
Trojan.FakeAlert.ZV


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.FakeAlert.ZV is also known as Hoax.Win32.Renos.eas, Hoax.Win32.Agent.ej and Misc/FakeAlert.

Explanation:

In the infection process an executable drops a DLL to %windir%\System32\zgyhw.dll. This DLL is then registered to load at startup using the following registry keys:

HKLM\Software\Classes\CLSID\{2f199d0e-f3e7-41a7-a060-816c24cceea0}\InProcServer32\(Default)
"C:\WINNT\system32\zgyhw.dll"
HKLM\Software\Classes\CLSID\{2f199d0e-f3e7-41a7-a060-816c24cceea0}\InProcServer32\ThreadingModel
"Apartment"

Another registry key adds an entry to Add/Remove Programs. Using this entry only removes the executable that dropped zgyhw.dll, which by this point is no longer needed by the malware anyway; the DLL and its CLSID registration remain in place.

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert\DisplayName
"Windows Safety Alert"
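As an added example (not part of the BitDefender description), the following Python script scans an exported .reg dump of HKLM\Software\Classes\CLSID for InProcServer32 entries that match the CLSID or DLL name given above. The sample export is constructed for the example; on a real system it would come from `reg export HKLM\Software\Classes\CLSID clsid.reg`.

```python
import re

# Indicators taken from the description above.
SUSPECT_CLSID = "{2f199d0e-f3e7-41a7-a060-816c24cceea0}"
SUSPECT_DLL = "zgyhw.dll"

# Constructed sample of a .reg export: one benign COM server and one
# entry shaped like the FakeAlert.ZV registration.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32]
@="C:\\WINNT\\system32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2f199d0e-f3e7-41a7-a060-816c24cceea0}\InProcServer32]
@="C:\\WINNT\\system32\\zgyhw.dll"
"ThreadingModel"="Apartment"
"""

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\(\{[0-9a-f-]{36}\})\\InProcServer32\]$",
    re.I,
)
DEFAULT_RE = re.compile(r'^@="(.*)"$')


def parse_inproc_servers(reg_text):
    """Return {clsid: dll_path} for every CLSID\\InProcServer32 key in a .reg export."""
    servers = {}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        if line.startswith("["):  # a different key: stop attributing values to the CLSID
            current = None
            continue
        m = DEFAULT_RE.match(line)
        if m and current:
            # .reg files write backslashes in string values as "\\"
            servers[current] = m.group(1).replace("\\\\", "\\")
    return servers


def find_fakealert_indicators(reg_text):
    """Return (clsid, dll_path) pairs whose CLSID or DLL name matches the indicators above."""
    hits = []
    for clsid, path in parse_inproc_servers(reg_text).items():
        if clsid == SUSPECT_CLSID or path.lower().endswith("\\" + SUSPECT_DLL):
            hits.append((clsid, path))
    return hits
```

The DLL-name check is kept separate from the CLSID check because a dropper can reuse the DLL under a different CLSID; a hit on either is worth a closer look.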

Last update 21 November 2011
