
Trojan.FakeAV.BXB


First posted on 21 November 2011.
Source: BitDefender

Aliases :

There are no other names known for Trojan.FakeAV.BXB.

Explanation :

When first run, the trojan copies itself to %UserProfile%\Local Settings\Application Data\av.exe and launches this copy, which then deletes the original file. A mutex prevents multiple instances from running.
It adds or modifies the registry keys associated with '.exe' files so that it is reactivated if it is somehow closed; any attempt by the user to start an executable creates another instance of the trojan:
HKCU\.exe
o (default) -> secfile
HKCU\.exe\shell\open\command
o (default) -> "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*

The Windows Firewall settings are lowered:
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
o EnableFirewall -> 0x00000000
o DoNotAllowExceptions -> 0x00000000
o DisableNotifications -> 0x00000001
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
o EnableFirewall -> 0x00000000
o DoNotAllowExceptions -> 0x00000000
o DisableNotifications -> 0x00000001

The Internet Explorer Start Menu entry is also changed:
HKLM\SOFTWARE\Clients\StartMenu\Internet\IEXPLORE.EXE\shell\open\command
o (default) -> "%UserProfile%\Local Settings\Application Data\av.exe" /START "%Program Files%\Internet Explorer\iexplore.exe"
The trojan tries to connect to the following sites:
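The three registry changes above (the '.exe' association hijack, the firewall policy values and the Internet Explorer Start Menu command) can be audited with a read-only script. The following is an added example, not part of the BitDefender description: it reads the locations listed above and reports any value that matches the trojan's configuration. The HKCU\Software\Classes\.exe and HKLM\Software\Classes\.exe locations are an assumption (they are where per-user and machine-wide file associations normally live), as is the expectation that a clean '.exe' class resolves to 'exefile' and has no shell\open\command of its own. Run it from an elevated PowerShell prompt.

```powershell
# Added audit script (not from the advisory). Read-only: it never writes to the registry.

function Get-DefaultValue([string]$Path) {
    # Returns the (default) value of a key, or $null if the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.'(default)'
}

function Test-ExeAssociation {
    # The trojan points the .exe class at "secfile" and adds a shell\open\command
    # under .exe itself that relaunches av.exe for every executable started.
    # Assumption: a clean .exe class resolves to 'exefile' and has no such subkey.
    $findings = @()
    foreach ($root in 'HKCU:\.exe', 'HKCU:\Software\Classes\.exe', 'HKLM:\Software\Classes\.exe') {
        $progId = Get-DefaultValue $root
        if ($progId -and $progId -ne 'exefile') {
            $findings += "$root (default) is '$progId', expected 'exefile'"
        }
        $cmd = Get-DefaultValue "$root\shell\open\command"
        if ($cmd) {
            $findings += "$root\shell\open\command is present: $cmd"
        }
    }
    return $findings
}

function Test-FirewallPolicy {
    # Values the advisory lists: EnableFirewall 0, DoNotAllowExceptions 0, DisableNotifications 1.
    # ControlSet001 is used as on the page; CurrentControlSet normally links to it.
    $findings = @()
    $base = 'HKLM:\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($fwProfile in 'DomainProfile', 'StandardProfile') {
        $p = Get-ItemProperty -Path "$base\$fwProfile" -ErrorAction SilentlyContinue
        if ($null -eq $p) { continue }
        if ($p.EnableFirewall -eq 0)       { $findings += "$($fwProfile): EnableFirewall is 0" }
        if ($p.DisableNotifications -eq 1) { $findings += "$($fwProfile): DisableNotifications is 1" }
    }
    return $findings
}

function Test-IeStartMenuCommand {
    # The hijacked command still ends in iexplore.exe (passed as an argument), so the
    # check looks at the first quoted token, which must be iexplore.exe itself.
    $path = 'HKLM:\SOFTWARE\Clients\StartMenu\Internet\IEXPLORE.EXE\shell\open\command'
    $cmd = Get-DefaultValue $path
    if (-not $cmd) { return @() }
    $first = ($cmd -split '"' | Where-Object { $_.Trim() -ne '' })[0].Trim()
    if ($first -notlike '*iexplore.exe') { return @("IE StartMenu command launches '$first': $cmd") }
    return @()
}

$all = @(Test-ExeAssociation) + @(Test-FirewallPolicy) + @(Test-IeStartMenuCommand)
if ($all.Count -eq 0) {
    'No indicators from the Trojan.FakeAV.BXB description were found.'
} else {
    $all | ForEach-Object { "FINDING: $_" }
}
```

Each check is written to return findings rather than print them, so the functions can be reused from a larger inventory script. A hit on the '.exe' association check is the one to act on first: with it in place, launching any executable, including a cleanup tool, starts another copy of the trojan.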
winlive-care21.com
pcguard2010.com
one-care-antivirus.com
pcwin-live.com
tulibonerduma.com
live-pc-care.com
windows-live-care.com
winlive-care2010.com
onecare-antivirus2010.com
win-live-care2010.com
live-pccare.com
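The domain list above is most useful as a detection list for DNS or proxy logs. The following is an added example, not part of the advisory: it matches query log lines against the listed domains, treating subdomains and a trailing dot on the queried name as matches, while ignoring names that merely contain a listed domain as a substring. The log layout (timestamp, client address, queried name) and the log lines themselves are constructed samples.

```powershell
# Added detection example (not from the advisory). Domains are the ones the page lists.
$FakeAvDomains = @(
    'winlive-care21.com', 'pcguard2010.com', 'one-care-antivirus.com', 'pcwin-live.com',
    'tulibonerduma.com', 'live-pc-care.com', 'windows-live-care.com', 'winlive-care2010.com',
    'onecare-antivirus2010.com', 'win-live-care2010.com', 'live-pccare.com'
)

function Get-QueriedHost([string]$Line) {
    # Assumed layout: "<timestamp> <client-ip> <queried-name>". Returns $null otherwise.
    $parts = $Line.Trim() -split '\s+'
    if ($parts.Count -lt 3) { return $null }
    # Normalise: drop a trailing dot (fully-qualified form) and compare case-insensitively.
    return $parts[2].TrimEnd('.').ToLowerInvariant()
}

function Test-FakeAvDomain([string]$Name) {
    # Exact match or subdomain match only; 'notpcguard2010.com' must not match.
    foreach ($d in $FakeAvDomains) {
        if ($Name -eq $d -or $Name.EndsWith(".$d")) { return $true }
    }
    return $false
}

function Find-FakeAvQueries([string[]]$Lines) {
    # Returns the log lines whose queried name is on the list.
    $Lines | Where-Object { $h = Get-QueriedHost $_; $h -and (Test-FakeAvDomain $h) }
}

# Constructed sample log; only the second and third lines should be reported.
$sampleLog = @(
    '2011-11-21T10:02:13Z 10.0.0.15 www.example.com',
    '2011-11-21T10:02:14Z 10.0.0.15 pcguard2010.com',
    '2011-11-21T10:02:20Z 10.0.0.22 update.live-pc-care.com.',
    '2011-11-21T10:03:01Z 10.0.0.15 notpcguard2010.com'
)
Find-FakeAvQueries $sampleLog
```

For a real log, replace `$sampleLog` with `Get-Content` on the file and adjust `Get-QueriedHost` to the column that holds the queried name; the matching logic does not depend on the layout.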

Last update 21 November 2011
