Win32/TrojanDownloader.FakeAlert [Threat Name]

Win32/TrojanDownloader.FakeAlert.AQI [Threat Variant Name]

Category trojan
Size 265512 B
Detection created Dec 10, 2009
Detection database version 4677
Aliases Downloader-CEW.au.trojan (McAfee)
  Trojan.FakeAV!gen63 (Symantec)
Short description

Win32/TrojanDownloader.FakeAlert.AQI is a trojan which tries to download other malware from the Internet.

Installation

The trojan does not create any copies of itself.


The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable%" = "%malwarefilepath%"

This causes the trojan to be executed on every system start.


A string with variable content is used instead of %variable%.


The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    • "Disable Script Debugger" = "yes"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones]
    • "1601" = 0

The trojan schedules a task that causes the following file to be executed daily:

  • %malwarefilepath%

The trojan creates the following file:

  • %windir%\Tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of 5 URLs. Communication with them uses the HTTP protocol.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • block access to specific websites
  • open a specific URL address

The trojan sends HTTP requests to simulate clicks on banner advertisements, to inflate web counter statistics etc.


The trojan checks for Internet connectivity by trying to connect to the following servers:

  • hudong.com
  • tom.com
  • washingtonpost.com

The trojan keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU\%variable%]

A string with variable content is used instead of %variable%.


It can send various information about the infected computer.
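A read-only audit for the persistence and configuration artefacts listed under Installation and Other information above, to be run in the context of the user whose HKCU hive is being checked. This is an added example, not part of the ESET entry; it assumes the registry paths, value names and task-file GUID exactly as given on this page and takes %windir% from the environment.

```powershell
# Added read-only audit for the artefacts listed in this entry; not ESET code.
# Inspects the current user's HKCU hive and %windir%\Tasks. Reports only.
$findings = New-Object System.Collections.Generic.List[string]

function Test-RegValue($Path, $Name, $Expected) {
    # Returns $true when the value exists and matches the documented setting
    if (-not (Test-Path $Path)) { return $false }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ("$($item.$Name)" -eq "$Expected")
}

# 1. Internet Explorer settings the entry says are changed
if (Test-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\Main' 'Disable Script Debugger' 'yes') {
    $findings.Add('IE Main: "Disable Script Debugger" = "yes"')
}
if (Test-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones' '1601' 0) {
    $findings.Add('Internet Settings\Zones: "1601" = 0')
}

# 2. Data-storage key with the fixed name from this entry (subkey name varies)
$storeKey = 'HKCU:\SOFTWARE\NtWqIVLZEWZU'
if (Test-Path $storeKey) {
    $findings.Add("Registry key present: $storeKey")
}

# 3. Scheduled task file with the GUID named in this entry
$job = Join-Path $env:windir 'Tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job'
if (Test-Path $job) {
    $findings.Add("Task file present: $job")
}

# 4. Run key: the value name varies, so list every autostart entry for review
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    $names = ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name
    foreach ($name in $names) {
        $findings.Add("Run entry for review: '$name' = $($props.$name)")
    }
}

if ($findings.Count -eq 0) { 'No FakeAlert.AQI artefacts found.' } else { $findings }
```

The Run-key section is deliberately a listing rather than a match, since the page gives no fixed value name; an unexpected entry pointing at the path that the scheduled task also launches is the pattern to look for.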
