Home / malwarePDF  

Trojan-Downloader:W32/Small.AAFH


First posted on 10 September 2008.
Source: SecurityHome

Aliases :

There are no other names known for Trojan-Downloader:W32/Small.AAFH.

Explanation :

This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.

right]The purpose of this malware is to spook users into believing that their system is riddled with malware. The frightened user would then be asked to buy a rogue antispyware program to deal with the supposed problem.

This malware arrives as a link in an email. To be infected, the user must click on the link, then download and run or install the malware. It can also be downloaded from a number of websites, such as:

http://neonbible.de/[Removed]/update.exe
http://www.intertopo.be/[Removed]/update.exe
http://www.dennis-luis.de/[Removed]/update.exe
http://www.aouq22.dsl.pipex.com/[Removed]/update.exe

Once installed, the malware will use a variety of tricks to alarm the user into thinking the system is infected with (other) malware. These tricks involve: changing the wallpaper to a 'Spyware Infection warning' wallpaper; changing the user's screensaver into a screensaver which looks like the 'blue screen of death'; and by displaying fake results from a fake system scan done by the trial version of a rogue antispyware program (detected as Rogue:W32/AntivirusXP2008.E) which was also secretly installed onto the system during the installation.

Each of these tricks is designed to persuade the user to buy the full, paid version of the rogue antispyware program. The trial version of the rogue antispyware program also includes details on how to purchase the full version.

This malware requires user action in order to be installed. Once installed, the tricky thing is that it removes all the current System Restore points in the system and creates a new one where it is already included. This means that rolling back to a previous System Restore point will not remove the malware.

Upon installation into the system, the wallpaper will be changed to this:


Leaving the system idle for 10 minutes brings up a screensaver which appears to be a 'blue screen of death' similar to this one:


When Rogue:W32/AntivirusXP2008.E executes, it will show this window:

Last update 10 September 2008

 

TOP

Malware :

Family: