SecurityHome.eu Trojan.FakeAlert.ZV

Home / malware PDF

Trojan.FakeAlert.ZV

First posted on 21 November 2011.
Source: BitDefender
Aliases :
Trojan.FakeAlert.ZV is also known as Hoax.Win32.Renos.eas Hoax.Win32.Agent.ej Misc/FakeAlert.
Explanation :
In the infection process an exectuable drops a dll to %windir%System32zgyhw.dll. This dll is then registered to load at startup using the following registry keys:

HKLMSoftwareClassesCLSID{2f199d0e-f3e7-41a7-a060-816c24cceea0}InProcServer32(Default)
"C:WINNTsystem32zgyhw.dll"
HKLMSoftwareClassesCLSID{2f199d0e-f3e7-41a7-a060-816c24cceea0}InProcServer32ThreadingModel
"Apartment"

Another registry key is used to add an add/remove entry. Using this entry only removes the executable that dropped zgyhw.dll, which, by this point, is useless anyway.

HKLMSoftwareMicrosoftWindowsCurrentVersionUninstallWindows Safety AlertDisplayName
"Windows Safety Alert"
Last update 21 November 2011

TOP

Malware :

RATDispenser
whispergate
Borat RAT
Trojanized X_Trader
BlackLotus

Last 20