Home / malware Trojan-Dropper:W32/Hoaxer.B
First posted on 08 October 2008.
Source: SecurityHomeAliases :
There are no other names known for Trojan-Dropper:W32/Hoaxer.B.
Explanation :
This type of trojan contains one or more malicious files, which it will secretly install on the system.
right]This malware drops and installs multiple files in the system. The cumulative effect of the malware is to produce a fake infection warning, which aims to frighten the user into purchasing a rogue antivirus program.
Installation
The malware installs a variety of files on the system.
These files are all detected as Trojan-Downloader.Win32.Hoaxer.a:
- %programfiles%PCHealthCenter�.exe
- %programfiles%PCHealthCenter1.exe
- %programfiles%PCHealthCenter2.exe
- %programfiles%PCHealthCenter3.exe
- %programfiles%PCHealthCenter4.exe
- %programfiles%PCHealthCenter5.exe
- %programfiles%PCHealthCenter7.exe
These files are all image files used by the sc.html file:
This file is the fake Windows Security Center warning:
- %programfiles%PCHealthCenter�.gif
- %programfiles%PCHealthCenter1.gif
- %programfiles%PCHealthCenter2.gif
- %programfiles%PCHealthCenter3.gif
- %programfiles%PCHealthCentersc.html
These icons are for links to pornography sites:
- %programfiles%PCHealthCenter1.ico
- %programfiles%PCHealthCenter2.ico
In addition to icons for links, the malware also adds actual links to the megafreeporn website:
- %desktop%QUALITY PORN.url
- %desktop%BEST ZOO PORN.url
These files are essentially duplicates of files which have been previously installed:
- c:x - same file as %programfiles%PCHealthCenter7.ex
- %windir%system32YUR.exe - same file as %programfiles%PCHealthCenter1.exe
- %windir%system32YUR.exe - same file as %programfiles%PCHealthCenter2.exe
- %windir%system32YUR.exe - same file as %programfiles%PCHealthCenter3.exe
- %windir%system32YUR.exe - same file as %programfiles%PCHealthCenter4.exe
- %windir%system321.ico - same as %programfiles%PCHealthCenter1.ico
- %windir%system322.ico - same as %programfiles%PCHealthCenter2.ico
Finally, the malware installs a file which is detected as Fraudtool:W32/SpywarePreventer.A:
- http://first-reason.com/data/x7/[...]/0000005378.exe
Registry
The malware also makes a number of registry changes in order to display the installed files. Sample registry values would be:
- HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun
YUR1.exe = C:Windowssystem32YUR1.exe- HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun
YUR1.exe = C:Windowssystem32YUR1.exe- HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun
YUR2.exe = C:Windowssystem32YUR2.exe- HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun
YUR2.exe = C:Windowssystem32YUR2.exe- HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun
YUR3.exe = C:Windowssystem32YUR3.exe- HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun
YUR3.exe = C:Windowssystem32YUR3.exe- HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun
YUR4.exe = C:Windowssystem32YUR4.exe- HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun
YUR4.exe = C:Windowssystem32YUR4.exe
Execution
Upon execution, the malware will immediately display the sc.html file, which appears to be a Windows Security Center warning that the system is infected.
The user is asked if they would like to scan and remove the (supposed) threats detected, which is the recommended option. If the user clicks on the "Yes" option in the dialog box, the malware will open this link in the browser:
The page opened contains the product that the malware is promoting.
- http://scanner.vav-x-scanner.com/34/?advid=[...]5378&dsbndbinj&
Last update 08 October 2008
