
Trojan.Downloader.FakeAV.BD


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.Downloader.FakeAV.BD is also known as Trojan:Win32/Fakeinit, Trojan-Downloader.Win32.FraudLoad.vohb.

Explanation:

This is a small trojan, possibly downloaded by other malware or sent by spam email, and it usually resides in
%SYSTEM%\[random].exe

Some website redirects will occur, since it adds the following lines to the hosts file:
82.98.xxx.xx browser-security.microsoft.com
82.98.xxx.xx [xxx]-click-scanner.info
82.98.xxx.xx [xxx]virus-xp-pro-2009.com
82.98.xxx.xx microsoft.infosecuritycenter.com
82.98.xxx.xx microsoft.softwaresecurityhelp.com
82.98.xxx.xx [xxx]nenotifyq.net
82.98.xxx.xx [xxx]virusxp-pro-2009.com
82.98.xxx.xx microsoft.browser-security-center.com
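A defender-side check for the hosts-file tampering described above, added here as an example and not part of the original BitDefender write-up. The sample file content and the 192.0.2.10 address are constructed (the page masks the real address); the name patterns are taken from the entries listed.

```python
import ipaddress
import re

# Constructed sample of a tampered hosts file, modelled on the entries above.
# The real file lives at %SystemRoot%\System32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      browser-security.microsoft.com
192.0.2.10      microsoft.infosecuritycenter.com
192.0.2.10      virus-xp-pro-2009.com
10.0.0.5        intranet.corp.example
127.0.0.1       ads.example.net   # sinkhole-style entry, benign
"""

# Naming patterns seen in the entries this trojan writes: a hijacked
# microsoft.com sub-domain, a 'microsoft.' prefix on a foreign domain,
# and the fake-AV product names.
SUSPICIOUS_NAME = re.compile(
    r"(^|\.)microsoft\.com$|^microsoft\.|virus-?xp-pro|click-scanner",
    re.IGNORECASE,
)

def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blanks and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            yield ip, name.lower()

def suspicious_entries(text):
    """Return entries that point a Microsoft- or fake-AV-looking name at a
    routable address. Loopback/unspecified targets are the usual benign
    (blocking) use of the hosts file, so they are not reported."""
    hits = []
    for ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        if SUSPICIOUS_NAME.search(name):
            hits.append((str(ip), name))
    return hits

if __name__ == "__main__":
    for ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {ip}")
```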

The malware also connects to a remote address hard-coded into the binary file,
http://85.12.xx.xx/go/?cmp=hstwtch&ver=XXX&d=XXX
and sets HKEY_LOCAL_MACHINE\SOFTWARE\Limited to the value 1. If this fails, it tries to remove the registry key.

Last update 21 November 2011
