FakeAlert-WPS

Type
Trojan
SubType
Win32
Discovery Date
08/19/2009
Length
varies
Minimum DAT
5714 (08/19/2009)
Updated DAT
6518 (11/02/2011)
Minimum Engine
5.4.00
Description Added
08/19/2009
Description Modified
09/28/2011 12:03 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

----- Updated on Sep 28, 2011 -----

Aliases -

  • NOD32 - Win32/RogueAV.J
  • Ikarus - AdvHeur
  • AntiVir - TR/Crypt.XPACK.Gen3
  • BitDefender - Trojan.Generic.6674243

Upon execution, the Trojan connects to the IP address 67.213.[removed] on remote TCP port 80 to download additional malicious files.

The following files are added to the system and marked hidden.

  • %AppData%\ygsltrwhjx\SmartGear[randomcharacters].exe
  • %AppData%\ygsltrwhjx\[randomcharacters].exe
  • %AppData%\ygsltrwhjx\FRed32.dll
  • %AppData%\ygsltrwhjx\spoof.avi
  • %AppData%\dbcfg.cmd

The following registry keys have been added to the system.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\zhkuradtymk.DocHostUIHandler

The following registry values have been added to the system.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "zhkuradtymk.DocHostUIHandler"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "%SystemDrive%\ZHKURA~1.EXE"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\zhkuradtymk.DocHostUIHandler\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\zhkuradtymk.DocHostUIHandler\ = "Implements DocHostUIHandler"
  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Run\CreoLab = "%AppData%\ygsltrwhjx\[randomcharacters].exe"

The Run value above causes the Trojan to execute each time the user logs on.

The Trojan attempts the following network connections:

  • [removed]scanfirst.com
  • [removed]nowbestcodec.com
  • 95.211.[removed]


[Note: %AppData% is C:\Documents and Settings\All Users\Application Data; %SystemDrive% is the drive on which the operating system is installed, in most cases C:\]

-------------------------------

Upon execution, the Trojan creates a folder and drops the following file:

  • %UserProfile%\Application Data\bdc63e5\PCbdc6.exe

Note:
%UserProfile% is a variable location and refers to the user's profile folder.


It modifies the hosts file (%SystemRoot%\System32\drivers\etc\hosts).

It modifies the following registry entries:

  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes
  • HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF} (the same COM registration as the HKEY_LOCAL_MACHINE\SOFTWARE\Classes key listed above, seen through the HKEY_CLASSES_ROOT view)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • PC Live Guard = "%UserProfile%\Application Data\bdc63e5\PCbdc6.exe" /s /d

The Run value above causes the dropped file to start at every logon.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntispywarXP2009.exe
    • "Debugger" = svchost.exe

A "Debugger" value under Image File Execution Options makes Windows launch the named program (here svchost.exe) instead of the target executable whenever that executable is started, so the target itself never runs. The Trojan uses this to prevent the named executable from running.

It may contact the following sites:

  • update2.pclive[removed].com
  • mysecurity[removed].com
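
As an added example, not part of the original McAfee write-up, the following Python script sweeps a Windows registry export (the text produced by reg export) for the three persistence techniques this description lists: Run values that launch an executable from a user-writable profile directory (the CreoLab and PC Live Guard entries), an Image File Execution Options Debugger hijack (the AntispywarXP2009.exe entry), and a COM LocalServer32 registration pointing at an executable in the drive root (the ZHKURA~1.EXE entry). The embedded export is constructed for the example; the SID, the xxxxxxxx.exe file name and the benign ctfmon.exe control entry are placeholders, not values taken from an infected system.

```python
import re

# Constructed sample in "reg export" (.reg) format, mirroring the entries the
# write-up lists. The SID, the "xxxxxxxx.exe" name and the %...% placeholders
# are stand-ins for the [varies] / [randomcharacters] values on the page, not
# data from a real infection. The ctfmon.exe value is a benign control entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run]
"CreoLab"="%AppData%\\ygsltrwhjx\\xxxxxxxx.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Live Guard"="\"%UserProfile%\\Application Data\\bdc63e5\\PCbdc6.exe\" /s /d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntispywarXP2009.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32]
@="%SystemDrive%\\ZHKURA~1.EXE"
'''

# One string value per line: "name"="data" or @="data" (the default value).
# REG_DWORD / hex(...) values are deliberately skipped.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')

AUTORUN_KEY = re.compile(r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$', re.I)
IFEO_KEY = re.compile(r'\\Image File Execution Options\\([^\\]+)$', re.I)
LOCALSERVER_KEY = re.compile(r'\\CLSID\\\{[0-9A-F-]{36}\}\\LocalServer32$', re.I)
# Locations an unprivileged user can write to; a legitimate autostart rarely lives there.
USER_WRITABLE = re.compile(r'%AppData%|%UserProfile%|%Temp%|\\Application Data\\|\\Documents and Settings\\', re.I)
# An executable sitting directly in the drive root, e.g. %SystemDrive%\ZHKURA~1.EXE
ROOT_EXE = re.compile(r'^"?(?:%SystemDrive%|[A-Z]:)\\[^\\"]+\.exe"?(?:\s.*)?$', re.I)


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            continue
        name = '' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
        yield key, name, _unescape(m.group(2)[1:-1])


def assess(entries):
    """Return (rule, key, value_name, data) tuples for entries matching a persistence pattern."""
    findings = []
    for key, name, data in entries:
        if AUTORUN_KEY.search(key) and USER_WRITABLE.search(data):
            findings.append(('autorun-from-profile', key, name, data))
        ifeo = IFEO_KEY.search(key)
        if ifeo and name.lower() == 'debugger':
            # Windows starts the "debugger" instead of the target, so the
            # target (here AntispywarXP2009.exe) never runs.
            findings.append(('ifeo-debugger-hijack', key, ifeo.group(1), data))
        if LOCALSERVER_KEY.search(key) and name == '' and ROOT_EXE.match(data):
            findings.append(('com-server-in-drive-root', key, name, data))
    return findings


def sweep(text):
    return assess(parse_reg_export(text))


if __name__ == '__main__':
    for rule, key, name, data in sweep(SAMPLE_REG):
        print(f'{rule:26} {key}\n{"":26} {name!r} = {data!r}')
```

On a live system, feed the script the output of reg export HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion out.reg (and the equivalent exports for HKLM\SOFTWARE\Classes and each loaded user hive) rather than the embedded sample; the rules flag patterns, so every hit still needs a look at the referenced file before cleanup.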
Symptoms

  • The symptoms of this detection are the files, registry entries, and network communication referenced in the Characteristics section.

Method of Infection

Trojans do not self-replicate. They often arrive as a desirable or intriguing file and conceal their true nature. Common ways to receive a trojan are through newsgroup postings, IRC, peer-to-peer networks, spam, etc.

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

General repair may be unsuccessful in some instances. If this occurs, please submit a sample for further evaluation.

Variants

    N/A

Overview

This is a detection for a Trojan that displays misleading fake alerts to entice the user into buying a product to "repair" malware problems. The Trojan may mask its malicious behavior; victims are likely to have installed it believing it to be an innocent screensaver program.
