How to Prevent and Remove the Trojan.Win32.FraudPack.clsl


1. What is the Trojan.Win32.FraudPack.clsl

Trojan.Win32.FraudPack.clsl is a malicious backdoor Trojan that runs in the background. It disables the firewall and attempts to steal sensitive financial data such as credit card numbers and online banking login details. It creates a startup registry entry that loads as soon as Windows boots. Trojan.Win32.FraudPack.clsl represents a severe security risk for the compromised system and should be removed immediately.

a. The following files were created in the system:

#    Filename(s)                                               File Size
1    %DesktopDir%\HDD Diagnostic.lnk                           789 bytes
2    %Temp%\1283E8.tmp                                         225,344 bytes
     %Temp%\2133E8.tmp
3    %Temp%\1350587651.bin                                     28 bytes
4    %Temp%\990f05                                             336 bytes
5    %Temp%\990f05.exe                                         357,376 bytes
6    %Temp%\qjJBmVceOb.exe                                     446,464 bytes
     %Temp%\tmp2.tmp
7    %Temp%\tmp3.tmp                                           362,016 bytes
     %Temp%\tmp6.tmp
8    %Temp%\vDJiclykQY.dll                                     396,800 bytes
9    %Programs%\HDD Diagnostic\HDD Diagnostic.lnk              801 bytes
10   %Programs%\HDD Diagnostic\Uninstall HDD Diagnostic.lnk    873 bytes
11   %System%\drivers\sst5.sys                                 53,248 bytes
12   %System%\drivers\sst5.tmp                                 0 bytes
     %System%\drivers\sst8.tmp
13   %System%\drivers\sst8.sys                                 82,944 bytes
14   %System%\spool\prtprocs\w32x86\1284.tmp                   118,784 bytes
     %System%\spool\prtprocs\w32x86\2137.tmp
  • Notes:
    • %DesktopDir% is a variable that refers to the file system directory used to physically store file objects on the desktop. A typical path is C:\Documents and Settings\[UserName]\Desktop.
    • %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
    • %Programs% is a variable that refers to the file system directory that contains the user's program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
  • The following directory was created:
    • %Programs%\HDD Diagnostic

b. Memory Modifications

  • There were new processes created in the system:

    Process Name                  Process Filename
    qjJBmVceOb.exe                %Temp%\qjjbmvceob.exe
    990f05.exe                    %Temp%\990f05.exe
    [filename of the sample #1]   [file and pathname of the sample #1]

  • There were new memory pages created in the address space of the system process(es):

    Process Name   Process Filename
    spoolsv.exe    %System%\spoolsv.exe
    spoolsv.exe    %System%\spoolsv.exe

  • The following modules were loaded into the address space of other process(es):

    Module Name   Module Filename                            Address Space Details
    1284.tmp      %System%\spool\PRTPROCS\W32X86\1284.tmp    Process name: spoolsv.exe
                                                             Process filename: %System%\spoolsv.exe
                                                             Address space: 0xEB0000 - 0xECD000
    2137.tmp      %System%\spool\PRTPROCS\W32X86\2137.tmp    Process name: spoolsv.exe
                                                             Process filename: %System%\spoolsv.exe
                                                             Address space: 0xF50000 - 0xF6D000

c. Registry Modifications

  • The following Registry Keys were created:

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SST5
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SST5\0000
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SST5\0000\Control
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sst5
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sst5\Enum
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sst8
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sst8\Enum
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SST5
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SST5\0000
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SST5\0000\Control
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sst5
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sst5\Enum
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sst8
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sst8\Enum
  • The newly created Registry Values are:

    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SST5\0000\Control]
      • *NewlyCreated* = 0x00000000
      • ActiveService = "sst5"
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SST5\0000]
      • Service = "sst5"
      • Legacy = 0x00000001
      • ConfigFlags = 0x00000000
      • Class = "LegacyDriver"
      • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
      • DeviceDesc = "sst5"
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SST5]
      • NextInstance = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sst5\Enum]
      • 0 = "Root\LEGACY_SST5\0000"
      • Count = 0x00000001
      • NextInstance = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sst5]
      • imagepath = "\??\globalroot%System%\drivers\sst5.sys"
      • type = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sst8\Enum]
      • Count = 0x00000000
      • NextInstance = 0x00000000
      • INITSTARTFAILED = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sst8]
      • imagepath = "\??\globalroot%System%\drivers\sst8.sys"
      • type = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SST5\0000\Control]
      • *NewlyCreated* = 0x00000000
      • ActiveService = "sst5"
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SST5\0000]
      • Service = "sst5"
      • Legacy = 0x00000001
      • ConfigFlags = 0x00000000
      • Class = "LegacyDriver"
      • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
      • DeviceDesc = "sst5"
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SST5]
      • NextInstance = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sst5\Enum]
      • 0 = "Root\LEGACY_SST5\0000"
      • Count = 0x00000001
      • NextInstance = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sst5]
      • imagepath = "\??\globalroot%System%\drivers\sst5.sys"
      • type = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sst8\Enum]
      • Count = 0x00000000
      • NextInstance = 0x00000000
      • INITSTARTFAILED = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sst8]
      • imagepath = "\??\globalroot%System%\drivers\sst8.sys"
      • type = 0x00000001
    • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
      • ProxyEnable = 0x00000000
    • [HKEY_CURRENT_USER\Software]
      • 12B79064-EB17-4f82-9DFE-B975BD26D1DC = ""
    • [HKEY_CURRENT_USER\Software\Microsoft]
      • BootData = 43 00 3A 00 5C 00 44 00 4F 00 43 00 55 00 4D 00 45 00 7E 00 31 00 5C 00 55 00 73 00 65 00 72 00 4E 00 61 00 6D 00 65 00 5C 00 4C 00 4F 00 43 00 41 00 4C 00 53 00 7E 00 31 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 31 00 30 00 36 00 36 00 38 00 37 00 2E 0
    • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
      • TabProcGrowth = 0x00000001
      • Use FormSuggest = "Yes"
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
      • WarnOnZoneCrossing = 0x00000000
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      • qjJBmVceOb.exe = "%Temp%\qjJBmVceOb.exe"
      • 990f05 = "%Temp%\990f05.exe"

      These two values make qjJBmVceOb.exe and 990f05.exe run every time Windows starts.

  • The following Registry Values were modified:

    • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
      • Cookies =
      • Cache =
      • History =
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
      • 1601 =

d. Other details

  • An attempt to establish a connection with several remote hosts was registered; every connection went to port 80 (HTTP).

  • Data was then requested from those remote web servers. The request URLs carry affiliate and sub-affiliate identifiers (affid, subid), report installation statistics back to the servers, and fetch additional executables.


 

2. How-to's

a. Keep the Sax2 policy knowledge base up to date. Once Sax2 detects the communication of these trojans, it will break the connection and protect your network and business.

b. How to Remove Trojan.Win32.FraudPack.clsl Manually?

Step 1 : Use Windows Task Manager to end the Trojan.Win32.FraudPack.clsl processes:

qjJBmVceOb.exe
990f05.exe

Step 2 : Remove the registry entries added by Trojan.Win32.FraudPack.clsl. If programs on your PC start to run abnormally, check the Registry immediately and directly delete every key and value listed under 1.c above: the sst5 and sst8 service keys and the Enum\Root\LEGACY_SST5 entries in both ControlSet001 and CurrentControlSet, the two Run values (qjJBmVceOb.exe and 990f05) under HKEY_CURRENT_USER, the GUID-named marker under HKEY_CURRENT_USER\Software, the BootData value under HKEY_CURRENT_USER\Software\Microsoft, and the Internet Explorer settings values. Note that sst5 and sst8 are kernel driver services (type = 0x00000001); deleting their keys and driver files is more reliable from Safe Mode, where those drivers are not loaded.

Step 3 : Clean up the Internet Explorer temporary files folder, where the original carrier of the threat may still be stored. The malicious files generated by Trojan.Win32.FraudPack.clsl are the ones listed in the file table under 1.a above: the HDD Diagnostic shortcuts in %DesktopDir% and %Programs%\HDD Diagnostic, the dropped executables, DLL and .tmp/.bin files in %Temp%, the sst5/sst8 driver files in %System%\drivers, and the two .tmp print processor modules in %System%\spool\prtprocs\w32x86. Delete all of them, together with the %Programs%\HDD Diagnostic directory.
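As an added example (not part of the original page), the following PowerShell triage script checks a host for the artefacts this report lists, covering the three manual steps above: the running processes, the Run values, the sst5/sst8 driver services and LEGACY_SST5 entry, the GUID-named marker under HKCU\Software, and the dropped files with stable names. It only reads and reports; nothing is deleted. It assumes PowerShell 3 or later run as Administrator, and maps the report's %Temp%, %System%, %DesktopDir% and %Programs% variables to their modern Windows equivalents ($env:TEMP, System32, the user's Desktop and $env:APPDATA\Microsoft\Windows\Start Menu\Programs), which is an assumption about the host.

```powershell
# Added triage script, not from the original page. Read-only: it reports which of
# the artefacts listed above are present and deletes nothing.
# Assumes PowerShell 3+ as Administrator; the Start Menu path is the modern
# Windows equivalent of the %Programs% variable used in the report.
$procNames = @('qjJBmVceOb', '990f05')          # process names without .exe
$runNames  = @('qjJBmVceOb.exe', '990f05')       # value names under HKCU\...\Run
$services  = @('sst5', 'sst8')                   # kernel driver services
$marker    = '12B79064-EB17-4f82-9DFE-B975BD26D1DC'
$files     = @(
    "$env:TEMP\qjJBmVceOb.exe", "$env:TEMP\990f05.exe", "$env:TEMP\990f05",
    "$env:TEMP\vDJiclykQY.dll", "$env:TEMP\1350587651.bin",
    "$env:SystemRoot\System32\drivers\sst5.sys", "$env:SystemRoot\System32\drivers\sst8.sys",
    "$env:SystemRoot\System32\spool\prtprocs\w32x86\1284.tmp",
    "$env:SystemRoot\System32\spool\prtprocs\w32x86\2137.tmp",
    "$env:USERPROFILE\Desktop\HDD Diagnostic.lnk",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\HDD Diagnostic"
)
$findings = New-Object System.Collections.Generic.List[string]

# 1. Running copies of the dropped executables (Step 1)
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $procNames -contains $_.ProcessName } |
    ForEach-Object { $findings.Add("Process: $($_.ProcessName) PID $($_.Id) $($_.Path)") }

# 2. Persistence: the two Run values written under HKEY_CURRENT_USER (Step 2)
$run = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
foreach ($n in $runNames) {
    if ($run -and $run.PSObject.Properties[$n]) { $findings.Add("Run value: $n = $($run.$n)") }
}

# 3. Driver services sst5/sst8 and the LEGACY_SST5 Enum entry (Step 2)
foreach ($s in $services) {
    $svc = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$s" -ErrorAction SilentlyContinue
    if ($svc) { $findings.Add("Driver service: $s ImagePath=$($svc.ImagePath) Type=$($svc.Type)") }
}
if (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SST5') {
    $findings.Add('Enum entry: Root\LEGACY_SST5')
}

# 4. The GUID-named marker value the sample writes under HKCU\Software (Step 2)
$sw = Get-ItemProperty 'HKCU:\Software' -ErrorAction SilentlyContinue
if ($sw -and $sw.PSObject.Properties[$marker]) { $findings.Add("Marker value: HKCU\Software\$marker") }

# 5. Dropped files with stable names; the generic *.tmp files from the table are omitted (Step 3)
foreach ($f in $files) { if (Test-Path -LiteralPath $f) { $findings.Add("File: $f") } }

if ($findings.Count -eq 0) { 'No Trojan.Win32.FraudPack.clsl artefacts found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A hit on the sst5/sst8 service keys or driver files means Step 2 should be done from Safe Mode, since those are kernel drivers that may be loaded on a normal boot.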

 

c. How to Remove these trojans Instantly?

Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

 

3. Appendix

For more information, please visit  http://www.ids-sax2.com/ComputerSecurityNewsletter.htm