[INFO]
AnalystName=RAJA BABU .A
AnalystEMailID=rajababua@comodo.com
Team=India
Date=12-JAN-2010
Type=TrojWare
Platform=Win32
SubType=Downloader
Family=FraudLoad
Variant=

[OVERVIEW]
This Trojan program is a downloader. Once it gets onto a computer it modifies the antivirus and Windows Firewall notification values in the registry so that Windows no longer warns that protection is off, then displays false security notifications on the desktop. If the user clicks one of these notifications, it downloads and installs a rogue antivirus, antispyware, registry cleaner or other malware from a remote server without the user's permission.

[TECHNICAL_DESCRIPTION]
Registry keys added:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemSecurity2009
HKEY_LOCAL_MACHINE\SOFTWARE\*Random number*

Registry values added:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*Random number*: "%All Users%\%Application Data%\*Random number*\*Random number*.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemSecurity2009\DisplayName: "SystemSecurity2009"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemSecurity2009\ShortcutPath: "%Start Menu%\Programs\System Security\\System Security"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemSecurity2009\UninstallString: "%Start Menu%\Programs\System Security\\System Security"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemSecurity2009\DisplayIcon: "%All Users%\Application Data\*Random number*\*Random number*,0"
HKEY_LOCAL_MACHINE\SOFTWARE\*Random number*\pc1*Random number*ins: 0x00000001

Files added:
%All Users%\%Application Data%\*Random number*\*Random number*.exe
%All Users%\%Application Data%\*Random number*\*Random number*.glu
%All Users%\%Application Data%\*Random number*\pc*Random number*cnf
%All Users%\%Application Data%\*Random number*\pc*Random number*ins

Shortcuts created:
%Desktop%\System Security 2009.lnk
%Start Menu%\Programs\System Security\System Security

Mutex objects created:
AV32$INC
AV32$ADW

[SYMPTOMS]
Displays fake alerts to entice the user into buying a product to "repair" malware problems. It then launches the System Security rogue, which shows fake malware scan reports and pops up a registration panel asking the user to activate antivirus protection.

[DISINFECTION]
Delete the registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*Random number*
Delete the following folder and the files in it:
%All Users%\%Application Data%\*Random number*\
Also remove the remaining artifacts listed under [TECHNICAL_DESCRIPTION]: the Uninstall\SystemSecurity2009 key, the HKEY_LOCAL_MACHINE\SOFTWARE\*Random number* key, and the desktop and Start Menu shortcuts.
Disable System Restore (Windows Me/XP) so that infected restore points are purged, and re-enable it once disinfection is complete.

Disable System Restore under Windows Me:
Point to Start, Settings, and Control Panel. Double-click 'System', then click on the 'Performance' tab. Click 'File System', then click the 'Troubleshooting' tab. Select 'Disable System Restore' and click 'Apply'. Restart your system.

Disable System Restore under Windows XP:
Point to Start, Control Panel, Performance and Maintenance. Double-click 'System', then select the 'System Restore' tab. Select the 'Turn off System Restore on all drives' box. Click 'Apply'. Click 'Yes'. Restart your system.
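The indicators above can be checked mechanically against a registry export rather than by eye. The script below is an added example, not part of the Comodo report or of any Comodo tool: it parses the text that `reg export` writes (a `.reg` file), flags the Run value, Uninstall key and HKLM\SOFTWARE\*Random number* key described in [TECHNICAL_DESCRIPTION], and turns the findings into the deletion steps from [DISINFECTION]. The report only says "*Random number*", so treating it as a run of decimal digits is an assumption of this example; the `.reg` sample embedded below is constructed, and the number 2748163 in it is invented for illustration.

```python
import re

# Indicators taken from the report above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
UNINSTALL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                 r"\Uninstall\SystemSecurity2009")
KNOWN_MUTEXES = {"AV32$INC", "AV32$ADW"}

# "<All Users>\Application Data\<n>\<n>.exe" where both <n> are the same
# random number. ASSUMPTION: the random number is a run of decimal digits.
PAYLOAD_RE = re.compile(r"(?i)\\Application Data\\(?P<dir>\d+)\\(?P=dir)\.exe$")
CONFIG_KEY_RE = re.compile(r"(?i)HKEY_LOCAL_MACHINE\\SOFTWARE\\(\d+)")
CONFIG_VALUE_RE = re.compile(r"pc\d+ins")

# Constructed sample of a reg.exe export; not captured from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"2748163"="C:\\Documents and Settings\\All Users\\Application Data\\2748163\\2748163.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemSecurity2009]
"DisplayName"="SystemSecurity2009"
"UninstallString"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\System Security\\System Security"

[HKEY_LOCAL_MACHINE\SOFTWARE\2748163]
"pc12748163ins"=dword:00000001
'''


def parse_reg_export(text):
    """Parse the subset of .reg syntax reg.exe emits: [key] headers, quoted
    REG_SZ values (with doubled backslashes) and dword: values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"(?P<name>[^"]*)"=(?P<val>.*)$', line)
        if not (m and current is not None):
            continue
        name, val = m.group("name"), m.group("val")
        if val.startswith('"') and val.endswith('"'):
            keys[current][name] = val[1:-1].replace("\\\\", "\\")
        elif val.startswith("dword:"):
            keys[current][name] = int(val[len("dword:"):], 16)
    return keys


def find_indicators(keys):
    """Return (kind, key, value_name, value) tuples matching the report."""
    hits = []
    for name, value in keys.get(RUN_KEY, {}).items():
        # Run value named after the random number, pointing at <n>\<n>.exe.
        if isinstance(value, str) and name.isdigit() and PAYLOAD_RE.search(value):
            hits.append(("run_value", RUN_KEY, name, value))
    if UNINSTALL_KEY in keys:
        hits.append(("uninstall_key", UNINSTALL_KEY, "DisplayName",
                     keys[UNINSTALL_KEY].get("DisplayName", "")))
    for key, values in keys.items():
        # HKLM\SOFTWARE\<n> holding a pc...ins marker value.
        if CONFIG_KEY_RE.fullmatch(key) and any(CONFIG_VALUE_RE.fullmatch(v) for v in values):
            hits.append(("config_key", key, "", ""))
    return hits


def check_mutexes(mutex_names):
    """Report which of the family's mutex names appear in a handle listing."""
    return sorted(KNOWN_MUTEXES.intersection(mutex_names))


def cleanup_actions(hits):
    """Map findings onto the disinfection steps: delete the Run value, remove
    the dropped folder, and delete the Uninstall and config keys."""
    actions = []
    for kind, key, name, value in hits:
        if kind == "run_value":
            actions.append(("delete_value", key + "\\" + name))
            actions.append(("delete_folder", value.rsplit("\\", 1)[0]))
        else:
            actions.append(("delete_key", key))
    return actions


if __name__ == "__main__":
    for action in cleanup_actions(find_indicators(parse_reg_export(SAMPLE_REG))):
        print(*action)
```

Run it against `reg export HKLM\SOFTWARE out.reg` output instead of the constructed sample to triage a real host; the shortcut files and the `.glu`, `cnf` and `ins` files live in the folder the `delete_folder` action names, so removing that folder covers them. Perform the actual deletions only after confirming the Run value really points into an all-digits folder, since the digit-only assumption is this example's, not the report's.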