Trojan.FakeAV.VE
First posted on 21 November 2011.
Source: BitDefender
Aliases :
There are no other names known for Trojan.FakeAV.VE.
Explanation :
This is a downloader for the Antivirus Pro 2010 fake-alert malware, which gets installed on the system in two steps. First, it tries to download, from a few randomly named locations, a file saved as "%user_documents%\Application Data\lizkavd.exe". The new executable then attempts to connect, using a name and a password, to further randomly named locations and download a password-protected archive. This archive contains the actual fake-alert malware (Trojan.FakeAV.VH), which will be installed in the %Programs%\AntivirusPro_2010 folder.
When executed, the downloader will copy itself to:
%user_documents%\application data\svcst.exe
%user_documents%\application data\seres.exe
These two copies are started together and protect each other from being terminated by the user, using two named mutexes.
The two copies are also registered to run at system startup:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
svchost=%user_documents%\application data\svcst.exe
mserv=%user_documents%\application data\seres.exe
It will lower security settings by modifying the following registry keys:
[HKCU\Software\Microsoft\Internet Explorer\Download]
CheckExeSignatures = no
RunInvalidSignatures = 0x1
[HKU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
LowRiskFileTypes = zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mov;.mp3;.wav
After applying the above settings, the malware will try to download another executable from:
hxxp://ertanue5skayert.com/s1fb0Uv5MS8X[removed]
hxxp://abumaso3thkamid.com/nQ1Zx0E5X8[removed] ...
checking when the download is completed by querying Program Files\AntivirusPro_2010\AntivirusPro_2010.exe
Last update 21 November 2011
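A defender-side check for the registry changes listed above, as an added example (not BitDefender's code): it scans `reg export` text for the two Run entries and the lowered signature and low-risk file type settings. The sample export and its user profile path are constructed.

```python
import re

# File names of the two self-copies named in the description above.
RUN_EXES = ("\\svcst.exe", "\\seres.exe")

# Constructed sample in "reg export" format; the profile path is hypothetical.
SAMPLE = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost"="C:\\Documents and Settings\\user\\Application Data\\svcst.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
"RunInvalidSignatures"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".zip;.rar;.exe;.msi"
'''

def parse_reg(text):
    """Parse 'reg export'-style text into {key: {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            current[name.strip().strip('"').lower()] = data.strip().strip('"')
    return keys

def find_indicators(text):
    """Return (indicator, value_name) pairs for the settings the page lists."""
    found = []
    for key, values in parse_reg(text).items():
        if key.endswith(r"\currentversion\run"):
            for name, data in values.items():
                path = data.lower().replace("\\\\", "\\")  # undo .reg escaping
                if "\\application data\\" in path and path.endswith(RUN_EXES):
                    found.append(("run-persistence", name))
        elif key.endswith(r"\internet explorer\download"):
            if values.get("checkexesignatures", "").lower() == "no":
                found.append(("signature-check-off", "CheckExeSignatures"))
            risky = values.get("runinvalidsignatures", "").lower()
            if re.fullmatch(r"(?:dword:|0x)0*1", risky):  # 'dword:00000001' or '0x1'
                found.append(("run-invalid-signatures", "RunInvalidSignatures"))
        elif key.endswith(r"\policies\associations"):
            if ".exe" in values.get("lowriskfiletypes", "").lower().split(";"):
                found.append(("exe-marked-low-risk", "LowRiskFileTypes"))
    return found
```

Matching is on the key suffix, so the same function works on exports taken from HKCU or from a per-user hive under HKU.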