Rogue:VBS/FakePAV
First posted on 21 February 2014.
Source: Microsoft
Aliases:
There are no other names known for Rogue:VBS/FakePAV.
Explanation:
Threat behavior
This threat is a malicious VBE file with encoded VBScript that is used to download a copy of the FakePAV family.
When run, this threat tries to connect to a server and download a file. The name of the server and of the file to download is hardcoded into the threat, and differs between samples. We have seen it use the following URLs:
- http://9aad47979865a49c8dae-7e5e590511867516e679d8131e8f65d1.r13.cf2.rackcdn.com/b661d395113bc6c61ef19ba9062e6352.exe
- http://a13a18e1774547ca2dc5-a941e09a8ebc3a85367c1ba4d545bd67.r11.cf2.rackcdn.com/7b46a66b3ce37eb916e5e89b76968f48.exe
- http://a13a18e1774547ca2dc5-a941e09a8ebc3a85367c1ba4d545bd67.r11.cf2.rackcdn.com/c9b969ce1676e613b12357501d9aa80a.exe
- http://d3d2366d8762287e8257-19dc26c51ead3b4fd8eb395f59b15bcb.r59.cf2.rackcdn.com/setup.exe
We have seen the threat download the file to the %TEMP% folder with the file name file.exe or Setup.exe.vbe.
Additional information
This threat uses the document object model (DOM) controls MSXML2.XMLHTTP and ADODB.Stream for communication and file transfer purposes when downloading the .exe file.
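The following is an added detection example, not code from Microsoft or from the threat itself: it checks whether a script is still Script-Encoder encoded (the `#@~^` header a .vbe carries), then looks in a decoded script for the combination described above (MSXML2.XMLHTTP plus ADODB.Stream plus a file drop into %TEMP% or an .exe URL) and flags proxy-log lines whose URL has the shape of the hardcoded rackcdn.com addresses listed above. The sample script fragments and the log lines are constructed for the example.

```python
import re

# Indicators taken from the description: the decoded script instantiates
# MSXML2.XMLHTTP (HTTP fetch) and ADODB.Stream (binary file write) and
# drops an .exe into %TEMP%. All patterns are matched case-insensitively.
INDICATORS = {
    "xmlhttp":    re.compile(r'createobject\s*\(\s*"msxml2\.xmlhttp', re.I),
    "adostream":  re.compile(r'createobject\s*\(\s*"adodb\.stream', re.I),
    "savetofile": re.compile(r'\.savetofile\b', re.I),
    "temp_path":  re.compile(r'%temp%', re.I),
    "exe_url":    re.compile(r'https?://\S+\.exe\b', re.I),
}

# Header that Microsoft's Script Encoder writes at the start of a .vbe file.
VBE_MAGIC = "#@~^"

# Shape of the hardcoded download URLs listed above:
#   <hex>-<32 hex>.r<NN>.cf2.rackcdn.com/<name>.exe
CDN_URL = re.compile(
    r'https?://[0-9a-f]+-[0-9a-f]{32}\.r\d+\.cf2\.rackcdn\.com/[^\s/]+\.exe', re.I)


def is_encoded_vbe(text: str) -> bool:
    """True if the script is still encoded; decode it before inspecting content."""
    return text.lstrip().startswith(VBE_MAGIC)


def downloader_indicators(script: str) -> list:
    """Names of the indicators present in a decoded VBScript, in table order."""
    return [name for name, rx in INDICATORS.items() if rx.search(script)]


def is_fakepav_style_downloader(script: str) -> bool:
    """Heuristic verdict: HTTP fetch + binary stream + (file drop or .exe URL)."""
    hits = set(downloader_indicators(script))
    return {"xmlhttp", "adostream"} <= hits and bool(hits & {"savetofile", "exe_url"})


def flag_proxy_lines(lines: list) -> list:
    """Return proxy-log lines whose URL has the CDN shape seen in the samples."""
    return [ln for ln in lines if CDN_URL.search(ln)]


# Constructed sample: fragments of a decoded script carrying the indicators.
SAMPLE_DECODED = (
    'Set http = CreateObject("MSXML2.XMLHTTP")\n'
    'Set strm = CreateObject("ADODB.Stream")\n'
    'tmp = CreateObject("WScript.Shell").ExpandEnvironmentStrings("%TEMP%")\n'
    'strm.SaveToFile tmp & "\\file.exe", 2\n'
)
# Constructed benign control: a text fetch with no binary stream and no drop.
SAMPLE_BENIGN = 'Set http = CreateObject("MSXML2.XMLHTTP")\nWScript.Echo http.responseText\n'
```

Run `is_encoded_vbe` first on the raw file; the content indicators only apply after the .vbe has been decoded.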
Analysis by Wei Li
Symptoms
Alerts from your security software may be the only symptom.
Also see the FakePAV description for information about the software that this threat downloads onto your PC.
Last update 21 February 2014