Trojan.Downloader.FakeAV.BD (Trojan:Win32/Fakeinit, Trojan-Downloader.Win32.FraudLoad.vohb)
SYMPTOMS: At most you will notice increased network activity and some websites being redirected.

TECHNICAL DESCRIPTION: This is a small trojan, possibly downloaded by other malware or sent by spam email, and it usually resides in %SYSTEM%\[random].exe

Some website redirects will appear, since it adds the following lines to the hosts file:

    82.98.xxx.xx browser-security.microsoft.com
    82.98.xxx.xx [xxx]-click-scanner.info
    82.98.xxx.xx [xxx]virus-xp-pro-2009.com
    82.98.xxx.xx microsoft.infosecuritycenter.com
    82.98.xxx.xx microsoft.softwaresecurityhelp.com
    82.98.xxx.xx [xxx]nenotifyq.net
    82.98.xxx.xx [xxx]virusxp-pro-2009.com
    82.98.xxx.xx microsoft.browser-security-center.com

The malware also connects to a remote address hard-coded into the binary file:

    http://85.12.xx.xx/go/?cmp=hstwtch&ver=XXX&d=XXX

and sets HKEY_LOCAL_MACHINE\SOFTWARE\ZLimited to value 1. If this fails, it will try to remove the registry key.

Removal instructions: Please let BitDefender disinfect your files.

ANALYZED BY: Stefan Catalin Hanu, virus researcher
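A hosts-file check for the entries described above, as an added example that is not part of the original write-up: names shown with a masked "[xxx]" prefix are matched by their visible suffix, the masked address by its visible "82.98." prefix, and the last rule (any microsoft.com name pinned to a routable address) is a generalization beyond the listed entries. The sample hosts content is constructed, with zeros standing in for the masked octets.

```python
import ipaddress

# Hostnames from the hosts entries listed in this description.
EXACT = {
    "browser-security.microsoft.com",
    "microsoft.infosecuritycenter.com",
    "microsoft.softwaresecurityhelp.com",
    "microsoft.browser-security-center.com",
}
# Visible suffixes of the names the description masks with "[xxx]".
SUFFIXES = ("-click-scanner.info", "virus-xp-pro-2009.com",
            "virusxp-pro-2009.com", "nenotifyq.net")
IP_PREFIX = "82.98."  # visible part of the masked redirect address

# Constructed sample; 82.98.0.0 is a placeholder for the masked address.
SAMPLE = """\
127.0.0.1 localhost
82.98.0.0 browser-security.microsoft.com
82.98.0.0 abc-click-scanner.info
203.0.113.7 update.microsoft.com   # documentation-range address
0.0.0.0 ads.example.com
"""


def scan_hosts(text):
    """Return (line_no, ip, host, reason) for each suspicious mapping."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) < 2:
            continue
        ip = fields[0]
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a valid hosts mapping
        sinkhole = addr.is_loopback or addr.is_unspecified
        for host in (n.lower().rstrip(".") for n in fields[1:]):
            if host in EXACT or host.endswith(SUFFIXES):
                findings.append((no, ip, host, "listed hostname"))
            elif ip.startswith(IP_PREFIX):
                findings.append((no, ip, host, "listed address range"))
            elif host.endswith(".microsoft.com") and not sinkhole:
                findings.append((no, ip, host, "microsoft.com name pinned"))
    return findings


if __name__ == "__main__":
    for finding in scan_hosts(SAMPLE):
        print(finding)
```

On a Windows host the text to pass in is the content of the system hosts file (normally under the system directory in drivers\etc\hosts).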