156


At the time of publication, attempting to visit the main index page on these servers resulted in the display of the page below:



Attempts to visit other locations, including search result pages, may result in a '404 not found' page.
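The hosts-file hijack described in the "Modifies Hosts File" section is easy to verify on a suspect machine. The following Python check is an added example and is not part of the original analysis: it parses a hosts file, picks out entries for the four domains (treating subdomains such as www.google.com as in scope, which is an assumption that generalises the list above), and reports any that resolve to something other than the local host, marking those that point at the server addresses given in this write-up. Loopback and 0.0.0.0 entries are skipped because they sinkhole a name rather than redirect it, which is the behaviour of ad-blocking host lists, not of this trojan. The sample hosts file is constructed.

```python
import ipaddress
from typing import List, Tuple

# Domains the write-up says the trojan redirects via the hosts file.
TARGET_DOMAINS = ("bing.com", "facebook.com", "google.com", "yahoo.com")
# Redirect destinations listed in the write-up.
KNOWN_REDIRECT_IPS = {"46.4.179.105", "173.212.229.164", "212.124.122.156"}


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, ip, hostname) for every mapping in a hosts file.
    Comments (#...) and blank lines are skipped; one line may map several names."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an address; leave malformed lines to a human
        for name in names:
            entries.append((lineno, ip, name.lower().rstrip(".")))
    return entries


def is_target(host: str) -> bool:
    """True for the listed domains and any subdomain of them (assumption, see lead-in)."""
    return any(host == d or host.endswith("." + d) for d in TARGET_DOMAINS)


def find_hijacked_entries(text: str) -> List[dict]:
    """Flag hosts entries that send a targeted domain anywhere other than the local host.
    A hosts entry for google.com or facebook.com is never legitimate on a normal
    workstation, so every non-loopback hit is worth a look; known_c2 marks the
    addresses documented in the write-up."""
    findings = []
    for lineno, ip, host in parse_hosts(text):
        if not is_target(host):
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue  # 127.0.0.1 / 0.0.0.0 sinkhole the name rather than redirect it
        findings.append({"line": lineno, "host": host, "ip": ip,
                         "known_c2": ip in KNOWN_REDIRECT_IPS})
    return findings


# Constructed hosts file: the standard Windows header, two invented local entries,
# the redirect entries as this trojan would append them, and one extra entry using
# an address that is not in the write-up's list.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.example    # constructed internal entry
0.0.0.0         ads.example.net          # constructed ad-block style sinkhole
46.4.179.105    google.com www.google.com
46.4.179.105    bing.com www.bing.com
173.212.229.164 facebook.com www.facebook.com
212.124.122.156 yahoo.com www.yahoo.com search.yahoo.com
198.51.100.7    mail.google.com          # constructed: address not in the write-up
"""

if __name__ == "__main__":
    for f in find_hijacked_entries(SAMPLE_HOSTS):
        tag = "known FakeScanti server" if f["known_c2"] else "unknown destination"
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({tag})")
```

On a live system read `%SystemRoot%\System32\drivers\etc\hosts` and pass its contents to `find_hijacked_entries`. An unknown destination is still a finding: the server list above is a snapshot from the time of analysis, and the hosts-file technique does not depend on any particular address.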



Analysis by David Wood

Last update 15 November 2011

