Win32/AntiAV [Threat Name]

Win32/AntiAV.NIE [Threat Variant Name]

Category: trojan
Size: 20992 B
Detection created: Dec 16, 2012
Detection database version: 7806
Aliases: Trojan-Dropper.Win32.Agent.hgsy (Kaspersky)
         Win32:Fraudo (Avast)
Short description

Win32/AntiAV.NIE is a trojan that interferes with the operation of some security applications.

Installation

When executed, the trojan creates the following files:

  • %windir%\msv3_0.dll (2560 B)
  • %windir%\ntdll.dll:d1 (5720 B)

The trojan creates copies of the following files (source, destination):

  • %windir%\system32\ntdll.dll, %windir%\ntdll.dll

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\AvastSvc.exe]
    • "{fbf19186-a63a-44c1-b79d-2079e56cfe0e}.sdb" = %variable%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\AvastUI.exe]
    • "{fbf19186-a63a-44c1-b79d-2079e56cfe0e}.sdb" = %variable%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\avfwsvc.exe]
    • "{fbf19186-a63a-44c1-b79d-2079e56cfe0e}.sdb" = %variable%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\avguard.exe]
    • "{fbf19186-a63a-44c1-b79d-2079e56cfe0e}.sdb" = %variable%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\avmailc.exe]
    • "{fbf19186-a63a-44c1-b79d-2079e56cfe0e}.sdb" = %variable%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\avp.exe]
    • "{fbf19186-a63a-44c1-b79d-2079e56cfe0e}.sdb" = %variable%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\avwebgrd.exe]
    • "{fbf19186-a63a-44c1-b79d-2079e56cfe0e}.sdb" = %variable%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\bdagent.exe]
    • "{fbf19186-a63a-44c1-b79d-2079e56cfe0e}.sdb" = %variable%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\ccSvcHst.exe]
    • "{fbf19186-a63a-44c1-b79d-2079e56cfe0e}.sdb" = %variable%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\dwengine.exe]
    • "{fbf19186-a63a-44c1-b79d-2079e56cfe0e}.sdb" = %variable%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\dwnetfilter.exe]
    • "{fbf19186-a63a-44c1-b79d-2079e56cfe0e}.sdb" = %variable%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\dwservice.exe]
    • "{fbf19186-a63a-44c1-b79d-2079e56cfe0e}.sdb" = %variable%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\ekrn.exe]
    • "{fbf19186-a63a-44c1-b79d-2079e56cfe0e}.sdb" = %variable%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\fshoster32.exe]
    • "{fbf19186-a63a-44c1-b79d-2079e56cfe0e}.sdb" = %variable%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\fsm32.exe]
    • "{fbf19186-a63a-44c1-b79d-2079e56cfe0e}.sdb" = %variable%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\fsma32.exe]
    • "{fbf19186-a63a-44c1-b79d-2079e56cfe0e}.sdb" = %variable%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\fsorsp.exe]
    • "{fbf19186-a63a-44c1-b79d-2079e56cfe0e}.sdb" = %variable%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\mcagent.exe]
    • "{fbf19186-a63a-44c1-b79d-2079e56cfe0e}.sdb" = %variable%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\mcshield.exe]
    • "{fbf19186-a63a-44c1-b79d-2079e56cfe0e}.sdb" = %variable%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\mcsvhost.exe]
    • "{fbf19186-a63a-44c1-b79d-2079e56cfe0e}.sdb" = %variable%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\mfefire.exe]
    • "{fbf19186-a63a-44c1-b79d-2079e56cfe0e}.sdb" = %variable%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\mfevtps.exe]
    • "{fbf19186-a63a-44c1-b79d-2079e56cfe0e}.sdb" = %variable%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\op_mon.exe]
    • "{fbf19186-a63a-44c1-b79d-2079e56cfe0e}.sdb" = %variable%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\PavFnSvr.exe]
    • "{fbf19186-a63a-44c1-b79d-2079e56cfe0e}.sdb" = %variable%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\PavPrSrv.exe]
    • "{fbf19186-a63a-44c1-b79d-2079e56cfe0e}.sdb" = %variable%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\pavsrvx86.exe]
    • "{fbf19186-a63a-44c1-b79d-2079e56cfe0e}.sdb" = %variable%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\PsCtrlS.exe]
    • "{fbf19186-a63a-44c1-b79d-2079e56cfe0e}.sdb" = %variable%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\PSHost.exe]
    • "{fbf19186-a63a-44c1-b79d-2079e56cfe0e}.sdb" = %variable%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\PsImSvc.exe]
    • "{fbf19186-a63a-44c1-b79d-2079e56cfe0e}.sdb" = %variable%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\psksvc.exe]
    • "{fbf19186-a63a-44c1-b79d-2079e56cfe0e}.sdb" = %variable%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\spideragent.exe]
    • "{fbf19186-a63a-44c1-b79d-2079e56cfe0e}.sdb" = %variable%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\vsserv.exe]
    • "{fbf19186-a63a-44c1-b79d-2079e56cfe0e}.sdb" = %variable%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\zatray.exe]
    • "{fbf19186-a63a-44c1-b79d-2079e56cfe0e}.sdb" = %variable%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{fbf19186-a63a-44c1-b79d-2079e56cfe0e}]
    • "DatabasePath" = "%windir%\ntdll.dll:d1"
    • "DatabaseType" = 65536
    • "DatabaseDescription" = "1"
    • "DatabaseInstallTimeStamp" = %variable%

A value with variable content is used instead of %variable%.

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\op_mon.exe]
    • "Debugger" = "\systemroot\x7c"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcagent.exe]
    • "Debugger" = "\systemroot\x7c"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe]
    • "Debugger" = "\systemroot\x7c"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfefire.exe]
    • "Debugger" = "\systemroot\x7c"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfevtps.exe]
    • "Debugger" = "\systemroot\x7c"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsvhost.exe]
    • "Debugger" = "\systemroot\x7c"

The modified Registry entries will prevent specific files from being executed.
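A triage check for the two registry techniques described above (per-process shim databases registered under AppCompatFlags, and Image File Execution Options "Debugger" values), added here as an example; it is not ESET's code. It parses constructed `reg export` text rather than a live hive, and assumes that legitimately installed custom shim databases live under %windir%\AppPatch\Custom, so a DatabasePath elsewhere, or one naming an alternate data stream, is flagged.

```python
# Constructed "reg export" sample (not a real capture) following the pattern this page describes.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\ekrn.exe]
"{fbf19186-a63a-44c1-b79d-2079e56cfe0e}.sdb"=hex(b):00,00,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{fbf19186-a63a-44c1-b79d-2079e56cfe0e}]
"DatabasePath"="%windir%\\ntdll.dll:d1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe]
"Debugger"="\\systemroot\\x7c"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Windows\\System32\\vsjitdebugger.exe"
"""

HKLM_NT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
SHIM_DIR = "\\apppatch\\custom\\"  # assumption: where sdbinst normally stores custom SDBs

def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data
    return keys

def reg_sz(data):
    """Unquote a REG_SZ value written in .reg syntax (quotes, doubled backslashes)."""
    return data.strip('"').replace("\\\\", "\\")

def find_av_tampering(text):
    """Flag shim DBs stored outside the normal directory or in an alternate data
    stream (colon in the file name), and IFEO Debugger values that are not executables."""
    keys, findings = parse_reg(text), []
    installed = {k.rsplit("\\", 1)[1].lower(): v for k, v in keys.items()
                 if k.startswith(HKLM_NT + "\\AppCompatFlags\\InstalledSDB\\")}
    for key, values in keys.items():
        exe = key.rsplit("\\", 1)[1]
        if key.startswith(HKLM_NT + "\\AppCompatFlags\\Custom\\"):
            for sdb in (n for n in values if n.lower().endswith(".sdb")):
                path = reg_sz(installed.get(sdb[:-4].lower(), {}).get("DatabasePath", ""))
                if ":" in path.rsplit("\\", 1)[-1] or SHIM_DIR not in path.lower():
                    findings.append(f"shim for {exe}: SDB {sdb} loads from {path or 'unknown'}")
        elif key.startswith(HKLM_NT + "\\Image File Execution Options\\") and "Debugger" in values:
            dbg = reg_sz(values["Debugger"])
            if ".exe" not in dbg.lower():
                findings.append(f"IFEO Debugger for {exe} is not an executable: {dbg}")
    return findings
```

Against a live system, feed the function the output of `reg export` for the two parent keys; the vsjitdebugger.exe entry in the sample shows that an ordinary Debugger registration is not flagged.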

Other information

The trojan may display the following dialog boxes:
