
TrojanDownloader:Win32/Fakeinit


First posted on 25 February 2010.
Source: SecurityHome

Aliases :

TrojanDownloader:Win32/Fakeinit is also known as Adware/RealAntivirus (Panda), Fake-XPSecCenter (McAfee), Trojan.Zlob (Symantec).

Explanation :

TrojanDownloader:Win32/Fakeinit is a trojan that displays fake warnings of "malicious programs and viruses". It may download a fake scanner that informs the user that they need to pay money to register the software and remove these non-existent threats. TrojanDownloader:Win32/Fakeinit also terminates certain processes, lowers security settings, changes the desktop background, and attempts to download other malware such as Trojan:Win32/Fakeinit and Trojan:Win32/Alureon.CT. Note: Reports of Rogue Antivirus programs have been more prevalent as of late. These are programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software. Some of these programs, such as Trojan:Win32/Antivirusxp and Program:Win32/FakeRednefed, may display product names or logos in an apparently unlawful attempt to impersonate Microsoft products. Use Microsoft Windows Defender, Microsoft Security Essentials, the Windows Live safety scanner, or another up-to-date scanning and removal tool to detect and remove this threat and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.

Installation :

TrojanDownloader:Win32/Fakeinit copies itself as the following files:

  • <system folder>\smss32.exe
  • <system folder>\winlogon32.exe

These file names should not be confused with legitimate Windows files that have similar names ("smss.exe" and "winlogon.exe"). It also creates the following files, which may be detected as Trojan:HTML/Fakeinit:

  • <system folder>\warnings.html
  • %AppData%\Microsoft\Internet Explorer\Desktop.htt

TrojanDownloader:Win32/Fakeinit makes the following registry changes to ensure that it is run every time Windows starts:

    Adds value: "smss32.exe"
    With data: "<system folder>\smss32.exe"
    In subkeys:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Adds value: "Userinit"
    With data: "<system folder>\winlogon32.exe"
    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; for XP, Vista, and 7 it is C:\Windows\System32.

Payload :

Displays fake warning messages

TrojanDownloader:Win32/Fakeinit periodically displays messages suggesting that the computer is infected and that the user should download tools to remove the problem. These messages may be in the form of message boxes or system tray balloons. The desktop background is also changed to display a similar warning message. It does so using the Desktop.htt and warnings.html files dropped earlier, and by making the following registry changes:

    Adds value: "TileWallpaper"
    With data: "0"
    Adds value: "WallpaperStyle"
    With data: "2"
    Adds value: "Wallpaper"
    With data: "%systemRoot%\system32\warnings.html"
    Adds value: "BackupWallpaper"
    With data: "%systemRoot%\web\wallpaper\Bliss.bmp"
    Adds value: "WallpaperFileTime"
    With data: "<8 bytes>"
    Adds value: "WallpaperLocalFileTime"
    With data: "<8 bytes>"
    In subkey: HKCU\Software\Microsoft\Internet Explorer\Desktop\General

    Adds value: "TileWallpaper"
    With data: "0"
    Adds value: "WallpaperStyle"
    With data: "2"
    Adds value: "Wallpaper"
    With data: "C:\WINDOWS\web\wallpaper\Bliss.bmp"
    In subkey: HKCU\Control Panel\Desktop

It prevents the user from changing this background by making the following changes to the registry:

    Adds value: "NoSetActiveDesktop"
    With data: "1"
    Adds value: "NoChangingWallpaper"
    With data: "1"
    Adds value: "NoActiveDesktopChanges"
    With data: "1"
    In subkeys:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Downloads and executes arbitrary files

TrojanDownloader:Win32/Fakeinit contacts one or more servers from which it may download a number of files. As of this writing, some of the servers used are "for-sunny-se.com" and "winter-smile.com". It saves the downloaded files to locations such as the following:

  • <system folder>\helpers32.dll
  • <system folder>\ES15.exe
  • <system folder>\41.exe

At the time of this writing, TrojanDownloader:Win32/Fakeinit downloads two components of fake security software, which are detected as Trojan:Win32/Fakeinit, and a variant of Win32/Alureon, detected as Trojan:Win32/Alureon.CT. It then registers the DLL file, which acts as a Layered Service Provider (LSP) that may block access to certain Web sites. For more details please refer to the Trojan:Win32/Fakeinit description. Should the user click on the warnings described above, TrojanDownloader:Win32/Fakeinit copies the downloaded Fakeinit component to <system folder>\<5 digit random number>.exe and executes it to install the fake security software. The fake security software has been observed to use names such as "Internet Security 2010" and "Security Essentials 2010".

Terminates processes

TrojanDownloader:Win32/Fakeinit monitors running processes and terminates any process from the list below, displaying a message box in an attempt to convince the user that their system is infected. Note that the list includes the built-in administration tools a user would reach for to investigate (cmd.exe, msconfig.exe, regedit.exe, rstrui.exe, taskmgr.exe):

  • acrord32.exe
  • advanceddvdplayer.exe
  • calc.exe
  • chrome.exe
  • clonecd.exe
  • cmd.exe
  • control.exe
  • digitaleditions.exe
  • excel.exe
  • freecell.exe
  • fulltiltpoker.exe
  • gom.exe
  • googleearth.exe
  • hrtzzm.exe
  • icq.exe
  • illustrator.exe
  • la.exe
  • miranda32.exe
  • moviemk.exe
  • mplay32.exe
  • mplayer2.exe
  • mplayerc.exe
  • msconfig.exe
  • mshearts.exe
  • msimn.exe
  • msmsgs.exe
  • msnmsgr.exe
  • mspaint.exe
  • msworks.exe
  • nero.exe
  • neroexpressportable.exe
  • nfs.exe
  • notepad.exe
  • ois.exe
  • outlook.exe
  • photoshop.exe
  • pinball.exe
  • pokerstars.exe
  • powerdvd.exe
  • powerpnt.exe
  • powerpoi.exe
  • quicktimeplayer.exe
  • realplay.exe
  • realplayer.exe
  • recordingmanager.exe
  • regclonecd.exe
  • regedit.exe
  • rstrui.exe
  • rwcrun.exe
  • rwiperun.exe
  • setup_wm.exe
  • shvlzm.exe
  • sidebar.exe
  • skype.exe
  • skypepm.exe
  • sndvol32.exe
  • sol.exe
  • spider.exe
  • taskmgr.exe
  • thebat.exe
  • tvp.exe
  • utorrent.exe
  • vmware.exe
  • winamp.exe
  • windowsanytimeupgradeui.exe
  • windvd.exe
  • winmine.exe
  • winrar.exe
  • winword.exe
  • wmplayer.exe
  • word.exe
  • wupdmgr.exe

Disables Task Manager and Phishing Filter, and lowers computer security settings

TrojanDownloader:Win32/Fakeinit attempts to disable Internet Explorer's Phishing Filter by making the following registry changes:

    Adds value: "Enabled"
    With data: "0"
    Adds value: "EnabledV8"
    With data: "0"
    In subkey: HKCU\Software\Microsoft\Internet Explorer\PhishingFilter

    Adds value: "EnabledV8"
    With data: "0"
    In subkey: HKLM\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter

It attempts to disable Task Manager with the following change:

    Adds value: "DisableTaskMgr"
    With data: "1"
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System

It attempts to place sites used by the particular variant of Win32/Fakeinit into the Trusted Sites Zone (zone 2 in the ZoneMap):

    Adds value: "http"
    With data: "2"
    In subkeys:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-security-essentials.com
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-security-essentials.com

    Adds value: "http"
    With data: "2"
    In subkeys:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\get-key-se10.com
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\get-key-se10.com

    Adds value: "http"
    With data: "2"
    In subkeys:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\download-soft-package.com
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\download-soft-package.com

    Adds value: "Flag"
    With data: "67"
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
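As an added example that is not part of the original description, the following PowerShell script performs a read-only triage of a Windows host for the file, registry and process indicators listed above. The function name Get-FakeinitIndicators and the wildcard patterns used to match registry data are my own choices; every path, value name and domain comes from the description.

```powershell
# Added example, not from the original advisory: read-only triage for the host
# indicators listed above. Run from an elevated PowerShell prompt; it changes nothing.
function Get-FakeinitIndicators {
    $sys  = [Environment]::GetFolderPath('System')   # the advisory's <system folder>
    $hits = @()

    # Dropped and downloaded files named in the Installation and Downloads sections.
    $files = @('smss32.exe', 'winlogon32.exe', 'warnings.html',
               'helpers32.dll', 'ES15.exe', '41.exe') | ForEach-Object { Join-Path $sys $_ }
    $files += Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Desktop.htt'
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) { $hits += "file present: $f" }
    }

    # Registry values from the description: key -> @{ valueName = wildcard for its data }.
    # The wildcards are an assumption so the check tolerates a non-default system folder.
    $reg = @{
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'             = @{ 'smss32.exe' = '*\smss32.exe' }
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'             = @{ 'smss32.exe' = '*\smss32.exe' }
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'     = @{ 'Userinit' = '*winlogon32.exe*' }
        'HKCU:\Software\Microsoft\Internet Explorer\Desktop\General'      = @{ 'Wallpaper' = '*\warnings.html' }
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' = @{ 'DisableTaskMgr' = '1' }
        'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter'       = @{ 'Enabled' = '0'; 'EnabledV8' = '0' }
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter'       = @{ 'EnabledV8' = '0' }
    }
    # Domains the sample adds to the Trusted Sites zone (ZoneMap value "http" = 2).
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($d in 'buy-security-essentials.com', 'get-key-se10.com', 'download-soft-package.com') {
            $reg["${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$d"] = @{ 'http' = '2' }
        }
    }
    foreach ($key in $reg.Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($name in $reg[$key].Keys) {
            $prop = $props.PSObject.Properties[$name]
            if ($prop -and ("$($prop.Value)" -like $reg[$key][$name])) {
                $hits += "registry: $key\$name = $($prop.Value)"
            }
        }
    }

    # Running copies of the dropped executables, whose names mimic smss.exe and winlogon.exe.
    foreach ($p in (Get-Process -Name 'smss32', 'winlogon32' -ErrorAction SilentlyContinue)) {
        $hits += "process running: $($p.Name) (PID $($p.Id))"
    }
    return $hits
}

$findings = Get-FakeinitIndicators
if ($findings.Count -eq 0) { 'No Fakeinit indicators found.' } else { $findings }
```

A clean result does not clear the host: the downloaded component names and the LSP DLL vary between variants, so treat this as a quick first pass before a full scan with an up-to-date tool.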

    Analysis by David Wood

    Last update 25 February 2010

     
