Trojan-Downloader.Win32.FraudLoad.wxpf
From Total Malware Info
Trojan-Downloader.Win32.FraudLoad.wxpf is a trojan program which downloads files from the Internet without the user's permission. It is a Windows application (PE-EXE file), 58,880 bytes in size, written in C++.
Installation
Right after the start, the trojan checks the following system registry keys:
[HKCU\Software\AntivirusXP] "Key"
[HKCU\Software\RealAV] "Key"
[HKLM\Software\AntivirusXP] "Key"
[HKCU\Software\AVR] "KEY"
[HKLM\Software\AVR] "KEY"
The trojan terminates itself if these keys are present. Otherwise, it performs the following actions:
- it deletes the file:
%System%\winupdate.exe
%System%\winupdate.exe
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "winupdate.exe" = "%System%\winupdate.exe"
After that, the trojan terminates its operation.
Payload
After the start, the trojan performs the following actions:
- it deletes the file:
%System%\critical_warning.html
- it extracts the file:
%System%\critical_warning.html
The file is 831 bytes. It is an HTML page which looks like the one shown in the figure:
- it creates the following system registry keys:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSetActiveDesktop" = "1"
"NoActiveDesktopChanges" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallpaper" = "1"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSetActiveDesktop" = "1"
"NoActiveDesktopChanges" = "1"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallpaper" = "1"
This disables Windows Task Manager and blocks changes to the Active Desktop and wallpaper settings.
- The trojan sets the previously extracted HTML page "%System%\critical_warning.html" as the Desktop background picture. To do this, the trojan changes the following system registry keys:
[HKCU\Software\Microsoft\Internet Explorer\Desktop\General]
"TileWallpaper" = "0"
"WallpaperStyle" = "2"
"Wallpaper" = "%System%\critical_warning.html"
"WallpaperFileTime" = "00 98 50 FC 35 A4 C6 01"
"WallpaperLocalFileTime" = "00 D0 9D 21 4F A4 C6 01"
[HKCU\Control Panel\Desktop]
"TileWallpaper" = "0"
"WallpaperStyle" = "2"
- The trojan downloads files from the following URLs:
http://downl******6.com/dfghfghgfj.dll
http://downl******6.com/cgi-bin/download.pl?code=
These files are stored in the system as:
%System%\winhelper.dll (at the moment of writing this file was detected as Trojan-Ransom.Win32.Agent.jc; its size is 22,528 bytes)
%System%\AVR09.exe (at the moment of writing this file was detected as Trojan.Win32.FraudPack.acik; its size is 1,172,480 bytes)
- The trojan launches the regsvr32.exe utility with the following parameters:
regsvr32.exe /s %System%\winhelper.dll
This executes the downloaded file %System%\winhelper.dll.
- The trojan creates a system registry key to identify its presence in the system:
[HKCU\Software] "8636065b-fef0-4255-b14f-54639f7900a4" = "8636065b-fef0-4255-b14f-54639f7900a4"
Once clicked, the default browser will load the website:
http://advancedvi*********r-2009.com/buy/?code=
- The trojan terminates the following processes in an infinite loop:
AcroRd32.exe rstrui.exe CloneCD.exe cmd.exe digitaleditions.exe freecell.exe FullTiltPoker.exe GOM.exe hrtzzm.exe Icq.exe Illustrator.exe miranda32.exe moviemk.exe mplay32.exe mplayer2.exe mshearts.exe msimn.exe msmsgs.exe mspaint.exe MSWorks.exe Nero.exe NeroExpressPortable.exe nfs.exe OIS.exe OUTLOOK.exe Photoshop.exe pinball.exe PokerStars.exe POWERPNT.exe realplay.exe RecordingManager.exe RegCloneCD.exe regedit.exe RwcRun.exe RWipeRun.exe shvlzm.exe skypePM.exe RealPlayer.exe POWERPOI.exe word.exe EXCEL.exe MsnMsgr.Exe chrome.exe GoogleEarth.exe wupdmgr.exe Skype.exe sndvol32.exe sol.exe setup_wm.exe spider.exe taskmgr.exe thebat.exe msconfig.exe uTorrent.exe vmware.exe winmine.exe WinRAR.exe WINWORD.exe control.exe notepad.exe calc.exe wmplayer.exe
The following message is shown if the user tries to run any of the listed applications:
- The trojan launches the downloaded file every 12 minutes in a separate thread:
%System%\AVR09.exe
- It also downloads files from the following link:
http://testa*****n.com/cgi-bin/get.pl?l= (at the moment of writing, this link was broken)
The downloaded files are stored in the system under random filenames:
%System%\<rnd>.exe
where <rnd> is a random decimal number. The files are launched if they are downloaded successfully.
Removal Instructions
If your computer was not protected with antivirus software, you need to perform the following actions to remove the trojan.
- Reboot your computer in Safe Mode (press and hold the F8 key at the very beginning of the reboot, then choose the "Safe Mode" option in the Windows boot menu).
- Remove the system registry keys:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "winupdate.exe" = "%System%\winupdate.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System] "DisableTaskMgr" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] "NoSetActiveDesktop" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] "NoActiveDesktopChanges" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop] "NoChangingWallpaper" = "1"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] "NoSetActiveDesktop" = "1"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] "NoActiveDesktopChanges" = "1"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop] "NoChangingWallpaper" = "1"
[HKCU\Software] "8636065b-fef0-4255-b14f-54639f7900a4" = "8636065b-fef0-4255-b14f-54639f7900a4"
- Restore the original registry keys' values as shown:
[HKCU\Software\Microsoft\Internet Explorer\Desktop\General]
"TileWallpaper" = "0"
"WallpaperStyle" = "2"
"Wallpaper" = "%System%\critical_warning.html"
"WallpaperFileTime" = "00 98 50 FC 35 A4 C6 01"
"WallpaperLocalFileTime" = "00 D0 9D 21 4F A4 C6 01"
[HKCU\Control Panel\Desktop]
"TileWallpaper" = "0"
"WallpaperStyle" = "2"
- Remove the following files:
%System%\winupdate.exe
%System%\critical_warning.html
%System%\winhelper.dll
%System%\AVR09.exe
%System%\<rnd>.exe
- Remove the trojan's original file. Its location may vary depending on how it was downloaded to your computer.
- Perform a full scan with an antivirus program.
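As an added example (not code from the original description or from any vendor tool), the following PowerShell script audits a host for the registry and file artifacts listed above and removes them only when run with -Remediate. It assumes %System% is $env:SystemRoot\System32, treats the all-digit <rnd>.exe names as report-only, and clears the wallpaper value only while it still points at the trojan's HTML page, since the page does not record the pre-infection value.

```powershell
# Added example, not part of the original description: audits a host for the registry
# and file artifacts this page lists and, with -Remediate, removes the ones the page
# says to remove. Assumes %System% = $env:SystemRoot\System32. Run elevated.
param([switch]$Remediate)
$Sys = Join-Path $env:SystemRoot 'System32'
$Findings = @()
# Registry values from the page: autorun entry, policy restrictions, presence marker.
$RegValues = @(
  @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run', 'winupdate.exe'),
  @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System', 'DisableTaskMgr'),
  @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', 'NoSetActiveDesktop'),
  @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', 'NoActiveDesktopChanges'),
  @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop', 'NoChangingWallpaper'),
  @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', 'NoSetActiveDesktop'),
  @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', 'NoActiveDesktopChanges'),
  @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop', 'NoChangingWallpaper'),
  @('HKCU:\Software', '8636065b-fef0-4255-b14f-54639f7900a4')
)
foreach ($rv in $RegValues) {
  $path, $name = $rv
  $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
  if ($null -ne $item) {
    $Findings += "registry: $path\$name = $($item.$name)"
    if ($Remediate) { Remove-ItemProperty -Path $path -Name $name -Force }
  }
}
# Wallpaper hijack. The page does not record the pre-infection wallpaper, so the
# value is only cleared while it still points at the trojan's HTML page.
$wpKey = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\General'
$wp = (Get-ItemProperty -Path $wpKey -Name Wallpaper -ErrorAction SilentlyContinue).Wallpaper
if ($wp -and $wp -like '*\critical_warning.html') {
  $Findings += "wallpaper: $wpKey\Wallpaper = $wp"
  if ($Remediate) { Set-ItemProperty -Path $wpKey -Name Wallpaper -Value '' }
}
# Dropped and downloaded files named on the page.
foreach ($n in 'winupdate.exe', 'critical_warning.html', 'winhelper.dll', 'AVR09.exe') {
  $f = Join-Path $Sys $n
  if (Test-Path $f) {
    $Findings += "file: $f ($((Get-Item $f).Length) bytes)"
    if ($Remediate) { Remove-Item $f -Force }
  }
}
# %System%\<rnd>.exe: an all-digit name in System32 is only a heuristic, so report it
# for manual review instead of deleting it.
Get-ChildItem -Path $Sys -Filter '*.exe' -ErrorAction SilentlyContinue |
  Where-Object { $_.BaseName -match '^\d+$' } |
  ForEach-Object { $Findings += "review manually: $($_.FullName)" }
if ($Findings) { $Findings } else { 'No Trojan-Downloader.Win32.FraudLoad.wxpf artifacts found.' }
```

Run it first without -Remediate to review the findings, then from Safe Mode with -Remediate as the removal steps above describe; the page's trojan original file is not covered because its location varies.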