
Trojan:Win32/Fakecorr


First posted on 24 March 2009.
Source: SecurityHome

Aliases :

Trojan:Win32/Fakecorr is also known as Win32/TrojanDownloader.FakeAlert.AAR (ESET).

Explanation :

Trojan:Win32/Fakecorr is a trojan that encrypts documents and other popular file types, and encourages users to purchase a fake recovery application in order to decrypt the encrypted files. In the wild, this trojan has been observed being downloaded and installed by the Win32/Vundo family.


Symptoms

System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following file:
    <system folder>\fpfstb.dll
  • The presence of the following registry modification:
    Sets value: "AppInit_DLLs"
    With data: "<system folder>\fpfstb.dll"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
  • The display of the following message:
    "Windows detected that some of your MS Office and media files are corrupted. Click here to download and install recommended file repair application."



    Installation
    This trojan is installed by variants of the Win32/Vundo family. It may be installed to the following location:
  • <system folder>\fpfstb.dll

    Note - <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default location of the System folder for Windows 2000 and NT is C:\Winnt\System32; for XP and Vista it is C:\Windows\System32.

    Once installed, the trojan checks for the presence of the following processes:
  • smss.exe
  • csrss.exe
  • winlogon.exe

    If these processes are not running, the malware exits. Otherwise it makes the following registry modification to ensure that the trojan's DLL is loaded (AppInit_DLLs entries are loaded by user32.dll into every process that links it, so the DLL ends up in most interactive processes):
    Sets value: "AppInit_DLLs"
    With data: "<system folder>\fpfstb.dll"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    It also makes the following registry modification, which may be used by the malware as an installation marker, for example:
    Adds value: "is_installed" (this value name may vary; other examples include "core_installed" and "id")
    With data: "03 00 00 00 00 00 00 00"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\keyboard
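    The script below is an added example, not code from the original write-up. It turns the indicators above into an offline triage check: it parses a registry export (.reg text as produced by "reg export" on the suspect host) and flags an AppInit_DLLs entry that loads fpfstb.dll and any of the marker value names under WOW\keyboard; it also classifies file names against the extension list given in the Payload section. The key paths and value names come from this write-up; the .reg sample embedded in the script is constructed for illustration, and the benign values in it (DeviceNotSelectedTimeout, subtype) are assumptions chosen to show that legitimate data in the same keys is ignored.

```python
"""Offline triage for the Trojan:Win32/Fakecorr registry and file indicators.

Added example; not code from the original write-up. Parses a .reg export
and reports the AppInit_DLLs load point for fpfstb.dll and the marker
value(s) under WOW\\keyboard. SAMPLE_REG_EXPORT is constructed.
"""
import ntpath
import re

# Extensions the write-up says the encryption thread searches for.
TARGETED_EXTENSIONS = frozenset("""
doc docm docx dotm dotx jpeg jpg mdb mp3 pdf png potm potx ppam ppsm ppsx
ppt pptm pptx pst wma xlam xls xlsb xlsm xlsx xltm xltx
""".split())

APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\keyboard"
MARKER_NAMES = {"is_installed", "core_installed", "id"}
DROPPED_DLL = "fpfstb.dll"

# Constructed .reg export: both indicators next to benign values in the same keys.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\fpfstb.dll"
"DeviceNotSelectedTimeout"="15"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\keyboard]
"subtype"=dword:00000000
"is_installed"=hex:03,00,00,00,00,00,00,00
"""

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: data}}.

    REG_SZ ("name"="...") is unescaped to str, REG_BINARY ("name"=hex:..)
    is decoded to bytes; other types keep their raw right-hand side. Hex data
    continued over several lines with a trailing backslash is joined first.
    """
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):          # continuation line of a hex value
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m is None or current is None:
            continue
        name, rhs = m.group(1), m.group(2)
        if rhs.startswith('"') and rhs.endswith('"'):
            data = rhs[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif rhs.startswith("hex:"):
            data = bytes(int(b, 16) for b in rhs[4:].split(",") if b)
        else:
            data = rhs
        keys[current][name] = data
    return keys


def appinit_dll_entries(data):
    """Split an AppInit_DLLs string into its DLL entries.

    Windows treats spaces and commas as separators, so a benign entry can sit
    beside the malicious one; match per entry rather than on the whole string.
    """
    return [e for e in re.split(r"[ ,]+", data.strip()) if e]


def find_indicators(keys):
    """Return (indicator, detail) tuples for the Fakecorr registry IOCs found."""
    hits = []
    appinit = keys.get(APPINIT_KEY, {}).get("AppInit_DLLs")
    if isinstance(appinit, str):
        for entry in appinit_dll_entries(appinit):
            if ntpath.basename(entry).lower() == DROPPED_DLL:
                hits.append(("AppInit_DLLs load point", entry))
    for name, data in keys.get(MARKER_KEY, {}).items():
        if name in MARKER_NAMES:
            shown = data.hex(" ") if isinstance(data, bytes) else str(data)
            hits.append(("WOW\\keyboard marker value", f"{name} = {shown}"))
    return hits


def is_targeted(filename):
    """True if the file carries an extension on the trojan's search list."""
    _, dot, ext = ntpath.basename(filename).rpartition(".")
    return bool(dot) and ext.lower() in TARGETED_EXTENSIONS


if __name__ == "__main__":
    for kind, detail in find_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"[!] {kind}: {detail}")
```

    To use it on a real host, export the key with "reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" cv.reg", read the file (reg export writes UTF-16 text, so open it with encoding="utf-16") and pass the contents to parse_reg_export. Matching on the DLL's base name per AppInit_DLLs entry, rather than substring-matching the whole value, avoids both missing the indicator when a legitimate DLL is listed alongside it and flagging unrelated files whose names merely contain "fpfstb".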

    Payload
    Encrypts Files
    Trojan:Win32/Fakecorr creates a thread in "explorer.exe" that looks for files to encrypt that use the following extensions:
    doc, docm, docx, dotm, dotx, jpeg, jpg, mdb, mp3, pdf, png, potm, potx, ppam, ppsm, ppsx, ppt, pptm, pptx, pst, wma, xlam, xls, xlsb, xlsm, xlsx, xltm, xltx

    After a few minutes it displays a fake security alert with the title "Windows File Protection" that reads:
    "Windows detected that some of your MS Office and media files are corrupted. Click here to download and install recommended file repair application."
    Clicking the alert directs the user to 'filefixpro.com', where they are encouraged to download a program that purports to 'fix' the affected files for a fee. This program uses the filename "ffx2009setup.exe" and is detected as Program:Win32/Fakecorr.

    Additional Information
    This trojan may also display the following message:

    Analysis by Patrik Vicol

    Last update 24 March 2009
