Trojan.FakeAV
 

Bookmark and Share

1. What is the Trojan.FakeAV
 

Trojan.FakeAV is a malicious trojan horse that may represent a high security risk for the compromised system or its network environment. Trojan.FakeAV, also known as Trojan.Win32.Small.ccz, creates a startup registry entry and may display annoying fake alerts of malware payloads in order to persuade users to buy rogue antispyware products. Trojan.FakeAV contains characteristics of an identified security risk and should be removed once detected.

 

a. File System Modifications

         %CommonFavorites%\_favdata.dat

         %Temp%\eapp32hst.dll

         %Temp%\PRAGMAb224.tmp

         %Temp%\PRAGMAb253.tmp

         %Temp%\PRAGMAc84c.tmp

         %Temp%\TMP43307.tmp

         %Temp%\topwesitjh

         %Temp%\wscsvc32.exe

         %Windir%\PRAGMAsesmccxtir\PRAGMAc.dll

         %Windir%\PRAGMAsesmccxtir\PRAGMAcfg.ini

         %Windir%\PRAGMAsesmccxtir\PRAGMAd.sys

         %Windir%\PRAGMAsesmccxtir\PRAGMAsrcr.dat

 

  • Notes:
    • %CommonFavorites% is a variable that refers to the file system directory that serves as a common repository for all users' favorite items. A typical path is C:\Documents and Settings\All Users\Favorites (Windows NT/2000/XP).
    • %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
  • The following directory was created:
    • %Windir%\PRAGMAsesmccxtir

.

b. Memory Modifications

       There were new processes created in the system:

Process Name Process Filename Main Module Size
wscsvc32.exe %Temp%\wscsvc32.exe 314,368 bytes

c. Registry Modifications

  •  The following Registry Key was created:
     
    • HKEY_LOCAL_MACHINE\SOFTWARE\Program Groups
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMASESMCCXTIR
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMASESMCCXTIR\0000
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMASESMCCXTIR\0000\Control
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMASESMCCXTIR
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMASESMCCXTIR\0000
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMASESMCCXTIR\0000\Control
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\feature_enable_ie_compression
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA
    • HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA\versions
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PRAGMAsesmccxtir
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PRAGMAsesmccxtir\modules
  • The newly created Registry Values are:
     
    • [HKEY_LOCAL_MACHINE\SOFTWARE]
      • f7c5da73-b4a5-4947-8f40-08f2871eb36b = ""
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
      • DisableTaskMgr = 0x00000001
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Program Groups]
      • ConvertedToLinks = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMASESMCCXTIR\0000\Control]
      • *NewlyCreated* = 0x00000000
      • ActiveService = "PRAGMAsesmccxtir"
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMASESMCCXTIR\0000]
      • Service = "PRAGMAsesmccxtir"
      • Legacy = 0x00000001
      • ConfigFlags = 0x00000000
      • Class = "LegacyDriver"
      • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
      • DeviceDesc = "PRAGMAsesmccxtir"
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMASESMCCXTIR]
      • NextInstance = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMASESMCCXTIR\0000\Control]
      • *NewlyCreated* = 0x00000000
      • ActiveService = "PRAGMAsesmccxtir"
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMASESMCCXTIR\0000]
      • Service = "PRAGMAsesmccxtir"
      • Legacy = 0x00000001
      • ConfigFlags = 0x00000000
      • Class = "LegacyDriver"
      • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
      • DeviceDesc = "PRAGMAsesmccxtir"
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMASESMCCXTIR]
      • NextInstance = 0x00000001
    • [HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\feature_enable_ie_compression]
      • svchost.exe = 0x00000001
    • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
      • ProxyEnable = 0x00000000
    • [HKEY_CURRENT_USER\Printers\Connections]
      • affid = "396"
      • subid = "landing"
    • [HKEY_CURRENT_USER\Software]
      • 24d1ca9a-a864-4f7b-86fe-495eb56529d8 = ""
      • 7bde84a2-f58f-46ec-9eac-f1f90fead080 = ""
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
      • DisableTaskMgr = 0x00000001

      to prevent users from starting Task Manager (Taskmgr.exe)
       
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      • dfrgsnapnt.exe = "%Temp%\dfrgsnapnt.exe"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA]
      • affid = "5"
      • type = "no"
      • build = "no"
      • subid = "direct"
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PRAGMAsesmccxtir\modules]
      • PRAGMAd = "\systemroot\PRAGMAsesmccxtir\PRAGMAd.sys"
      • PRAGMAc = "\systemroot\PRAGMAsesmccxtir\PRAGMAc.dll"
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PRAGMAsesmccxtir]
      • start = 0x00000001
      • type = 0x00000001
      • imagepath = "\systemroot\PRAGMAsesmccxtir\PRAGMAd.sys"
  •  The following Registry Value was deleted:
     
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
      • (Default) =
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
      • (Default) =
    • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
      • Cache =

d. Other details

  • There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host Port Number
91.212.127.86 80
91.212.127.96 80

  • The data identified by the following URL was then requested from the remote web server:

    • http://mediafulluns.com/any3/5-direct.ex
    • http://www.searchaverage.org/a/ad
    • http://searchaverage.org/readdatagateway.php?type=stats&affid=396&subid=landing&version=4.0&adwareok

 

2. How-to's

a. Please update the policy basic knowledge of Sax2  in time, Once  sax2 detects  the communication of these trojans, it will break them and  ensure your network & business security.

b. How to Remove the Trojan.FakeAV  Manually?

Step 1 : The associated files of Trojan.FakeAV  to be deleted are listed below:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*]


Step 2 : The registry entries of Trojan.FakeAV that need to be removed are listed as follows:
 

File Name File Size MD5
CLADD 2560 e229a2fa3acd3f307ede63b89db833a4
WI3e94.exe 1943552 02fed38ea8975716f5f8f2595f905010
ddexpshare.exe 790528 8b4840953e5511d0a08ee67ff0034e2c
services.exe 47616 da9976cd71469bbcf0f87ec40e2ce798

 

c. How to Remove these trojans Instantly?

Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built in protection monitor that blocks malicious processes before they even start. visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

 

3. Appendix

For more information, please visit  http://www.ids-sax2.com/ComputerSecurityNewsletter.htm