Trojan.FakeAV.BXB
LOW
MEDIUM
180KB
Symptoms
Annoying windows and tray pop-ups saying that the system is infected, requesting to register the program to get protection.
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Ovidiu Visoiu, virus researcher
Technical Description:
When first run, the trojan copies itself to %UserProfile%\Local Settings\Application Data\av.exe and launches that copy, which then deletes the original file. A mutex prevents multiple instances from running.
It adds or modifies the registry keys associated with '.exe' files so that it is reactivated if it is somehow closed; any attempt by the user to start an executable will create another instance of the trojan:
HKCU\.exe
o (default) -> secfile
HKCU\.exe\shell\open\command
o (default) -> "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
The Windows Firewall settings will be lowered:
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
o EnableFirewall -> 0x00000000
o DoNotAllowExceptions -> 0x00000000
o DisableNotifications -> 0x00000001
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
o EnableFirewall -> 0x00000000
o DoNotAllowExceptions -> 0x00000000
o DisableNotifications -> 0x00000001
The Internet Explorer StartMenuInternet entry will also be changed:
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
o (default) -> "%UserProfile%\Local Settings\Application Data\av.exe" /START "%Program Files%\Internet Explorer\iexplore.exe"
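As an added example (not BitDefender's code and not part of this description), the Python script below parses a `reg export` of the keys listed above and flags the two host-side indicators: a program interposed before "%1" in the .exe file-association command, and a firewall profile with EnableFirewall set to 0 or notifications disabled. The sample export is constructed to mirror the values above; the HKEY_CURRENT_USER\.exe path follows the page as written.

```python
import re

# Constructed reg-export text mirroring the keys described above (sample input, not from a real host).
SAMPLE_REG_EXPORT = r'''
[HKEY_CURRENT_USER\.exe]
@="secfile"
[HKEY_CURRENT_USER\.exe\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\av.exe\" /START \"%1\" %*"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
"DoNotAllowExceptions"=dword:00000000
"DisableNotifications"=dword:00000001
'''

def parse_reg_export(text):
    """Return {key_path: {value_name: value}} from .reg text; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current and '=' in line:
            name, _, raw = line.partition('=')
            name = '@' if name == '@' else name.strip('"')
            if raw.startswith('dword:'):
                keys[current][name] = int(raw[6:], 16)
            else:  # quoted REG_SZ: undo the .reg escaping of \\ and \"
                keys[current][name] = re.sub(r'\\(.)', r'\1', raw.strip('"'))
    return keys

def find_fakeav_indicators(keys):
    """Flag a hijacked .exe association and a lowered Windows Firewall profile."""
    findings = []
    for path, values in keys.items():
        low, cmd = path.lower(), str(values.get('@', ''))
        # A clean .exe handler is just "%1" %*; any program placed before "%1"
        # is launched every time the user starts an executable.
        if low.endswith(r'\.exe\shell\open\command') and not cmd.startswith('"%1"'):
            launcher = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(' ')[0]
            findings.append(('exe_association_hijacked', path, launcher))
        if low.endswith((r'firewallpolicy\domainprofile', r'firewallpolicy\standardprofile')):
            if values.get('EnableFirewall') == 0:
                findings.append(('firewall_disabled', path, 0))
            if values.get('DisableNotifications') == 1:
                findings.append(('firewall_notifications_disabled', path, 1))
    return findings

if __name__ == '__main__':
    for kind, path, detail in find_fakeav_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f'{kind}: {path} -> {detail}')
```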
The trojan will try to connect to the following sites: