
TrojanDropper:Win32/Insebro.A


First posted on 01 May 2009.
Source: SecurityHome

Aliases :

TrojanDropper:Win32/Insebro.A is also known as: WinPC Defender (other), Win-Trojan/Fraudload.70656.AM (AhnLab), Trojan.Agent.AMJV (BitDefender), Win32/FakeAVDI.GD (CA), Trojan.Downloader.FraudLoad-5 (Clam AV), Win32/Adware.WinPCDefender (ESET), Trojan-Downloader.Win32.FraudLoad.dxa (Kaspersky), Downloader-BON (McAfee), Win32/Antivirus2008.CZC (Norman), Mal/EncPk-HP (Sophos), Trojan.Fakeavalert (Symantec), XP Police 2009 (other), PC Defender (other), Win32/Adware.XPPoliceAntivirus (ESET).

Explanation :

TrojanDropper:Win32/Insebro.A is a trojan that downloads and executes arbitrary files. In the wild it has been observed downloading and installing rogue security software, such as Win32/FakeRean, onto affected machines.

Special Note:

Reports of Rogue Antivirus programs have been more prevalent as of late. These are programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software. Some of these programs may display product names or logos in an apparently unlawful attempt to impersonate Microsoft products.

Symptoms

System Changes

The following system changes may indicate the presence of this malware:

  • The presence of the following file:
    %windir%\ieocx.dll (detected as Trojan:Win32/Insebro.C)
  • The presence of the following registry modifications:

    Adds value: "scui.cpl"
    With data: "no"
    To subkey: HKCU\Control Panel\don't load

    Adds value: "AntiVirusDisableNotify"
    With data: "1"
    To subkey: HKLM\SOFTWARE\Microsoft\Security Center

    Adds value: "Minimize"
    With data: "0"
    To subkey: HKCU\Software\WinPC Defender


Installation

TrojanDropper:Win32/Insebro.A runs from where it was executed. However, it makes several modifications to an affected system. It drops this file:

  • %windir%\ieocx.dll (detected as Trojan:Win32/Insebro.C)

It then executes the following command in order to register this DLL:

  • "regsvr32.exe /s %windir%\ieocx.dll"

It also makes a number of modifications to the registry:

    Adds value: "scui.cpl"
    With data: "no"
    To subkey: HKCU\Control Panel\don't load

    Adds value: "AntiVirusDisableNotify"
    With data: "1"
    To subkey: HKLM\SOFTWARE\Microsoft\Security Center

    Adds value: "Minimize"
    With data: "0"
    To subkey: HKCU\Software\WinPC Defender
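As an added example (not part of the original advisory or its source), the following read-only PowerShell check looks for the host indicators listed above and returns one record per hit. The function name Test-InsebroIndicators is my own; the Security Center value is only meaningful on XP-era systems where Windows Security Center tracks antivirus state, and it can also be set legitimately by some third-party security products, so treat it as corroborating rather than conclusive.

```powershell
# Added example, not the advisory's own code. Read-only: it changes nothing on the host.
# Run from an elevated PowerShell session so HKLM is readable.
function Test-InsebroIndicators {
    $findings = @()

    # 1. Dropped component that the trojan registers with regsvr32
    $dll = Join-Path $env:windir 'ieocx.dll'
    if (Test-Path -LiteralPath $dll) {
        $findings += [pscustomobject]@{ Indicator = 'Dropped file present'; Detail = $dll }
    }

    # 2. Security Center applet hidden from Control Panel ("don't load" is a real key)
    $dontLoad = "HKCU:\Control Panel\don't load"
    $v = Get-ItemProperty -Path $dontLoad -Name 'scui.cpl' -ErrorAction SilentlyContinue
    if ($v -and $v.'scui.cpl' -eq 'no') {
        $findings += [pscustomobject]@{ Indicator = 'Security Center applet hidden'
                                        Detail    = "$dontLoad\scui.cpl = no" }
    }

    # 3. Antivirus status notifications suppressed (also set by some legitimate AV products)
    $sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    $v = Get-ItemProperty -Path $sc -Name 'AntiVirusDisableNotify' -ErrorAction SilentlyContinue
    if ($v -and $v.AntiVirusDisableNotify -eq 1) {
        $findings += [pscustomobject]@{ Indicator = 'AV notifications disabled'
                                        Detail    = "$sc\AntiVirusDisableNotify = 1" }
    }

    # 4. Configuration key of the rogue product the dropper installs
    $rogue = 'HKCU:\Software\WinPC Defender'
    if (Test-Path -LiteralPath $rogue) {
        $findings += [pscustomobject]@{ Indicator = 'Rogue AV registry key present'; Detail = $rogue }
    }

    return $findings
}

$result = @(Test-InsebroIndicators)
if ($result.Count -eq 0) {
    'No Insebro.A indicators found.'
} else {
    $result | Format-Table -AutoSize
}
```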

Payload

Downloads and Executes Arbitrary Files

TrojanDropper:Win32/Insebro.A attempts to download and execute files from remote sites. In the wild, it has been observed contacting the following domains for this purpose:

  • winpcdown10.com
  • tubeloyal.com

TrojanDropper:Win32/Insebro.A has also been observed downloading and installing variants of Win32/Alureon and Win32/FakeRean on affected machines in this manner.

Analysis by Dan Kurc

Last update 01 May 2009
