
TrojanDownloader:Win32/FakeVimes


First posted on 18 May 2009.
Source: SecurityHome

Aliases:

There are no other names known for TrojanDownloader:Win32/FakeVimes.

Explanation:

TrojanDownloader:Win32/FakeVimes is a downloading component of Win32/FakeVimes - a family of programs that claims to scan for malware and displays fake warnings of “malicious programs and viruses”. They then inform the user that they need to pay money to register the software in order to remove these non-existent threats.

Special Note:

Reports of Rogue Antivirus programs have been more prevalent as of late. These are programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software. Some of these programs may display product names or logos in an apparently unlawful attempt to impersonate Microsoft products. Use Microsoft Windows Defender, the Windows Live safety scanner (http://onecare.live.com/site/en-us/default.htm), or another up-to-date scanning and removal tool to detect and remove these threats and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.

Symptoms

System Changes
Symptoms vary among different distributions of TrojanDownloader:Win32/FakeVimes; however, the presence of the following system changes (or similar) may indicate the presence of this program:

  • Display of the following images/dialogs, or similar (for example):



    Installation
    Members of the Win32/FakeVimes family use various filenames and system modifications that can differ from one variant to the next. Win32/FakeVimes has been distributed with several different names. The user interface and some other details vary to reflect each variant's individual branding. When executed, TrojanDownloader:Win32/FakeVimes copies itself using a variable file name to the %temp% folder and sets the following registry entry to ensure its execution on Windows start:

    Adds value: <variable value>
    With data: <%temp%\TrojanDownloader:Win32/FakeVimes executable>
    To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

    Payload

    Downloads and executes arbitrary files
    TrojanDownloader:Win32/FakeVimes has been observed downloading other components of Win32/FakeVimes in the wild. These components may be detected as Trojan:Win32/FakeVimes. While downloading and installing these additional components, TrojanDownloader:Win32/FakeVimes may display one of the following messages, for example:

    The downloaded file is saved to the following location with a filename that differs according to distribution:
    C:\Documents and Settings\All Users\Application Data\<random value>\<Rogue Name.exe>
    For example:
    C:\Documents and Settings\All Users\Application Data\ff3ce05\UA2009.exe

    Modifies hosts file
    Win32/FakeVimes modifies the Windows Hosts file. The local Hosts file overrides the DNS resolution of a web site URL to a particular IP address. Malicious software may make modifications to the Hosts file in order to redirect specified URLs to different IP addresses. Malware often modifies an affected machine's Hosts file in order to stop users from accessing websites associated with particular security-related applications (such as antivirus, for example). Win32/FakeVimes may modify the Hosts file to redirect search domains to a different site, as in the following examples:
    206.53.61.77 search.msn.com
    206.53.61.77 search.live.com
    206.53.61.77 google.com
    206.53.61.77 search.yahoo.com

    Modifies system settings
    Attempts to disable UAC (User Account Control) prompts by modifying the following registry entry:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

    Contacts remote host
    TrojanDownloader:Win32/FakeVimes reports information about the settings of affected machines and successful installations to a remote host. In the wild it has been observed contacting the following host for this purpose:
    updvmfnow.cn

    Additional Information
    For more information, please see the Trojan:Win32/FakeVimes description elsewhere in the encyclopedia.
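    The indicators above (a RunOnce value pointing into %temp%, search domains pinned to a non-loopback address in the Hosts file, a change under the Policies\System key, and lookups of the reported remote host) can be checked offline against exported data. The following script is an added example written for this page; it is not part of the encyclopedia entry or of any Microsoft tool. The hosts text, RunOnce export, policy values and DNS log lines are constructed samples, the DNS log format is hypothetical, and the use of the EnableLUA value as the UAC switch is an assumption since the description does not name the value that is modified.

```python
import ipaddress
import re

# Constructed sample hosts-file text. The 206.53.61.77 address and the four
# search domains are the ones listed in the description; the first lines are
# ordinary Windows hosts-file content.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
206.53.61.77 search.msn.com
206.53.61.77 search.live.com
206.53.61.77 google.com
206.53.61.77 search.yahoo.com
"""

# Constructed sample of (value name, data) pairs as exported from
# HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce. The second entry
# follows the description's pattern: a variable name whose data lives in %temp%.
SAMPLE_RUNONCE = [
    ("SetupCleanup", r"C:\WINDOWS\system32\setupcleanup.exe"),
    ("a7f1c2", r"C:\Documents and Settings\user\Local Settings\Temp\a7f1c2.exe"),
]

# Constructed sample of values under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
# Assumption: EnableLUA (the standard value that turns UAC off) is the one of interest.
SAMPLE_UAC_POLICY = {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 5}

# Constructed DNS query log lines in a hypothetical "timestamp client qname" format.
SAMPLE_DNS_LOG = [
    "2009-05-18T10:00:01 10.0.0.12 www.microsoft.com",
    "2009-05-18T10:00:07 10.0.0.12 updvmfnow.cn",
]

# Domains the description shows being redirected, and the reported remote host.
SEARCH_DOMAINS = {"search.msn.com", "search.live.com", "google.com", "search.yahoo.com"}
KNOWN_REMOTE_HOSTS = {"updvmfnow.cn"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: ignore the line
        for name in fields[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def suspicious_hosts_entries(text, watched=SEARCH_DOMAINS):
    """Watched domains mapped to anything other than a loopback address."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if name in watched and not ipaddress.ip_address(ip).is_loopback]


TEMP_DIR = re.compile(r"(%temp%|\\Temp\\)", re.IGNORECASE)


def suspicious_runonce(values):
    """RunOnce entries whose command line points into a temp folder."""
    return [(name, data) for name, data in values if TEMP_DIR.search(data)]


def uac_disabled(policy):
    """True when EnableLUA is present and set to zero."""
    return policy.get("EnableLUA") == 0


def remote_host_lookups(log_lines, hosts=KNOWN_REMOTE_HOSTS):
    """Log lines whose queried name is one of the known remote hosts."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) >= 3 and fields[-1].lower().rstrip(".") in hosts:
            hits.append(line)
    return hits


def assess(hosts_text, runonce, policy, dns_log):
    """Collect every finding into a single report dict."""
    return {
        "hosts_redirects": suspicious_hosts_entries(hosts_text),
        "runonce_temp": suspicious_runonce(runonce),
        "uac_disabled": uac_disabled(policy),
        "remote_host_lookups": remote_host_lookups(dns_log),
    }


if __name__ == "__main__":
    report = assess(SAMPLE_HOSTS, SAMPLE_RUNONCE, SAMPLE_UAC_POLICY, SAMPLE_DNS_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

    On a real machine the inputs would come from %SystemRoot%\system32\drivers\etc\hosts, a registry export of the two keys named above, and the resolver or proxy logs; the checks deliberately flag the pattern (search domains pinned off loopback, a RunOnce command in a temp folder) rather than the single address and filename seen in this sample, since both vary between distributions.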


    Analysis by Ray Roberts

    Last update 18 May 2009