Win32/FakeTrusteer [Threat Name]

Win32/FakeTrusteer.A [Threat Variant Name]

Category trojan
Size 131072 B
Detection created Feb 10, 2012
Detection database version 6875
Aliases Trojan-Dropper.Win32.Injector.dily (Kaspersky)
  Trojan:Win32/Matsnu.gen!A (Microsoft)
  Backdoor.Matsnu (Symantec)
Short description

Win32/FakeTrusteer.A installs a backdoor that can be controlled remotely.

Installation

When executed, the trojan copies itself to the following locations:

  • %system%\%variable1%.exe
  • %temp%\%variable2%.exe

The following files are dropped:

  • C:\Windows\RPService.exe (18944 B)
  • C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (18944 B)

The files are then executed.

The trojan executes the following files:

  • svchost.exe

The trojan creates and runs a new thread with its own program code within the following processes:

  • svchost.exe
  • iexplore.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable3%" = "%system%\%variable1%.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Userinit" = "%originalvalue%, %system%\%variable1%.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    • "Load" = "%temp%\%variable2%.exe"

A string with variable content is used instead of %variable1-3%.

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.eze]
    • "(Default)" = "MyEze.1"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MyEze.1\shell\open\command]
    • "(Default)" = "%system%\RPService.exe %0 %1 %2"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportSetup-Full.exe]
    • "Debugger" = "RPXService.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportSetup.exe]
    • "Debugger" = "RPXService.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportMgmtService.exe]
    • "Debugger" = "RPService.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportService.exe]
    • "Debugger" = "RPService.exe"

The trojan moves the following files (source, destination):

  • %appdata%\Trusteer\*.*, %appdata%\Trustee\*.*
  • %programfiles%\Trusteer\*.*, %programfiles%\Trustee\*.*
  • %programfiles%\Trustee\Rapport\bin\RapportService.exe, %programfiles%\Trustee\Rapport\bin\RapportService.eze
  • %system%\drivers\RapportKELL.sys, %system%\drivers\RaportKELL.sys
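
The registry entries and file renames above are the host-side indicators a responder would look for. The following script is an added example written for this page (it is not ESET's tooling and not part of the original write-up): it parses a registry dump in the text format that `reg export` writes and walks a list of file paths, flagging the Run/Userinit/Load persistence, the Image File Execution Options "Debugger" values aimed at Rapport images, the ".eze" handler and the Trusteer-to-Trustee renames. The registry dump, the file paths, and the names xkq.exe and rtk.exe (standing in for the %variable1-3% placeholders) are constructed sample data; the benign notepad.exe IFEO entry is included so the check shows that an ordinary debugger registration does not fire.

```python
"""Offline triage for the Win32/FakeTrusteer.A indicators listed above.
Added example, not ESET's tooling: parses a `reg export` style dump and a
file path list (both constructed samples) and flags the persistence,
IFEO "Debugger", ".eze" handler and Trusteer-rename indicators."""
import re
from typing import Dict, List

# Constructed dump; xkq/rtk stand in for the page's %variable1-3%. The
# notepad.exe IFEO entry is a benign debugger registration and must not fire.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\u\\AppData\\Local\\OneDrive.exe"
"xkq"="C:\\Windows\\System32\\xkq.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,, C:\\Windows\\System32\\xkq.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"="C:\\Users\\u\\AppData\\Local\\Temp\\rtk.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.eze]
@="MyEze.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportService.exe]
"Debugger"="RPService.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Windows\\System32\\vsjitdebugger.exe"
"""

IFEO = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options"
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
RUN = r"hkey_current_user\software\microsoft\windows\currentversion\run"
LOAD = r"hkey_current_user\software\microsoft\windows nt\currentversion\windows"
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """[key] / "name"="value" lines -> {key: {name: value}}; "@" is (Default)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if value.startswith('"') and value.endswith('"'):
                # reg export doubles backslashes inside quoted strings
                value = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = value
    return keys


def check_registry(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one line per registry indicator matched in the parsed dump."""
    findings: List[str] = []
    userinit_extra: List[str] = []
    run_values: Dict[str, str] = {}
    for key, values in keys.items():
        k = key.lower()
        if k.startswith(IFEO + "\\"):
            # A Debugger value makes Windows start that program instead of the
            # image; only Rapport* images are flagged, real debuggers pass.
            image = key.rsplit("\\", 1)[1]
            if image.lower().startswith("rapport") and values.get("Debugger"):
                findings.append(f"IFEO hijack: {image} -> {values['Debugger']}")
        elif k == WINLOGON:
            parts = [p.strip() for p in values.get("Userinit", "").split(",")]
            userinit_extra = [p for p in parts if p and p.lower() != DEFAULT_USERINIT]
            if userinit_extra:
                findings.append("Userinit extended with: " + ", ".join(userinit_extra))
        elif k == LOAD and values.get("Load"):
            findings.append("HKCU Windows\\Load set to " + values["Load"])
        elif k == RUN:
            run_values = dict(values)
        elif k.endswith(r"\classes\.eze"):
            findings.append(".eze handler registered: " + values.get("(Default)", "?"))
    # The same binary in Run and appended to Userinit is the double
    # persistence described above; report the Run value that overlaps.
    extra = {p.lower() for p in userinit_extra}
    for name, target in run_values.items():
        if target.lower() in extra:
            findings.append(f"Run value '{name}' duplicates Userinit target {target}")
    return findings


# Constructed path list; the last entry is an untouched legitimate install.
SAMPLE_PATHS = [
    r"C:\Program Files\Trustee\Rapport\bin\RapportService.eze",
    r"C:\Windows\System32\drivers\RaportKELL.sys",
    r"C:\Windows\RPService.exe",
    r"C:\Program Files\Trusteer\Rapport\bin\RapportService.exe",
]
FILE_INDICATORS = [
    (re.compile(r"\\trustee\\", re.I), "Trusteer folder renamed to Trustee"),
    (re.compile(r"\\rapportservice\.eze$", re.I), "RapportService.exe renamed to .eze"),
    (re.compile(r"\\drivers\\raportkell\.sys$", re.I), "RapportKELL.sys renamed to RaportKELL.sys"),
    (re.compile(r"^c:\\windows\\rpservice\.exe$", re.I), "dropped RPService.exe in C:\\Windows"),
]


def check_paths(paths: List[str]) -> List[str]:
    """Match each path against the rename/drop indicators; one line per hit."""
    return [f"{why}: {p}" for p in paths for rx, why in FILE_INDICATORS if rx.search(p)]


if __name__ == "__main__":
    print("\n".join(check_registry(parse_reg_export(SAMPLE_REG_EXPORT)) + check_paths(SAMPLE_PATHS)))
```

On a live host the same functions can be fed the output of `reg export HKLM\SOFTWARE hklm.reg` (and the HKCU equivalent) plus a directory listing of the Trusteer install and the drivers folder; the Run/Userinit cross-check matters because a random System32 name in Run alone is a weak signal, while the same binary also appended to Userinit matches the double persistence this family sets.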

After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan collects the following information:

  • user name
  • computer name
  • volume serial number

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (5) URLs. The HTTP protocol is used.

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • remove itself from the infected computer
  • delete files
  • delete folders

The trojan may delete the following files:

  • ntdetect.com
  • ntldr

The trojan executes the following files:

  • cmd.exe
  • reg.exe
  • taskkill.exe

The trojan may restart the operating system.

The trojan hooks the following Windows APIs:

  • EndPaint (user32.dll)

The trojan affects the behavior of the following applications:

  • iexplore.exe
