Win32/TrojanDownloader.Prodatect [Threat Name]

Win32/TrojanDownloader.Prodatect.BK [Threat Variant Name]

Category trojan
Size 574464 B
Detection created Mar 12, 2011
Detection database version 5948
Aliases Trojan.Win32.FakeAv.bhcw (Kaspersky)
  Trojan:Win32/FakeSysdef (Microsoft)
  Downloader-AWM.gen.r (McAfee)
Short description

Win32/TrojanDownloader.Prodatect.BK is a trojan that installs Win32/Adware.HDDRescue.AA malware. The trojan tries to download and execute several files from the Internet.

Installation

When executed, the trojan copies itself into some of the following locations:

  • %commonappdata%\SkpnENxqYUnKKo.exe (574464 B)
  • %temp%\WindowsUpdate.exe (574464 B)

This copy of the trojan is then executed.


The following file is dropped in the same folder:

  • %variable%.exe (525312 B, Win32/Adware.HDDRescue.AA)

A string with variable content is used instead of %variable%.


The trojan creates the following files:

  • %desktop%\System Diagnostic.lnk
  • %programs%\System Diagnostic\System Diagnostic.lnk
  • %programs%\System Diagnostic\Uninstall System Diagnostic.lnk

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableTaskMgr" = 1
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableTaskMgr" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
    • "CheckExeSignatures" = "no"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
    • "SaveZoneInformation" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
    • "LowRiskFileTypes" = "/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:"
  • [HKCU\Software]
    • "BD" = "%malwarefilepath%"

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "SkpnENxqYUnKKo" = "%appdata%\SkpnENxqYUnKKo.exe"
  • [HKEY_CURRENT_USER\Software]
    • "75fa38b7-8b94-4995-ad32-52e938867954" = ""
    • "dc16eb3c-e0f6-446f-8d27-912251f8e6da" = ""
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "Hidden" = 0
    • "ShowSuperHidden" = 0

After the installation is complete, the trojan deletes the original executable file.
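The Registry entries above are the host-side indicators a responder would check first. The "LowRiskFileTypes" value, as the entry prints it, is not random: XOR-ing every character with 1 turns "/" into ".", ":" into ";" and the letters into a plain list of extensions (.zip, .rar, .exe, .bat, .scr and so on), i.e. the file types for which the attachment-execution warning is suppressed. The following added example (my code, not ESET's) decodes that value and checks a registry snapshot against the indicators listed in this entry. The snapshot dictionaries are constructed for the demonstration; on a real host the same (key, value name) -> data pairs would come from a registry export. "DisableTaskMgr" and the Explorer "Hidden" settings can also be set by legitimate policy, so a single match is a lead to corroborate with the file paths above, not proof of infection.

```python
from __future__ import annotations

# Added example, not ESET's code. Registry keys and data are the ones this
# entry lists; INFECTED and CLEAN are constructed sample snapshots.

# "LowRiskFileTypes" exactly as the entry shows it.
OBFUSCATED_LOW_RISK = (
    "/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:"
    "/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:"
)


def decode_low_risk_file_types(value: str) -> list[str]:
    """XOR each character with 1 ('/'->'.', ':'->';', '{'->'z', '`'->'a')
    and split on ';'. Returns the extensions the value whitelists."""
    clear = "".join(chr(ord(c) ^ 1) for c in value)
    return [ext for ext in clear.split(";") if ext]


def regkey(*parts: str) -> str:
    """Join registry path components with a backslash."""
    return "\\".join(parts)


HKCU, HKLM = "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"
CV = r"Software\Microsoft\Windows\CurrentVersion"
IE_DOWNLOAD = regkey(HKCU, r"Software\Microsoft\Internet Explorer\Download")
RUN_KEY = regkey(HKCU, CV, "Run")
ASSOC_KEY = regkey(HKCU, CV, r"Policies\Associations")

# (key, value name) -> data the entry says the trojan writes.
INDICATORS = {
    (regkey(HKCU, CV, r"Policies\System"), "DisableTaskMgr"): 1,
    (regkey(HKLM, CV, r"Policies\System"), "DisableTaskMgr"): 1,
    (IE_DOWNLOAD, "CheckExeSignatures"): "no",
    (regkey(HKCU, CV, r"Policies\Attachments"), "SaveZoneInformation"): 1,
    (regkey(HKCU, CV, r"Explorer\Advanced"), "Hidden"): 0,
    (regkey(HKCU, CV, r"Explorer\Advanced"), "ShowSuperHidden"): 0,
}


def match_indicators(snapshot: dict[tuple[str, str], object]) -> list[str]:
    """Return a finding string for every listed indicator present in the
    snapshot. Key and value names are compared case-insensitively, as the
    Registry itself does."""
    norm = {(k.lower(), v.lower()): d for (k, v), d in snapshot.items()}
    findings = []
    for (key, name), expected in INDICATORS.items():
        if norm.get((key.lower(), name.lower())) == expected:
            findings.append(f"{key}\\{name} = {expected!r}")
    # Run-key persistence under the name the entry documents.
    run_data = norm.get((RUN_KEY.lower(), "skpnenxqyunkko"))
    if run_data is not None:
        findings.append(f"Run entry SkpnENxqYUnKKo -> {run_data}")
    # LowRiskFileTypes is written obfuscated; decode before judging it.
    low_risk = norm.get((ASSOC_KEY.lower(), "lowriskfiletypes"))
    if isinstance(low_risk, str) and ".exe" in decode_low_risk_file_types(low_risk):
        findings.append("LowRiskFileTypes (XOR-1 obfuscated) whitelists .exe")
    return findings


# Constructed snapshot of an infected host, populated from the entry.
INFECTED = {
    (regkey(HKCU, CV, r"Policies\System"), "DisableTaskMgr"): 1,
    (regkey(HKLM, CV, r"Policies\System"), "DisableTaskMgr"): 1,
    (IE_DOWNLOAD, "CheckExeSignatures"): "no",
    (regkey(HKCU, CV, r"Policies\Attachments"), "SaveZoneInformation"): 1,
    (ASSOC_KEY, "LowRiskFileTypes"): OBFUSCATED_LOW_RISK,
    (RUN_KEY, "SkpnENxqYUnKKo"): r"%appdata%\SkpnENxqYUnKKo.exe",
    (regkey(HKCU, CV, r"Explorer\Advanced"), "Hidden"): 0,
    (regkey(HKCU, CV, r"Explorer\Advanced"), "ShowSuperHidden"): 0,
}

# Constructed clean baseline: hidden files shown, signature check on.
CLEAN = {
    (regkey(HKCU, CV, r"Explorer\Advanced"), "Hidden"): 1,
    (regkey(HKCU, CV, r"Explorer\Advanced"), "ShowSuperHidden"): 1,
    (IE_DOWNLOAD, "CheckExeSignatures"): "yes",
}

if __name__ == "__main__":
    print(decode_low_risk_file_types(OBFUSCATED_LOW_RISK))
    for line in match_indicators(INFECTED):
        print("[!]", line)
    print("clean host findings:", match_indicators(CLEAN))
```

Run as a script it prints the decoded extension list, eight findings for the constructed infected snapshot and none for the baseline. To use it on a real export, build the snapshot dictionary from the key path, value name and data of each exported value and pass it to match_indicators.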

Other information

Win32/TrojanDownloader.Prodatect.BK is a trojan that installs Win32/Adware.HDDRescue.AA malware.


The adware displays fake warnings about threats detected on the compromised computer that need to be removed. The problems/threats are fake.



The goal of the program is to persuade the user to purchase the product.


The trojan contains a list of 2 URLs.


It tries to download a file from the addresses.


The file is stored in the following location:

  • %temp%\InternetExplorerUpdate.exe

The file is then executed. The HTTP protocol is used.


It can execute the following operations:

  • hide taskbar
  • shut down/restart the computer

The trojan may execute the following commands:

  • attrib.exe +h "%userprofile%\*.* " /s /d
  • attrib.exe +h "%drive%\*.*" /s /d
  • attrib.exe -h "%userprofile%\*.* " /s /d
  • attrib.exe -h "%drive%\*.*" /s /d

The following programs are terminated:

  • msascui.exe
  • msseces.exe
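The attrib.exe commands above are what makes the user's files "disappear" during the fake diagnostic, and they are easy to spot in process-creation telemetry: a recursive +h over a whole user profile or a drive root is rarely legitimate. The added example below (my code, not ESET's) evaluates constructed Sysmon-style process-creation records for two things this entry documents: recursive hiding of a profile or drive with attrib.exe, and execution of one of the dropped file names from the drop locations. The records, the user name and the expansions of %temp% and %commonappdata% (Temp under the profile, ProgramData or All Users\Application Data) are assumptions made for the demonstration.

```python
from __future__ import annotations
import re

# Added example, not ESET's code. Command lines follow the entry; the event
# records below are constructed, with expanded paths assumed.

# attrib[.exe] +h "<target>\*.*" /s /d  (optional quotes, optional trailing
# space inside the quotes as in the entry's first command)
ATTRIB_HIDE = re.compile(
    r'attrib(?:\.exe)?\s+\+h\s+"?(?P<target>[^"]+?)\\\*\.\*\s*"?\s+/s\s+/d',
    re.IGNORECASE,
)
PROFILE_ROOT = re.compile(r"[a-z]:\\users\\[^\\]+", re.IGNORECASE)  # assumed layout
DRIVE_ROOT = re.compile(r"[a-z]:", re.IGNORECASE)

# File names the entry lists under %temp% and %commonappdata%.
DROPPED_NAMES = {"windowsupdate.exe", "internetexplorerupdate.exe", "skpnenxqyunkko.exe"}
# Assumed expansions of those variables (path fragments, lower-case).
DROP_DIRS = ("\\temp\\", "\\programdata\\", "\\all users\\application data\\")


def classify(event: dict[str, str]) -> list[str]:
    """Return the names of the rules one process-creation record triggers."""
    hits: list[str] = []
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")

    m = ATTRIB_HIDE.search(cmd)
    if m:
        target = m.group("target").rstrip("\\")
        # Only a whole profile or a whole drive counts; hiding one folder is normal.
        if DRIVE_ROOT.fullmatch(target) or PROFILE_ROOT.fullmatch(target):
            hits.append("attrib_recursive_hide_profile_or_drive")

    name = image.rsplit("\\", 1)[-1]
    if name in DROPPED_NAMES and any(d in image for d in DROP_DIRS):
        hits.append("dropped_file_executed")
    return hits


def scan(events: list[dict[str, str]]) -> list[tuple[int, list[str]]]:
    """Return (index, rules) for every event that triggers at least one rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]


# Constructed records: three that match the entry, two benign look-alikes.
EVENTS = [
    {"Image": r"C:\Windows\System32\attrib.exe",
     "CommandLine": r'attrib.exe +h "C:\Users\alice\*.* " /s /d'},
    {"Image": r"C:\Windows\System32\attrib.exe",
     "CommandLine": r'attrib.exe +h "C:\*.*" /s /d'},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\InternetExplorerUpdate.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\InternetExplorerUpdate.exe"'},
    # Benign: one folder hidden, not the profile or the drive.
    {"Image": r"C:\Windows\System32\attrib.exe",
     "CommandLine": r'attrib +h "C:\Users\alice\Documents\private\*.*" /s /d'},
    # Benign: the real update client runs from System32, not from %temp%.
    {"Image": r"C:\Windows\System32\wuauclt.exe",
     "CommandLine": "wuauclt.exe /detectnow"},
]

if __name__ == "__main__":
    for index, rules in scan(EVENTS):
        print(f"event {index}: {', '.join(rules)}")
```

The same two rules translate directly into an EDR or SIEM query; the regular expression is the part to keep, since command-line quoting varies between the entry's forms and what the logging source records.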
