TROJ_FAKEALER.HO
Technical Details

File type: PE

Memory resident: Yes

Size of malware: 9,467,904 Bytes

Initial samples received on: Aug 5, 2008

Related to: TROJ_RENOS.ADX


Details:

Arrival Details

This Trojan may be downloaded from remote sites by other malware, detected by Trend Micro as TROJ_RENOS.ADX.

Installation

This Trojan installs itself as a fake antivirus application named ANTIVIRUS XP 2008. It shows fake alert pop-ups stating that the affected system is infected with several viruses.

It then leads the user to a spoofed antivirus application window.

When the user tries to remove the viruses, it will prompt the user to pay for the service before cleaning the infection.

It creates the following folders:

  • %Application Data%\rhcpu4j0etu4
  • C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008
  • %Program Files%\rhcpu4j0etu4

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003. %Program Files% is the default Program Files folder, usually C:\Program Files.)

It drops a copy of itself as %Program Files%\rhcpu4j0etu4.exe. It also drops the following non-malicious components:

  • %Application Data%\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
  • %Program Files%\rhcpu4j0etu4\database.dat
  • %Program Files%\rhcpu4j0etu4\license.txt
  • %Program Files%\rhcpu4j0etu4\MFC71.dll
  • %Program Files%\rhcpu4j0etu4\MFC71ENU.DLL
  • %Program Files%\rhcpu4j0etu4\msvcp71.dll
  • %Program Files%\rhcpu4j0etu4\msvcr71.dll
  • %Program Files%\rhcpu4j0etu4\rhcpu4j0etu4.{BLOCKED}e.local
  • %Program Files%\rhcpu4j0etu4\Uninstall.exe

Autostart Techniques

This Trojan creates the following registry entry to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SMrhcpu4j0etu4 = "%Program Files%\rhcpu4j0etu\rhcpu4j0etu4.exe"

Other System Modifications

This Trojan creates the following registry entries and key as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcpu4j0etu4
DisplayName = "AntivirXP08"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcpu4j0etu4
UninstallString = "%Program Files%\rhcpu4j0etu4uninstall.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\rhcpu4j0etu4
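As an added host check that is not part of this Trend Micro entry, the following PowerShell script looks on the local machine for the autostart entry, the uninstall and marker keys, and the dropped folders and shortcuts listed in the Installation, Autostart Techniques and Other System Modifications sections. The mapping of the entry's %Application Data% and %Program Files% placeholders to $env:APPDATA / $env:LOCALAPPDATA, $env:ProgramFiles and the CommonPrograms special folder is an assumption made here.

```powershell
# Added example, not from the Trend Micro entry: report the artifacts
# documented for TROJ_FAKEALER.HO that are present on this host.
$ErrorActionPreference = 'SilentlyContinue'
$tag = 'rhcpu4j0etu4'   # folder / value name used by this sample
$findings = @()

# 1. Autostart value under HKLM\...\Run (value name SM<tag>)
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey
if ($run -and $run.PSObject.Properties["SM$tag"]) {
    $findings += "Run value SM$tag = $($run."SM$tag")"
}

# 2. Uninstall key advertising the fake product name "AntivirXP08"
$uninst = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$tag"
if (Test-Path $uninst) {
    $dn = (Get-ItemProperty -Path $uninst).DisplayName
    $findings += "Uninstall key present (DisplayName='$dn')"
}

# 3. Marker key HKLM\SOFTWARE\<tag>
if (Test-Path "HKLM:\SOFTWARE\$tag") {
    $findings += "Marker key HKLM\SOFTWARE\$tag present"
}

# 4. Dropped folders, copy of the executable and Start Menu / Quick Launch items.
#    Assumed placeholder mapping: %Application Data% -> APPDATA and LOCALAPPDATA,
#    %Program Files% -> ProgramFiles, All Users Start Menu -> CommonPrograms.
$commonPrograms = [Environment]::GetFolderPath('CommonPrograms')
$paths = @(
    (Join-Path $env:APPDATA $tag),
    (Join-Path $env:LOCALAPPDATA $tag),
    (Join-Path $env:ProgramFiles $tag),
    (Join-Path $env:ProgramFiles "$tag.exe"),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk'),
    (Join-Path $commonPrograms 'Antivirus XP 2008.lnk'),
    (Join-Path $commonPrograms 'Antivirus XP 2008')
)
foreach ($p in $paths) {
    if ($p -and (Test-Path -LiteralPath $p)) { $findings += "Path present: $p" }
}

# Report. Reading HKLM and these folders needs no elevation.
if ($findings.Count -eq 0) {
    'No TROJ_FAKEALER.HO artifacts found on this host.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

A hit on the Run value alone is enough to treat the host as infected, since that value is what re-launches the fake scanner at every boot.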

Affected Platforms

This Trojan runs on Windows 98, ME, NT, 2000, XP, and Server 2003.

Analysis By: Hazel Mariscal

Revision History:

First pattern file version: 5.458.01
First pattern file release date: Aug 05, 2008
