How to Prevent and Remove the Trojan-Downloader.Win32.FraudLoad.hcy
 

Bookmark and Share

 

1. What is the Trojan-Downloader.Win32.FraudLoad.hcy
 

Trojan-Downloader.Win32.FraudLoad.hcy, sometimes referred to as the Fraudload Trojan, is a Trojan downloader. This means that once it infects your computer, it has the ability to download additional Trojans onto your computer. Moreover, Trojan-Downloader.Win32.FraudLoad.hcy may slow your computer, steal personal information, create new desktop shortcuts, change your homepage and flood your computer with popup advertisements. Fortunately, the Trojan-Downloader.Win32.FraudLoad.hcy Trojan can be removed manually.

 

2.Technical Details:

 

a. The following files were created in the system:

# Filename(s) File Size
1 %AppData%\2927735.exe 1,137,152 bytes
2 %Programs%\Security Tool.lnk 834 bytes
3 [file and pathname of the sample #1] 14,848 bytes
4 %Windir%\Temp\_ex-08.exe 254,976 bytes
  • Notes:
    • %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
    • %Programs% is a variable that refers to the file system directory that contains the user's program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

b. Memory Modifications

    • There were new processes created in the system:
    Process Name Process Filename Main Module Size
    _ex-08.exe %Windir%\temp\_ex-08.exe 630,784 bytes
    2927735.exe %AppData%\2927735.exe 4,399,104 bytes
    2927735.exe %UserProfile%\LOCALS~1\APPLIC~1\2927735.exe 4,399,104 bytes
    • Notes:
      • %UserProfile% is a variable that specifies the current user's profile folder. By default, this is C:\Documents and Settings\[UserName] (Windows NT/2000/XP).

    c. Registry Modifications

    • The following Registry Key was created:
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • The newly created Registry Values are:
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        • sniffer = "%Windir%\Temp\_ex-08.exe"

        so that _ex-08.exe runs every time Windows starts
         
      • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
        • 2927735 = ""%AppData%\2927735.exe" 0 42 "

        so that 2927735.exe runs every time Windows starts

    d. Other details

    • There were registered attempts to establish connection with the remote hosts. The connection details are:
    Remote Host Port Number
    109.196.143.135 80
    77.78.201.25 80
    • The data identified by the following URLs was then requested from the remote web server:
      • http://109.196.143.135/outlook.exe
      • http://77.78.201.25/cb_soft.php?q=695833ef8b60a4c39750b399d0609d25

     

    3. How-to's

    a. How to prevent the  Trojan-Downloader.Win32.FraudLoad.hcy ?

    Please update the policy basic knowledge of Sax2  in time, Once  Ax3soft sax2 detects  the communication of these trojans, it will break them and  ensure your network & business security.

    b. How to Remove the Trojan-Downloader.Win32.FraudLoad.hcy Manually?

    Step 1 : Stop the following Trojan-Downloader.Win32.FraudLoad.hcy processes
    %Windir%\temp\_ex-08.exe
    %AppData%\2927735.exe
    %UserProfile%\LOCALS~1\APPLIC~1\2927735.exe
     

    Step 2 : Remove the following Trojan-Downloader.Win32.FraudLoad.hcy   registry keys:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    The newly created Registry Values are:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    sniffer = "%Windir%\Temp\_ex-08.exe"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    2927735 = ""%AppData%\2927735.exe" 0 42 "
     

    Step3: Locate and delete the following Trojan-Downloader.Win32.FraudLoad.hcy files

    %AppData%\2927735.exe
    %Programs%\Security Tool.lnk
    [file and pathname of the sample #1]
    %Windir%\Temp\_ex-08.exe

    c. How to Remove these trojans Instantly?

    Manual removal is a difficult process and it is not recommend unless you are an expert in this field. Therefore, you best defense is to download and install a reliable anti-spyware program to scan spyware on your machine. In order to detect computer threats in the easiest and fastest way possible, we advised trying the  Malwarebytes' Anti-Malware, it is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built in protection monitor that blocks malicious processes before they even start. visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

     

    4. Appendix

    For more information, please visit  http://www.ids-sax2.com/ComputerSecurityNewsletter.htm

    		•