VBS/TrojanDownloader.FakeAlert [Threat Name]

VBS/TrojanDownloader.FakeAlert.A [Threat Variant Name]

Category: trojan
Size: 2203 B
Detection created: Jul 26, 2010
Detection database version: 5314
Aliases: Trojan-Downloader.VBS.Agent.zo (Kaspersky), Trojan.Malcol (Symantec), VBS:Agent-EZ (Avast)

Short description

VBS/TrojanDownloader.FakeAlert.A is a trojan which tries to download other malware from the Internet.

Installation

The trojan does not create any copies of itself.


The trojan is usually part of other malware named BAT/TrojanDownloader.FakeAlert.A.


The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Security Center]
    • "FirewallDisableNotify" = 1
    • "UpdatesDisableNotify" = 1
    • "AntiVirusDisableNotify" = 1
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center]
    • "FirewallDisableNotify" = 1
    • "UpdatesDisableNotify" = 1
    • "AntiVirusDisableNotify" = 1
  • [HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
    • "EnableFirewall" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
    • "EnableFirewall" = 0
  • [HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
    • "EnableFirewall" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
    • "EnableFirewall" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "NoClose" = 1
    • "NoLogoff" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    • "DisableSR" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services]
    • "sr" = 4
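
As an added example (not part of the original description and not the vendor's code), the following Python script checks the text of a `.reg` export against the registry values listed above. The export text is constructed sample data; the function name `find_indicators` and the assumption that the values are stored as `dword:` data are this example's own.

```python
import re

# (key path, value name) -> data, taken from the registry list on this page.
SC = r"Software\Microsoft\Security Center"
FW = r"SOFTWARE\Policies\Microsoft\WindowsFirewall"
INDICATORS = {}
for hive in ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"):
    for name in ("FirewallDisableNotify", "UpdatesDisableNotify", "AntiVirusDisableNotify"):
        INDICATORS[(f"{hive}\\{SC}".lower(), name.lower())] = 1
    for profile in ("DomainProfile", "StandardProfile"):
        INDICATORS[(f"{hive}\\{FW}\\{profile}".lower(), "enablefirewall")] = 0
EXPLORER = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer".lower()
INDICATORS[(EXPLORER, "noclose")] = 1
INDICATORS[(EXPLORER, "nologoff")] = 1
INDICATORS[(r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore".lower(), "disablesr")] = 1
# Kept exactly as the page lists it (value "sr" under the Services key).
INDICATORS[(r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services".lower(), "sr")] = 4

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{1,8})$')

def find_indicators(reg_text):
    """Return sorted (key, value name, data) tuples in a .reg export that match the list."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)  # remember the key the following values belong to
            continue
        m = VAL_RE.match(line)
        if m and key:
            data = int(m.group(2), 16)  # dword data is written in hexadecimal
            if INDICATORS.get((key.lower(), m.group(1).lower())) == data:
                hits.append((key, m.group(1), data))
    return sorted(hits)

# Constructed sample export, for illustration only.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoClose"=dword:00000001
'''
if __name__ == "__main__":
    print(*find_indicators(SAMPLE_EXPORT), sep="\n")
```

Registry Editor writes version 5.00 exports as UTF-16, so decode the file accordingly before passing its text to the function. Some of these values can also be set by legitimate administrative policy, so a match is a reason to investigate, not proof of infection.
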
Other information

The trojan contains a list of 2 URLs. It tries to download several files from these addresses.


These are stored in the following locations:

  • c:\309463.exe (Win32/Adware.AntivirusPlatinum.A, 757637 B)
  • c:\049256.exe (BAT/KillFiles.NCX, 24064 B)

The files are then executed. The HTTP protocol is used in the communication.

