Trojan-Dropper:W32/Hoaxer.B
Summary
This type of trojan contains one or more malicious files, which it will secretly install on the system.
Removal
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
-
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
-
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
-
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
Technical Details
This malware drops and installs multiple files in the system. The cumulative effect of the malware is to produce a fake infection warning, which aims to frighten the user into purchasing a rogue antivirus program. InstallationThe malware installs a variety of files on the system. These files are all detected as Trojan-Downloader.Win32.Hoaxer.a:
- %programfiles%\PCHealthCenter\0.exe
- %programfiles%\PCHealthCenter\1.exe
- %programfiles%\PCHealthCenter\2.exe
- %programfiles%\PCHealthCenter\3.exe
- %programfiles%\PCHealthCenter\4.exe
- %programfiles%\PCHealthCenter\5.exe
- %programfiles%\PCHealthCenter\7.exe
These files are all image files used by the sc.html file:
- %programfiles%\PCHealthCenter\0.gif
- %programfiles%\PCHealthCenter\1.gif
- %programfiles%\PCHealthCenter\2.gif
- %programfiles%\PCHealthCenter\3.gif
This file is the fake Windows Security Center warning:
- %programfiles%\PCHealthCenter\sc.html
These icons are for links to pornography sites:
- %programfiles%\PCHealthCenter\1.ico
- %programfiles%\PCHealthCenter\2.ico
In addition to icons for links, the malware also adds actual links to the megafreeporn website:
- [random number][random number]%desktop%\QUALITY PORN.url
- [random number][random number]%desktop%\BEST ZOO PORN.url
These files are essentially duplicates of files which have been previously installed:
- c:\x - same file as %programfiles%\PCHealthCenter\7.ex
- %windir%\system32\YUR[random number].exe - same file as %programfiles%\PCHealthCenter\1.exe
- [random number]%windir%\system32\YUR[random number].exe - same file as %programfiles%\PCHealthCenter\2.exe
- [random number]%windir%\system32\YUR[random number].exe - same file as %programfiles%\PCHealthCenter\3.exe
- [random number][random number]%windir%\system32\YUR[random number].exe - same file as %programfiles%\PCHealthCenter\4.exe
- [random number][random number]%windir%\system32\1.ico - same as %programfiles%\PCHealthCenter\1.ico
- [random number][random number]%windir%\system32\2.ico - same as %programfiles%\PCHealthCenter\2.ico
Finally, the malware installs a file which is detected as Fraudtool:W32/SpywarePreventer.A:
- http://first-reason.com/data/x7/[...]/0000005378.exe
Registry
The malware also makes a number of registry changes in order to display the installed files. Sample registry values would be:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \YUR1.exe = C:\Windows\system32\YUR1.exe
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \YUR1.exe = C:\Windows\system32\YUR1.exe
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \YUR2.exe = C:\Windows\system32\YUR2.exe
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \YUR2.exe = C:\Windows\system32\YUR2.exe
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \YUR3.exe = C:\Windows\system32\YUR3.exe
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \YUR3.exe = C:\Windows\system32\YUR3.exe
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \YUR4.exe = C:\Windows\system32\YUR4.exe
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \YUR4.exe = C:\Windows\system32\YUR4.exe
Execution
Upon execution, the malware will immediately display the sc.html file, which appears to be a Windows Security Center warning that the system is infected.
The user is asked if they would like to scan and remove the (supposed) threats detected, which is the recommended option. If the user clicks on the "Yes" option in the dialog box, the malware will open this link in the browser:
- http://scanner.vav-x-scanner.com/34/?advid=[...]5378&dsbndbinj&
The page opened contains the product that the malware is promoting.
File System Changes
Create these directories:
- %programfiles%\PCHealthCenter
Process Changes
Creates these processes:
- %programfiles%\PCHealthCenter\0.exe
- %programfiles%\PCHealthCenter\1.exe
- %programfiles%\PCHealthCenter\2.exe
- %programfiles%\PCHealthCenter\3.exe
- %programfiles%\PCHealthCenter\4.exe
- %programfiles%\PCHealthCenter\5.exe
- %programfiles%\PCHealthCenter\7.exe
Registry Modifications
Sets these values:
- HKCU\SOFTWARE\Microsoft\Windows VRSIN = 1221124757
- HKCU\SOFTWARE\Microsoft\Windows AIM = 0000000000005378
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \YUR.exe = C:\Windows\system32\YUR.exe
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \YUR.exe = C:\Windows\system32\YUR.exe
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \YUR.exe = C:\Windows\system32\YUR.exe
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \YUR.exe = C:\Windows\system32\YUR.exe
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \YUR.exe = C:\Windows\system32\YUR.exe
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \YUR.exe = C:\Windows\system32\YUR.exe
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \YUR.exe = C:\Windows\system32\YUR.exe
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \YUR.exe = C:\Windows\system32\YUR.exe