Trojan.FakeAV.BXB
SYMPTOMS: Annoying windows and tray pop-ups saying that the system is infected, requesting that the user register the program to get protection.

TECHNICAL DESCRIPTION:

When first run, the trojan copies itself to %UserProfile%\Local Settings\Application Data\av.exe and launches this copy, which then deletes the original file. A mutex prevents multiple executions.

It adds or modifies the registry keys associated with '.exe' files so that it is reactivated if it is somehow closed; any attempt by the user to start an executable creates another instance of the trojan:

HKCU\.exe
    (default) -> secfile
HKCU\.exe\shell\open\command
    (default) -> "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*

The Windows firewall settings are lowered:

HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
    EnableFirewall -> 0x00000000
    DoNotAllowExceptions -> 0x00000000
    DisableNotifications -> 0x00000001
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    EnableFirewall -> 0x00000000
    DoNotAllowExceptions -> 0x00000000
    DisableNotifications -> 0x00000001

The Internet Explorer Start Menu entry is also changed:

HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
    (default) -> "%UserProfile%\Local Settings\Application Data\av.exe" /START "%Program Files%\Internet Explorer\iexplore.exe"

The trojan tries to connect to the following sites: winlive-care21.com, pcguard2010.com, one-care-antivirus.com, pcwin-live.com, tulibonerduma.com, live-pc-care.com, windows-live-care.com, winlive-care2010.com, onecare-antivirus2010.com, win-live-care2010.com, live-pccare.com

Removal instructions: Please let BitDefender disinfect your files.

ANALYZED BY: Ovidiu Visoiu, virus researcher
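As an added defensive example (not part of the BitDefender write-up), the following Python scans a Windows .reg export for the two registry indicators described above: a hijacked .exe open command that no longer reads "%1" %*, and a firewall profile with EnableFirewall cleared or DisableNotifications set. The sample export is constructed; the Software\Classes location of the HKCU .exe key is an assumption, so the matcher keys on the path suffix only.

```python
import re
from typing import Iterator, List, Tuple, Union

# Constructed sample export (not from the write-up); the key paths mirror the ones it lists.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"C:\\Documents and Settings\\bob\\Local Settings\\Application Data\\av.exe\" /START \"%1\" %*"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
"DoNotAllowExceptions"=dword:00000000
"DisableNotifications"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=dword:00000001
'''

# Match on path suffixes so HKCU\.exe\... and HKCU\Software\Classes\.exe\... are both caught.
EXE_HANDLER = re.compile(r"\\\.exe\\shell\\open\\command$", re.I)
FIREWALL_KEY = re.compile(r"\\SharedAccess\\Parameters\\FirewallPolicy\\(DomainProfile|StandardProfile)$", re.I)
# Healthy values for the two firewall DWORDs the trojan flips (DoNotAllowExceptions=0 is a normal setting).
FIREWALL_EXPECTED = {"enablefirewall": 1, "disablenotifications": 0}
NORMAL_EXE_COMMAND = '"%1" %*'

def parse_reg(text: str) -> Iterator[Tuple[str, str, Union[int, str]]]:
    """Yield (key, value_name, data) from a .reg export; '@' is the (default) value."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line and line[0] in '"@':
            name, _, raw = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            if raw.startswith("dword:"):
                yield key, name, int(raw[6:], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                # .reg strings escape backslash and quote with a backslash.
                yield key, name, re.sub(r"\\(.)", r"\1", raw[1:-1])

def find_indicators(text: str) -> List[str]:
    """Return human-readable findings for the persistence and firewall changes."""
    findings = []
    for key, name, data in parse_reg(text):
        if EXE_HANDLER.search(key) and name == "(default)" and data != NORMAL_EXE_COMMAND:
            findings.append(f"exe handler hijack: {key} -> {data}")
        elif FIREWALL_KEY.search(key):
            want = FIREWALL_EXPECTED.get(name.lower())
            if want is not None and data != want:
                findings.append(f"firewall weakened: {key}\\{name} = {data}")
    return findings
```

Run it against an export taken with `reg export` of the two hives; a clean machine produces an empty list.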