;Template Description for Analyst:
;AnalystName: Enter your complete name
;AnalystEMailID: E-mail ID of the analyst
;Team: Specify the team you belong to: China, India, Romania or Ukraine
;Date: Date in dd-mmm-yyyy format on which you write or update this description, e.g. 10-JAN-2010
;Type: Taken from the malware name; for Virus.Win32.Virut the Type is Virus
;Platform: Always fixed as Win32 as of now
;Family: As this description belongs to
;Variant: If you are writing for a specific variant in a family, mention so, e.g. Virus.Win32.Virut.CE
;OVERVIEW: Give a brief overview of the malware's behaviour
;TECHNICAL_DESCRIPTION: Give the complete technical description
;SYMPTOMS: If the infected system shows any visible symptoms that an end user can identify, mention them here
;DISINFECTION: Manual steps the user can take to remove the malware (e.g. removing certain registry entries or files) go here.
;
;The "Removal instructions" at http://www.viruslist.com/en/viruses/encyclopedia?virusid=21782790 are a good example.
;Here are a few example links where other vendors have published information in various
;http://www.symantec.com/security_response/writeup.jsp?docid=2009-020411-2802-99
;http://www.f-secure.com/v-descs/virus_w32_virut.shtml
;http://vil.nai.com/vil/content/v_154029.htm
;http://www.avast.com/eng/win32beagle.html
;http://free.avg.com/ww-en/66558
;http://www.viruslist.com/en/viruses/encyclopedia?virusid=21782790
;This ini file should be filled in for every major variant and attached to the related ticket in trac

[INFO]
AnalystName=Shiv Chand.k
AnalystEMailID=shivc@comodo.com
Team=India
Date=12-JAN-2010
Type=TrojWare
Platform=Win32
SubType=
Family=FraudPack
Variant=

[OVERVIEW]
This trojan program shows a fake warning message, alarming the user that their machine is infected or at risk. The intention behind all the fake messages is to drive users to buy the advertised fake antispyware product.
[TECHNICAL_DESCRIPTION]
Registry keys added:
HKLM\SOFTWARE\%8-digit random character string%

Registry values added:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\%8-digit random character string%: "%ALLUSERSPROFILE%\APPLIC~1\%8-digit random character string%\%8-digit random character string%.exe"

Files added:
%Desktop%\Security Tool.lnk
%Start Menu%\Programs\Security Tool.lnk
%ALLUSERSPROFILE%\Application Data\%8-digit random character string%\%8-digit random character string%.exe

Folders added:
%ALLUSERSPROFILE%\Application Data\%8-digit random character string%

It hijacks the desktop background with an image alerting the user that the computer has been infected with spyware. It also changes Windows settings: it removes the user's permission to change the background image and sets the Active Desktop to "show web content". While active, it also occasionally displays pop-up advertisements and attempts to connect to a few remote sites.

It creates a copy of itself in the folder %ALLUSERSPROFILE%\Application Data\%8-digit random character string%\ as %8-digit random character string%.exe.

It also creates a startup registry entry for that copy:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\%8-digit random character string%: "%drive%\DOCUME~1\ALLUSE~1\APPLIC~1\%8-digit random character string%\%8-digit random character string%.exe"

It creates a mutex object named "Security Tool".

It creates a Security Tool.lnk file on the desktop and in the Start Menu.

It connects to the following websites:
hxxp://www.test< removed >.com
hxxp://www.in< removed >.com
hxxp://www.in< removed >.com
hxxp://www.support< removed >.com

[SYMPTOMS]
The desktop background image is changed.
Right-click on the desktop is disabled.
A fake warning message is shown.

[DISINFECTION]
Change the wallpaper using Control Panel -> Display.
Remove the startup registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\%8-digit random character string%: "%ALLUSERSPROFILE%\APPLIC~1\%8-digit random character string%\%8-digit random character string%.exe"
Remove the folder:
%ALLUSERSPROFILE%\Application Data\%8-digit random character string%
Remove the Security Tool.lnk file from the desktop and the Start Menu.
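As an added example (not part of this description or any vendor tool), a read-only PowerShell check for the artifacts listed above: the Run value, the same-named folder and .exe, the Security Tool.lnk shortcuts and the mutex. It assumes the XP-era %ALLUSERSPROFILE%\Application Data layout given in the description and that the mutex is created in the local namespace.

```powershell
# Added example: reports the FraudPack / Security Tool persistence artifacts
# described above. It only reads; removal is the manual DISINFECTION steps.
$RunKey          = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$AllUsersAppData = Join-Path $env:ALLUSERSPROFILE 'Application Data'   # assumed XP-era layout
# <8 alphanumerics>\<the same 8 alphanumerics>.exe, in long or 8.3 (APPLIC~1) form
$DropperPattern  = '(?i)(Application Data|APPLIC~1)\\([A-Za-z0-9]{8})\\\2\.exe'

function Get-SuspiciousRunEntries {
    # Run values whose command line points at the self-copy path pattern
    $key = Get-Item -Path $RunKey -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($name in $key.GetValueNames()) {
        # keep %ALLUSERSPROFILE% unexpanded so the output matches the notation above
        $cmd = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
        if ($cmd -match $DropperPattern) {
            [pscustomobject]@{ Artifact = 'RunValue'; Name = $name; Path = $cmd }
        }
    }
}

function Get-SuspiciousDropFolders {
    # 8-character folders under All Users\Application Data holding a same-named .exe
    Get-ChildItem -Path $AllUsersAppData -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^[A-Za-z0-9]{8}$' -and
                       (Test-Path (Join-Path $_.FullName "$($_.Name).exe")) } |
        ForEach-Object { [pscustomobject]@{ Artifact = 'Folder'; Name = $_.Name; Path = $_.FullName } }
}

function Get-SecurityToolShortcuts {
    # "Security Tool.lnk" on the per-user and all-users Desktop and Start Menu\Programs
    foreach ($folder in 'Desktop', 'CommonDesktopDirectory', 'Programs', 'CommonPrograms') {
        $lnk = Join-Path ([Environment]::GetFolderPath($folder)) 'Security Tool.lnk'
        if (Test-Path $lnk) { [pscustomobject]@{ Artifact = 'Shortcut'; Name = $folder; Path = $lnk } }
    }
}

function Test-SecurityToolMutex {
    # The "Security Tool" mutex exists only while the trojan process is running
    try { $m = [System.Threading.Mutex]::OpenExisting('Security Tool'); $m.Dispose(); $true }
    catch { $false }
}

$findings = @(Get-SuspiciousRunEntries) + @(Get-SuspiciousDropFolders) + @(Get-SecurityToolShortcuts)
if (Test-SecurityToolMutex) {
    $findings += [pscustomobject]@{ Artifact = 'Mutex'; Name = 'Security Tool'; Path = '(running)' }
}
if ($findings.Count -eq 0) { 'No FraudPack / Security Tool artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

A hit on the mutex means the process is still running and should be stopped before the folder and Run value are removed, otherwise it can recreate them.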