Trojan.Regpat.A

LOW
VERY LOW
Size: typically 4-5 KBytes packed (UPX), 20-40 KBytes unpacked
Aliases: Win32/RegPat.A!Trojan, Troj/RegPat-A, Application.Riskware.Tool.Regpatch.A, Trojan.Small.Cr, Tool.Regpatch, W32/SillyTrojan.BI

Symptoms

The malware inserts various keys into the registry. Because the keys are stored encrypted in the executable's overlay, there is no single key that every variant inserts (there are hundreds of variants). Some examples:

[HKEY_CURRENT_USER\Software\Mediachance\Multimedia Builder\Reg]
"Name"="Anthrax / FiGHTiNG FOR FUN"
...

[HKEY_LOCAL_MACHINE\Software\AY Labs\Memorizer]
"name"="Vepergen"
...

[HKEY_LOCAL_MACHINE\SOFTWARE\EZSoftMagic\MP3Joiner\SN]
"name"="RepLic!^FiGHTING FoR FuN"
...

[HKEY_CURRENT_USER\Software\Alcohol Soft\Alcohol 52%\Info]
"UserName"="Anthrax (Fuck To Danyz/Corsica)"
"Company"="FiGHTiNG FOR FUN"
...

[HKEY_LOCAL_MACHINE\SOFTWARE\ACD Systems\ACDSee\60]
"LicenseNumber"="Don't Forget, We're among u =)"
"UserName"="RepLic!^FiGHTiNG FoR FuN"
...

One string common to many variants is 'FiGHTiNG FoR FuN'. The malware is typically used to insert registry values such as serial numbers for cracked software.

In some cases a C:\ParaTemp.reg file may be left on disk (when the malware terminates with a particular error).
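Where C:\ParaTemp.reg survives, it is the most direct record of what a given sample tried to inject. The following is an added example and not part of the Bitdefender write-up: a small parser for .reg exports that lists every key/value pair and flags values containing the recurring string. The sample .reg text is constructed from the keys listed above; `parse_reg` and `flag_entries` are names chosen for this example. A match is a trigger for review, not a clean bill for the other keys, since the write-up notes no key is common to all variants.

```python
import re

# Case-folded form of the string the write-up reports across many variants.
INDICATOR = "fighting for fun"

# Constructed sample: a .reg export assembled from the keys shown in the Symptoms section.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Mediachance\Multimedia Builder\Reg]
"Name"="Anthrax / FiGHTiNG FOR FUN"

[HKEY_LOCAL_MACHINE\Software\AY Labs\Memorizer]
"name"="Vepergen"

[HKEY_LOCAL_MACHINE\SOFTWARE\ACD Systems\ACDSee\60]
"LicenseNumber"="Don't Forget, We're among u =)"
"UserName"="RepLic!^FiGHTiNG FoR FuN"
"""

# Matches '"name"=value' or '@=value' (the key's default value).
_VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> " in one pass."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key_path: {value_name: value}}.

    Only string (REG_SZ) values are decoded; hex:/dword: values are kept raw.
    The 'Windows Registry Editor' header and comment lines are skipped.
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _VALUE_LINE.match(line)
        if not m:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(2))
        val = m.group(3)
        if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            val = _unescape(val[1:-1])
        entries[current][name] = val
    return entries


def flag_entries(entries: dict, indicator: str = INDICATOR) -> list:
    """Return (key_path, value_name, value) triples whose value contains the indicator."""
    hits = []
    for key, values in entries.items():
        for name, val in values.items():
            if indicator in val.casefold():
                hits.append((key, name, val))
    return hits


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for key, name, val in flag_entries(parsed):
        print(f"[{key}] {name!r} = {val!r}")
```

Run against a recovered ParaTemp.reg by reading the file (exports written by regedit are UTF-16 with a BOM, so open it with `encoding="utf-16"`) and passing the text to `parse_reg`.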

Removal instructions:

Please let BitDefender delete your files.

Analyzed By

Sándor LUKÁCS, BitDefender virus researcher

Technical Description:

The malware contains a Windows registry (.REG) file encrypted in the overlay of the executable. When run, it extracts this file to C:\ParaTemp.reg, then imports it into the system registry with the command 'regedit -s C:\ParaTemp.reg'.

When successfully executed, the malware displays a window titled 'Registry Patcher - Coded by ParaBytes' with the message 'All Worked. Registry patched.' After this, C:\ParaTemp.reg is deleted.

The malware contains a checksum verification for the .REG file. If an error occurs, or the attached .REG file has been modified, the displayed message is 'Bad Patch Data. Please contact this file supplyer.'
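Because the payload sits in the PE overlay (the bytes after the last section's raw data), an analyst can locate and carve it from the file without running the sample. The following is an added example, not code from the original page or from Bitdefender: it computes the overlay boundary from the section table, carves the overlay, and reports whether the carved data is a plaintext .reg file (in this family it is not, since the write-up describes it as encrypted with a scheme it does not specify). The input is a constructed minimal PE stub, and `build_sample_pe`, `overlay_offset`, `extract_overlay`, `looks_like_reg` and `summarize_overlay` are names chosen for this example.

```python
import struct


def build_sample_pe(section_payload: bytes, overlay: bytes) -> bytes:
    """Constructed, non-functional PE32 image with one section and trailing overlay.

    Only the fields that fix the overlay boundary (e_lfanew, NumberOfSections,
    SizeOfOptionalHeader, SizeOfRawData, PointerToRawData) carry real values.
    """
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xE0                      # PE32 optional header size
    num_sections = 1
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, num_sections, 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)   # Magic PE32, rest zeroed
    section_table = e_lfanew + 4 + 20 + size_opt
    ptr_raw = section_table + 40 * num_sections              # section data follows headers
    section = (b".text\0\0\0"
               + struct.pack("<IIII", len(section_payload), 0x1000,
                             len(section_payload), ptr_raw)
               + b"\0" * 16)
    return dos_header + b"PE\0\0" + coff + opt + section + section_payload + overlay


def overlay_offset(data: bytes) -> int:
    """File offset where the overlay begins: end of the furthest section's raw data."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    section_table = coff + 20 + size_opt
    end = section_table + 40 * num_sections          # at least past the headers
    for i in range(num_sections):
        hdr = section_table + i * 40
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, ptr_raw + size_raw)
    return min(end, len(data))


def extract_overlay(data: bytes) -> bytes:
    return data[overlay_offset(data):]


def looks_like_reg(blob: bytes) -> bool:
    """True if the blob starts like a plaintext .reg export (ANSI or UTF-16LE)."""
    head = blob[:80]
    for marker in (b"Windows Registry Editor", b"REGEDIT4"):
        if marker in head or marker.decode().encode("utf-16-le") in head:
            return True
    return False


def summarize_overlay(data: bytes) -> dict:
    """Triage summary: where the overlay starts, how big it is, and whether it is a plaintext .reg."""
    off = overlay_offset(data)
    overlay = data[off:]
    return {"offset": off, "size": len(overlay), "plaintext_reg": looks_like_reg(overlay)}


if __name__ == "__main__":
    # Constructed opaque bytes stand in for the encrypted .REG payload.
    sample = build_sample_pe(b"\x90" * 16, bytes([0x5A, 0x13, 0x77]) * 8)
    print(summarize_overlay(sample))
```

On a real sample, pass the file contents to `summarize_overlay`; a non-zero overlay that does not look like a plaintext .reg is consistent with the encrypted payload described above, and the carved bytes can be set aside for further analysis.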

The malware has no other payloads.