
XPHomeSecurity2012


First posted on 12 July 2011.
Source: SecurityHome

Aliases:

There are no other names known for XPHomeSecurity2012.

Explanation:

"XP Home Security 2012" is a brand of rogue malware detected as Rogue:Win32/FakeRean. It displays fake alerts for non-existent threats, and prevents certain executable files from running.
Installation

"XP Home Security 2012" may drop the following file:

  • %AppData%\ddh.exe


It may also create the following registry entries:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: <random numbers>
With data: "%AppData%\ddh.exe"

Recent variants of Win32/FakeRean, including "XP Home Security 2012", make a number of changes to the registry to ensure that FakeRean's executable is run every time a file with an '.exe' file extension is run. Win32/FakeRean may make the following registry modifications for this purpose:

In subkey: HKCU\Software\Classes\.exe
Sets value: "(Default)"
With data: "secfile"

In subkey: HKCU\Software\Classes\.exe
Sets value: "Content Type"
With data: "application/x-msdownload"

In subkey: HKCU\Software\Classes\.exe\DefaultIcon
Sets value: "(Default)"
With data: "%1"

In subkey: HKCU\Software\Classes\.exe\shell\open\command
Sets value: "(Default)"
With data: ""%AppData%\av.exe" /START "%1" %*"

In subkey: HKCU\Software\Classes\.exe\shell\open\command
Sets value: "IsolatedCommand"
With data: ""%1" %*"

In subkey: HKCU\Software\Classes\.exe\shell\runas\command
Sets value: "(Default)"
With data: ""%1" %*"

In subkey: HKCU\Software\Classes\.exe\shell\runas\command
Sets value: "IsolatedCommand"
With data: ""%1" %*"

In subkey: HKCU\Software\Classes\.exe\shell\start\command
Sets value: "(Default)"
With data: ""%1" %*"

In subkey: HKCU\Software\Classes\.exe\shell\start\command
Sets value: "IsolatedCommand"
With data: ""%1" %*"

In subkey: HKCU\Software\Classes\secfile
Sets value: "(Default)"
With data: "Application"

In subkey: HKCU\Software\Classes\secfile
Sets value: "Content Type"
With data: "application/x-msdownload"

In subkey: HKCU\Software\Classes\secfile\DefaultIcon
Sets value: "(Default)"
With data: "%1"

In subkey: HKCU\Software\Classes\secfile\shell\open\command
Sets value: "(Default)"
With data: ""%AppData%\av.exe" /START "%1" %*"

In subkey: HKCU\Software\Classes\secfile\shell\open\command
Sets value: "IsolatedCommand"
With data: ""%1" %*"

In subkey: HKCU\Software\Classes\secfile\shell\runas\command
Sets value: "(Default)"
With data: ""%1" %*"

In subkey: HKCU\Software\Classes\secfile\shell\runas\command
Sets value: "IsolatedCommand"
With data: ""%1" %*"

In subkey: HKCU\Software\Classes\secfile\shell\start\command
Sets value: "(Default)"
With data: ""%1" %*"

In subkey: HKCU\Software\Classes\secfile\shell\start\command
Sets value: "IsolatedCommand"
With data: ""%1" %*"
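
The following PowerShell check is an added defender-side example, not part of the original analysis: it looks for the per-user .exe association hijack listed above (an HKCU .exe class whose open/runas/start verbs no longer resolve to the benign "%1" %* command) and for Run entries launching an executable from %AppData%. The key names and the clean command value come from the page; the function name, the treatment of the ProgID redirect (secfile on this page) and the output format are this example's own choices.

```powershell
# Added example: audit HKCU for the FakeRean-style .exe association hijack.
function Test-ExeAssociationHijack {
    $findings = @()
    $cleanCommand = '"%1" %*'
    $exeClass = 'HKCU:\Software\Classes\.exe'

    # A clean profile normally has no per-user .exe class; HKCR inherits
    # it from HKLM. Its mere presence under HKCU is worth a look.
    if (Test-Path $exeClass) {
        $progId = (Get-ItemProperty -Path $exeClass -ErrorAction SilentlyContinue).'(default)'
        $findings += "Per-user .exe class present (ProgID '$progId')"

        # Inspect the .exe key itself and the ProgID it redirects to (the
        # page shows 'secfile'); both may carry the hijacked verbs.
        $classesToCheck = @($exeClass)
        if ($progId) { $classesToCheck += "HKCU:\Software\Classes\$progId" }

        foreach ($cls in $classesToCheck) {
            foreach ($verb in 'open', 'runas', 'start') {
                $cmdKey = Join-Path $cls "shell\$verb\command"
                if (-not (Test-Path $cmdKey)) { continue }
                $props = Get-ItemProperty -Path $cmdKey
                foreach ($name in '(default)', 'IsolatedCommand') {
                    $value = $props.$name
                    if ($value -and $value -ne $cleanCommand) {
                        $findings += "$cmdKey [$name] = $value"
                    }
                }
            }
        }
    }

    # Run entries that launch an executable straight out of %AppData%.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path $runKey) {
        $run = Get-ItemProperty -Path $runKey
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not values
            if ($p.Value -match '(?i)(%AppData%|\\AppData\\Roaming)\\[^\\]+\.exe') {
                $findings += "$runKey [$($p.Name)] = $($p.Value)"
            }
        }
    }
    return $findings
}

# Prints one line per suspicious value; no output means nothing matched.
Test-ExeAssociationHijack
```

Run it in the affected user's session, since the keys live under HKCU; a hit on the ProgID redirect without a matching Run entry still warrants inspection of the referenced %AppData% file.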

When an executable file is run, the malware intercepts the launch and reports the file as infected, as in the following:





Payload

Displays fake alerts for non-existent threats
"XP Home Security 2012" displays the following fake alerts:













Analysis by Francis Allan Tan Seng

Last update 12 July 2011
