Content

FakeAlert-SpyPro.gen.bb!F2374E096933

Type
Trojan
SubType
-
Discovery Date
12/21/2010
Length
321536
Minimum DAT
N/A ( )
Updated DAT
N/A ( )
Minimum Engine
5400.1158
Description Added
12/21/2010
Description Modified
12/21/2010 6:55 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

This is a Trojan

File PropertiesProperty Values
McAfee DetectionFakeAlert-SpyPro.gen.bb
Length321536 bytes
MD5f2374e096933713af0f0833fb73cdb64
SHA14522706fce57c061d174557da6c17bf1edb5f3ec


ActivitiesRisk Levels
Enumerates many system files and directories.Low
Displays systray popups that warn of malware related activitiesLow
Adds or modifies Internet Explorer cookiesLow
No digital signature is presentInformational


McAfee ScansScan Detections
McAfee BetaFakeAlert-SpyPro.gen.bb



System Changes

Some path values have been replaced with environment variables as the exact location may vary with different configurations.
e.g.
%WINDIR% = \WINDOWS (Windows 9x/ME/XP/Vista/7), \WINNT (Windows NT/2000)
%PROGRAMFILES% = \Program Files


The following files were analyzed:

xhnfefuaffm.exe

The following registry elements have been created:

  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PHISHINGFILTER\
  • HKEY_CURRENT_USER\SOFTWARE\QNPN7RJV93LF\
The following registry elements have been changed:

  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EXTENSIONS\CMDMAPPING\{92780B25-18CC-41C8-B9BE-3C9C571A8263} = 8193
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EXTENSIONS\CMDMAPPING\NEXTID = 8194
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PHISHINGFILTER\ENABLED = 0
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PHISHINGFILTER\ENABLEDV8 = 0
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\PROXYOVERRIDE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\PROXYSERVER = http=127.0.0.1:59274
  • HKEY_CURRENT_USER\SOFTWARE\QNPN7RJV93LF\ID = 86.21
  • HKEY_CURRENT_USER\SOFTWARE\QNPN7RJV93LF\KNKD = 1
The applications attempted the following network connection(s):

  • 93.158.114.***:80
  • hxxp://softwareea.com/*****

Symptoms

This symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1.Disable System Restore (Windows ME/XP only).

2.Update to current engine and DAT files for detection and removal.

3.Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

General repair may be unsuccessful in some instances. If this occurs, please submit a sample for further evaluation.

Variants

Variants

    N/A

All Information

Overview -

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

Characteristics -

This is a Trojan

File PropertiesProperty Values
McAfee DetectionFakeAlert-SpyPro.gen.bb
Length321536 bytes
MD5f2374e096933713af0f0833fb73cdb64
SHA14522706fce57c061d174557da6c17bf1edb5f3ec


ActivitiesRisk Levels
Enumerates many system files and directories.Low
Displays systray popups that warn of malware related activitiesLow
Adds or modifies Internet Explorer cookiesLow
No digital signature is presentInformational


McAfee ScansScan Detections
McAfee BetaFakeAlert-SpyPro.gen.bb



System Changes

Some path values have been replaced with environment variables as the exact location may vary with different configurations.
e.g.
%WINDIR% = \WINDOWS (Windows 9x/ME/XP/Vista/7), \WINNT (Windows NT/2000)
%PROGRAMFILES% = \Program Files


The following files were analyzed:

xhnfefuaffm.exe

The following registry elements have been created:

  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PHISHINGFILTER\
  • HKEY_CURRENT_USER\SOFTWARE\QNPN7RJV93LF\
The following registry elements have been changed:

  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EXTENSIONS\CMDMAPPING\{92780B25-18CC-41C8-B9BE-3C9C571A8263} = 8193
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EXTENSIONS\CMDMAPPING\NEXTID = 8194
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PHISHINGFILTER\ENABLED = 0
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PHISHINGFILTER\ENABLEDV8 = 0
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\PROXYOVERRIDE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\PROXYSERVER = http=127.0.0.1:59274
  • HKEY_CURRENT_USER\SOFTWARE\QNPN7RJV93LF\ID = 86.21
  • HKEY_CURRENT_USER\SOFTWARE\QNPN7RJV93LF\KNKD = 1
The applications attempted the following network connection(s):

  • 93.158.114.***:80
  • hxxp://softwareea.com/*****

Symptoms

Symptoms -

This symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

Removal -

Removal -

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1.Disable System Restore (Windows ME/XP only).

2.Update to current engine and DAT files for detection and removal.

3.Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

General repair may be unsuccessful in some instances. If this occurs, please submit a sample for further evaluation.

Variants

Variants -

    N/A