夲號ヱ被ジ盜 - 2008-12-26 12:50:00
Downloader.Win32.Agent.bs
http://www.ca.com/cn/securityadvisor/virusinfo/virus.aspx?id=74719
病毒详细信息
Win32/FakeAV.JW 发布日期:
2008/11/5
上次更新时间:
2008/11/5
威胁评估 总体风险: 低
猖獗程度: 低
破坏程度: 中
普遍程度: 无
特征 类型 : Trojan
类别 : Win32
其他名称: Downloader.Win32.Agent.bs (Kaspersky), TrojanDownloader:Win32/FakeRean (MS OneCare)
即时保护信息
描述
感染方式
有效负载
其他信息
描述 Win32/FakeAV.JW is a trojan that disguises itself as a legitimate anti-virus program and displays various popup messages warning of fake infections. It may also download additional malware to the compromised system. 返回顶部
感染方式 When executed, Win32/FakeAV.JW informs the user that it is downloading "XP Antivirus 2009":
It downloads the following files from the URL www.xpantispyware-2009.com:
Binaries1.cab
Binaries2.cab
Binaries3.cab
It extracts and executes the downloaded files, then creates the following directory containing the malware files:
%Program Files%\XP_AntiSpyware
Note: %Program Files% is a variable location. The malware determines the location of the current Program Files folder by querying the operating system. A typical location for this folder would be C:\Program Files.
It also creates the following files as part of its installation:
%Windows%\wiadebug.log
%Windows%\wiaservc.log
%Documents and Settings%\<username >\Start Menu\Programs\XP_AntiSpyware\Uninstall.lnk
%Documents and Settings%\<username>\Start Menu\Programs\XP_AntiSpyware\XP_AntiSpyware.lnk
Note: %Windows% and %Documents and Settings% are variable locations. The malware determines the locations of these folders by querying the operating system. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME is C:\Windows; and for XP and Vista is C:\Windows. A typical location for Documents and Settings is C:\Documents and Settings.
The trojan adds the registry entry below to automatically execute itself on system start:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XP Antispyware 2009 = "%Program Files%\XP_AntiSpyware\XP_AntiSpyware.exe" /hide"
It also adds the following registry entries:
HKCU\Control Panel\don't load\scui.cpl = "No"
HKCU\Control Panel\don't load\wscui.cpl = "No"
HKLM\SOFTWARE\XP_Antispyware
HKLM\SOFTWARE\XP_Antispyware\info = "<date of infection >"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XP_AntiSpyware
Additionally, the trojan displays the user interface for "XP Antivirus 2009", where it pretends to scan the system while reporting numerous 'infections':
返回顶部
有效负载 Disables Security NotificationsWin32/FakeAV.JW disables the Windows Firewall, updates, and antivirus reports by modifying the registry entries below:
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify = dword:00000001
Displays False WarningsWin32/FakeAV.JW displays a fake Windows Security Center:
as well as warnings about fake infections:
It also displays popup messages in the taskbar that inform the user of false infections:
Downloads and Executes Arbitrary FilesWin32/FakeAV.JW attempts to access the following websites to report its activities and to download additional rogue software:
domake-progress.com
do-managedscan.com
domanaged-scan.com
do-fixed-progress
do-monster-scan.com
xp-as-2009.com
xpas2009.com
xpantispyware-2009.com
xp-antispyware-2009.com
xp-antispyware2009.com
xpas-2009.com
xp-as2009.com
返回顶部
其他信息 Below is a screenshot of the website that attempts to entice users to download the trojan. Product certifications displayed in the website are fake and designed to scam unsuspecting users:
The following are additional images of Win32/FakeAV.JW running on an affected system:
Analysis by Zarestel Ferrer
http://www.ca.com/cn/securityadvisor/virusinfo/virus.aspx?id=74719
病毒详细信息
Win32/FakeAV.JW 发布日期:
2008/11/5
上次更新时间:
2008/11/5
威胁评估 总体风险: 低
猖獗程度: 低
破坏程度: 中
普遍程度: 无
特征 类型 : Trojan
类别 : Win32
其他名称: Downloader.Win32.Agent.bs (Kaspersky), TrojanDownloader:Win32/FakeRean (MS OneCare)
即时保护信息
| 特征码 | 产品 | 删除指导 |
| 31.6.6140 | CA Antivirus 2007 | 查看 |
| 31.6.6140 | eTrust Antivirus v7/8* | 查看 |
| 7.x/6140 | eTrust EZ Antivirus 7.x | 查看 |
| 31.6.6140 | Vet 7 | 查看 |
| 工具 |  下载特征码文件  扫描病毒 |  提交病毒样本 |
描述
感染方式
有效负载
其他信息
描述 Win32/FakeAV.JW is a trojan that disguises itself as a legitimate anti-virus program and displays various popup messages warning of fake infections. It may also download additional malware to the compromised system. 返回顶部
感染方式 When executed, Win32/FakeAV.JW informs the user that it is downloading "XP Antivirus 2009":
It downloads the following files from the URL www.xpantispyware-2009.com:
Binaries1.cab
Binaries2.cab
Binaries3.cab
It extracts and executes the downloaded files, then creates the following directory containing the malware files:
%Program Files%\XP_AntiSpyware
Note: %Program Files% is a variable location. The malware determines the location of the current Program Files folder by querying the operating system. A typical location for this folder would be C:\Program Files.
It also creates the following files as part of its installation:
%Windows%\wiadebug.log
%Windows%\wiaservc.log
%Documents and Settings%\<username >\Start Menu\Programs\XP_AntiSpyware\Uninstall.lnk
%Documents and Settings%\<username>\Start Menu\Programs\XP_AntiSpyware\XP_AntiSpyware.lnk
Note: %Windows% and %Documents and Settings% are variable locations. The malware determines the locations of these folders by querying the operating system. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME is C:\Windows; and for XP and Vista is C:\Windows. A typical location for Documents and Settings is C:\Documents and Settings.
The trojan adds the registry entry below to automatically execute itself on system start:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XP Antispyware 2009 = "%Program Files%\XP_AntiSpyware\XP_AntiSpyware.exe" /hide"
It also adds the following registry entries:
HKCU\Control Panel\don't load\scui.cpl = "No"
HKCU\Control Panel\don't load\wscui.cpl = "No"
HKLM\SOFTWARE\XP_Antispyware
HKLM\SOFTWARE\XP_Antispyware\info = "<date of infection >"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XP_AntiSpyware
Additionally, the trojan displays the user interface for "XP Antivirus 2009", where it pretends to scan the system while reporting numerous 'infections':
返回顶部
有效负载 Disables Security NotificationsWin32/FakeAV.JW disables the Windows Firewall, updates, and antivirus reports by modifying the registry entries below:
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify = dword:00000001
Displays False WarningsWin32/FakeAV.JW displays a fake Windows Security Center:
as well as warnings about fake infections:
It also displays popup messages in the taskbar that inform the user of false infections:
Privacy alert!
Your system was found to be infected with intercepting programs. These can log your activity and damage your privacy. Click here for XP Antispyware 2009 spyware removal.
------------------------------------------------------------
Trojan detected!
A piece of malicious code was found in your system which can replicate itself if no action is taken. Click here to have your system cleaned by XP Antispyware 2009.
------------------------------------------------------------
Spyware alarm!
Our scan has reported that pieces of malicious spyware code are present on your hard drive. To get rid of security threats, click here for a XP Antispyware 2009 scan.
------------------------------------------------------------
Privacy is at risk!
Attention, keylogging and intercepting scripts were detected. Your private data may be disclosed to third parties. Click here and XP Antispyware 2009 will remove the infection.
Downloads and Executes Arbitrary FilesWin32/FakeAV.JW attempts to access the following websites to report its activities and to download additional rogue software:
domake-progress.com
do-managedscan.com
domanaged-scan.com
do-fixed-progress
do-monster-scan.com
xp-as-2009.com
xpas2009.com
xpantispyware-2009.com
xp-antispyware-2009.com
xp-antispyware2009.com
xpas-2009.com
xp-as2009.com
返回顶部
其他信息 Below is a screenshot of the website that attempts to entice users to download the trojan. Product certifications displayed in the website are fake and designed to scam unsuspecting users:
The following are additional images of Win32/FakeAV.JW running on an affected system:
Analysis by Zarestel Ferrer