[INFO]
AnalystName=Andrei Brasoveanu
AnalystEMailID=brasoveanua@comodo.com
Team=Romania
Date=30-JUN-2010
Type=TrojWare
Platform=Win32
SubType=
Family=Antavmu
Variant=

[OVERVIEW]
This is a trojan whose main purpose is to disable anti-malware software, firewalls and other security applications so that it can download and execute further malicious files under remote control.

[TECHNICAL_DESCRIPTION]
The trojan first checks whether an anti-malware product is installed on the system. If one is found, it attempts to cripple it. Because most products cannot be terminated directly, it typically overwrites the Windows hosts file (%SystemRoot%\system32\drivers\etc\hosts) and adds entries that map the vendors' update servers to the loopback address 127.0.0.1, so that update requests never leave the machine and the product's signatures go stale.

It registers an executable with a pseudo-legitimate name ("winlogon.exe", "svc.exe", "svchosts.exe", "explorer.exe") in the start-up list so that the trojan runs every time the computer starts. The file is usually placed either in %SystemRoot%\System32 or in a sub-directory of %AppData% or %Temp% under the user profile; in the sample analysed here it is dropped as %SystemRoot%\Driver Cache\explorer.exe, a directory in which the real Explorer never lives. It can also disable the Windows Firewall, its Exceptions and its Notifications, and it whitelists its own copy of explorer.exe in both the Domain and Standard firewall profiles. The sample additionally installs itself as an auto-start service named "Felav", displayed as "DirectX Service", running as LocalSystem.

Registry keys added:
HKLM\SYSTEM\CurrentControlSet\Services\Felav

Registry values added:
HKLM\SOFTWARE\Microsoft\Felav\zaki: "¥—wQ­’Z‰"
HKLM\SOFTWARE\Microsoft\Felav\vylid: "“|r¾­g ~¶eĞ®×}”¦›®º¦…·²¸ä§Èœ‡}œ"
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\WINDOWS\Driver Cache\explorer.exe: "C:\WINDOWS\Driver Cache\explorer.exe:*:Enabled:Explorer"
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\Driver Cache\explorer.exe: "C:\WINDOWS\Driver Cache\explorer.exe:*:Enabled:Explorer"
HKLM\SYSTEM\ControlSet001\Services\Felav\Security\Security (binary security descriptor): 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\ControlSet001\Services\Felav\Type: 0x00000010 (SERVICE_WIN32_OWN_PROCESS)
HKLM\SYSTEM\ControlSet001\Services\Felav\Start: 0x00000002 (SERVICE_AUTO_START)
HKLM\SYSTEM\ControlSet001\Services\Felav\ErrorControl: 0x00000000 (SERVICE_ERROR_IGNORE)
HKLM\SYSTEM\ControlSet001\Services\Felav\ImagePath: "%UserProfile%\Desktop\8ec12fa04cbf501c414520e709373389d70b1596.exe" (the location from which the analysed sample was launched)
HKLM\SYSTEM\ControlSet001\Services\Felav\DisplayName: "DirectX Service"
HKLM\SYSTEM\ControlSet001\Services\Felav\ObjectName: "LocalSystem"
HKLM\SYSTEM\ControlSet001\Services\Felav\Description: "Improve the performance of games and multimedia programs"

Files added:
%SystemRoot%\Driver Cache\explorer.exe

[SYMPTOMS]
-

[DISINFECTION]
Remove explorer.exe from %SystemRoot%\Driver Cache, delete the Felav service entry ("DirectX Service") and the firewall whitelist entries listed above, and restore the hosts file. Install COMODO Internet Security and scan with COMODO AntiVirus to remove these threats.
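As an added example (not part of Comodo's report or analysis tooling), the Python script below checks for the two host-based indicators described above: hosts-file entries that point security vendors' update servers at a loopback or blackhole address, and Windows XP FirewallPolicy AuthorizedApplications values (the "path:*:Enabled:name" format listed in the registry section) that whitelist a system-binary lookalike outside its real directory. The vendor-domain list, the expected-directory map and the sample inputs are constructed assumptions, not data from the report.

```python
"""
Triage helpers for the two Antavmu indicators described in the report: a
hosts-file hijack that maps security vendors' update hosts to loopback, and
Windows Firewall AuthorizedApplications entries that whitelist a system-binary
lookalike outside its real directory.  Added example, not Comodo's analysis
tooling; the vendor-domain list and the sample inputs below are constructed.
"""

# Constructed list of update-host suffixes to watch (assumption: a real
# deployment would carry the full list of vendors it cares about).
SECURITY_UPDATE_SUFFIXES = (
    "comodo.com",
    "symantec.com",
    "mcafee.com",
    "kaspersky.com",
    "windowsupdate.com",
)

# Addresses that silently blackhole a lookup: loopback and the unspecified address.
BLACKHOLE_IPS = {"127.0.0.1", "::1", "0.0.0.0"}

# Windows XP layout, which is what the report's paths reflect (assumption).
EXPECTED_DIR = {
    "explorer.exe": r"c:\windows",
    "winlogon.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
}
LOOKALIKE_NAMES = {"svchosts.exe", "svc.exe"}   # names from the report, never legitimate


def find_hosts_hijacks(hosts_text):
    """Return (ip, hostname) pairs that point a security-vendor host at a blackhole IP.

    Hosts-file syntax: 'ip  name [name ...]', '#' starts a comment.  The real
    file lives at %SystemRoot%\\system32\\drivers\\etc\\hosts.
    """
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if ip not in BLACKHOLE_IPS:
            continue
        for name in names:
            n = name.lower().rstrip(".")
            if n == "localhost":
                continue  # the one loopback entry that belongs there
            if any(n == s or n.endswith("." + s) for s in SECURITY_UPDATE_SUFFIXES):
                hits.append((ip, n))
    return hits


def parse_authorized_app(value):
    """Split an XP FirewallPolicy entry 'path:scope:mode:name' into a dict.

    Splitting from the right keeps the drive-letter colon inside the path.
    """
    path, scope, mode, name = value.rsplit(":", 3)
    return {"path": path, "scope": scope, "mode": mode, "name": name}


def suspicious_authorized_apps(values):
    """Return parsed entries whose file name is a known lookalike, or mimics a
    system binary while living outside that binary's real directory."""
    findings = []
    for value in values:
        entry = parse_authorized_app(value)
        directory, _, fname = entry["path"].lower().rpartition("\\")
        expected = EXPECTED_DIR.get(fname)
        if fname in LOOKALIKE_NAMES or (expected is not None and directory != expected):
            findings.append(entry)
    return findings


# --- constructed sample inputs -------------------------------------------------
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.comodo.com          # injected entries
127.0.0.1       liveupdate.symantec.com
0.0.0.0         download.windowsupdate.com
192.168.1.10    intranet.example            # unrelated, must not be flagged
"""

SAMPLE_FIREWALL_VALUES = [
    r"C:\WINDOWS\Driver Cache\explorer.exe:*:Enabled:Explorer",   # value from the report
    r"C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer",        # constructed, benign
    r"C:\WINDOWS\system32\svchosts.exe:*:Enabled:svchost",        # constructed lookalike
]

if __name__ == "__main__":
    for ip, host in find_hosts_hijacks(SAMPLE_HOSTS):
        print(f"hosts hijack: {host} -> {ip}")
    for entry in suspicious_authorized_apps(SAMPLE_FIREWALL_VALUES):
        print(f"firewall whitelist for suspicious binary: {entry['path']} ({entry['name']})")
```

On a live system, feed `find_hosts_hijacks` the contents of %SystemRoot%\system32\drivers\etc\hosts and `suspicious_authorized_apps` the value data exported from both the DomainProfile and StandardProfile AuthorizedApplications\List keys; a legitimate explorer.exe whitelist entry in %SystemRoot% is left alone, while the Driver Cache copy and the svchosts.exe lookalike are reported.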