Sunday, November 14, 2010

Trojan.Win32.FraudPack.bkhe

Details

This Trojan has a malicious payload. It is a Windows dynamic link library (DLL) file. It is 361216 bytes in size.


Once launched, the program will display a message stating that the computer has been infected by malicious programs:




The message is displayed even if there are no other malicious programs on the computer.

If the user clicks the message, the program will display a license agreement in a new window:




The program then begins downloading a fake antivirus product without waiting for the user’s consent:


It is downloaded from one of the following addresses (which one depends on the particular sample):

http://searchbad.org
http://searchfinddeliver.org
http://finderwid.org
http://searchannoying.org
http://fastoutostop.com

The following files are downloaded:

/avt/avt_db
/avt/avt_ext
/avt/avt_hook
/avt/avt_un
/avt/avt_main

The downloaded program is then installed into the directory:

%ProgramFiles%\AnVi

To ensure that it is launched automatically when the system is rebooted, the Trojan adds the program it has just installed to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Antivirus"="%ProgramFiles%\AnVi\avt.exe\ -noscan"

At the time of writing the following program could be downloaded and installed from the above addresses:




This program informs the user of the presence of various malicious programs in the system even if there are no such programs on the computer. In addition, it displays alerts about a network attack on the computer and the existence of a keylogger in the system:






The program claims that the full version must be activated before these supposed “threats” can be removed, and prompts the user to pay for it by bank card.



The program also prevents Windows Task Manager from being launched by setting the following registry values:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr"=dword:00000001

In addition, the malicious program creates the following registry key:

[HKLM\SOFTWARE\AnVi]


Remove

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Delete the original malware file, which is usually located in the %TEMP% folder under the name eapp32hst.dll.

2. Re-enable Task Manager by restoring the following registry values:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr"=dword:00000000

3. Use Task Manager to terminate the fake antivirus process (avt.exe).

4. Delete the %ProgramFiles%\AnVi folder with all its contents.

5. Delete the following registry value and key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Antivirus"="%ProgramFiles%\AnVi\avt.exe\ -noscan"

[HKLM\SOFTWARE\AnVi]

6. Delete all files from the %Temp% directory.

Rootkit.Win32.Stuxnet.a

Details
This rootkit is designed to load and run malicious code on the victim’s system. It is an NT kernel-mode driver, 26616 bytes in size.

Infection

The rootkit copies its executable file as:
%System%\drivers\mrxcls.sys

In order to ensure that it is launched automatically when the system is rebooted, the rootkit creates the following service registry key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls]
"Description"="MRXCLS"
"DisplayName"="MRXCLS"
"ErrorControl"=dword:00000000
"Group"="Network"
"ImagePath"="\\??\\%System%\Drivers\\mrxcls.sys"
"Start"=dword:00000001
"Type"=dword:00000001

It creates the file:

%System%\drivers\mrxnet.sys (17400 bytes, detected as Rootkit.Win32.Stuxnet.b)

To ensure that it is launched automatically when the system is rebooted, the rootkit creates the following service registry key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet]
"Description"="MRXCLS"
"DisplayName"="MRXNET"
"ErrorControl"=dword:00000000
"Group"="Network"
"ImagePath"="\\??\\%System%\Drivers\\mrxnet.sys"
"Start"=dword:00000001
"Type"=dword:00000001

It also creates the following files, which contain the code and the encrypted rootkit data:

%windir%\inf\mdmcpq3.pnf - 4633 bytes
%windir%\inf\mdmeric3.pnf - 90 bytes
%windir%\inf\oem6c.pnf - 323848 bytes
%windir%\inf\oem7a.pnf - 498176 bytes

The rootkit spreads via removable USB devices by exploiting CVE-2010-2568, a vulnerability in the way Windows handles LNK (shortcut) files that was a zero-day at the time.

For this purpose, the malicious code running in the services.exe process monitors for newly connected USB storage devices and, when one is detected, creates the following files in the root folder of the device:

~wtr4132.tmp (513536 bytes, detected as Trojan-Dropper.Win32.Stuxnet.a)
~wtr4141.tmp (25720 bytes, detected as Trojan-Dropper.Win32.Stuxnet.b)

These files are DLLs; they are loaded when the vulnerability is triggered and install the rootkit on the system. Alongside them, the shortcut files that trigger the vulnerability are placed in the root of the infected drive:

"Copy of Shortcut to.lnk"
"Copy of Copy of Shortcut to.lnk"
"Copy of Copy of Copy of Shortcut to.lnk"
"Copy of Copy of Copy of Copy of Shortcut to.lnk"

Each of these files is 4171 bytes in size and is detected as Trojan.WinLnk.Agent.i. The vulnerability is triggered as soon as the user views the root directory of the removable media in a file manager that renders shortcut icons (Windows Explorer, by default); the user does not need to open the shortcut. Once the vulnerability has been exploited the rootkit is activated and immediately hides the malicious files.
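Because merely listing the drive is enough to trigger the exploit, a practitioner wants to inspect such shortcuts without letting Explorer render them. The following Python script is an added example (not code from this page or from Kaspersky’s description): it parses the ShellLinkHeader and LinkTargetIDList of a .lnk file as laid out in MS-SHLLINK and flags the shape of a CVE-2010-2568 shortcut, namely an ID list that goes through the Windows Control Panel folder (CLSID {21EC2020-3AEA-1069-A2DD-08002B30309D}) and carries a UTF-16 path to a .tmp or .dll instead of a .cpl. That structure comes from public analyses of these shortcuts, not from the text above, and the two sample shortcuts are constructed by build_lnk() with a simplified item layout; they are not the real "Copy of Shortcut to.lnk" files.

```python
"""Triage .lnk files for the CVE-2010-2568 shortcut shape described above.

Added example, not code from the original page. The sample shortcuts are
constructed by build_lnk(); they are not the real "Copy of Shortcut to.lnk"
files, whose internal layout this page does not give.
"""
import re
import struct
import uuid
from pathlib import Path

HEADER_SIZE = 0x4C                                    # MS-SHLLINK 2.1: fixed ShellLinkHeader
LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
HAS_LINK_TARGET_ID_LIST = 0x00000001                  # LinkFlags bit A
# Windows' Control Panel folder CLSID; a Control Panel item whose target is not
# a .cpl is the CVE-2010-2568 pattern (assumption taken from public analyses).
CONTROL_PANEL_CLSID = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D").bytes_le
LOADABLE_NON_CPL = (".tmp", ".dll")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")   # printable UTF-16LE runs


def parse_id_list(data: bytes) -> list:
    """Return the ItemID payloads of the LinkTargetIDList (MS-SHLLINK 2.2)."""
    if len(data) < HEADER_SIZE:
        raise ValueError("shorter than a ShellLinkHeader")
    (header_size,) = struct.unpack_from("<I", data, 0)
    if header_size != HEADER_SIZE or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 0x14)
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []
    (id_list_size,) = struct.unpack_from("<H", data, HEADER_SIZE)
    pos, end = HEADER_SIZE + 2, HEADER_SIZE + 2 + id_list_size
    if end > len(data):
        raise ValueError("IDListSize runs past end of file")
    items = []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:                            # TerminalID
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID")
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items


def triage_lnk(data: bytes) -> dict:
    """Flag a shortcut whose ID list goes through the Control Panel folder and
    ends in a path the shell would load as a DLL instead of a .cpl."""
    items = parse_id_list(data)
    in_control_panel = any(CONTROL_PANEL_CLSID in item for item in items)
    paths = [m.group().decode("utf-16-le")
             for item in items for m in UTF16_RUN.finditer(item)]
    loaded = [p for p in paths if p.lower().endswith(LOADABLE_NON_CPL)]
    return {"control_panel": in_control_panel, "paths": paths,
            "loaded_modules": loaded,
            "suspicious": in_control_panel and bool(loaded)}


def build_lnk(items: list) -> bytes:
    """Assemble a minimal Shell Link: header plus a LinkTargetIDList."""
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    header[4:20] = LINK_CLSID
    struct.pack_into("<I", header, 0x14, HAS_LINK_TARGET_ID_LIST)
    id_list = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return bytes(header) + struct.pack("<H", len(id_list)) + id_list


def cpl_item(path: str) -> bytes:
    """Constructed Control Panel item carrying a UTF-16LE path (layout simplified)."""
    return b"\x00\x00\x00\x00" + path.encode("utf-16-le") + b"\x00\x00"


# Constructed samples: a benign shortcut to a real .cpl, and one shaped like the
# shortcuts dropped next to ~wtr4141.tmp in the root of a removable drive.
BENIGN_LNK = build_lnk([b"\x1f\x00" + CONTROL_PANEL_CLSID,
                        cpl_item(r"C:\WINDOWS\system32\timedate.cpl")])
MALICIOUS_LNK = build_lnk([b"\x1f\x00" + CONTROL_PANEL_CLSID,
                           cpl_item(r"E:\~wtr4141.tmp")])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_LNK), ("malicious", MALICIOUS_LNK)):
        print(name, triage_lnk(blob))
    # Real use: point this at the root of the removable drive from a shell
    # (never from Explorer) and triage every .lnk before the icons are drawn.
    for lnk in Path(".").glob("*.lnk"):
        print(lnk, triage_lnk(lnk.read_bytes())["suspicious"])
```

The parser deliberately stops at the ID list and never resolves or opens the target, so running it against the ~wtr files’ shortcuts is safe; a `ValueError` on a truncated or oversized IDListSize is itself a useful signal on a crafted file.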


The rootkit is designed to inject malicious code into user-mode processes. It loads a DLL into the following system processes:

svchost.exe
services.exe
lsass.exe

Afterwards the DLLs appear in those processes’ module lists under the following names:

kernel32.dll.aslr.<rnd>
shell32.dll.aslr.<rnd>

where <rnd> is a random hexadecimal number. The injected code is contained, in encrypted form, in the file:

%WinDir%\inf\oem7A.PNF

The injected code contains the main functionality of this malicious program, which includes:

• Propagation via removable media.

• Monitoring of the Siemens Step7 system. For this purpose the rootkit driver injects its own intermediary library into the s7tgtopx.exe process in place of the original s7otbxsx.dll. This library wraps the following API functions and collects various information about the operation of the system:
  • s7_event
  • s7ag_bub_cycl_read_create
  • s7ag_bub_read_var
  • s7ag_bub_write_var
  • s7ag_link_in
  • s7ag_read_szl
  • s7ag_test
  • s7blk_delete
  • s7blk_findfirst
  • s7blk_findnext
  • s7blk_read
  • s7blk_write
  • s7db_close
  • s7db_open
  • s7ag_bub_read_var_seg
  • s7ag_bub_write_var_seg

• Performing SQL queries. The rootkit obtains a list of computers on the local network and checks whether any of them runs the Microsoft SQL Server instance that backs the Siemens WinCC process-visualization system. If such a server is found, the malware attempts to log in to the database with the hard-coded username and password WinCCConnect/2WSXcder and then tries to read data from the following tables:
  • MCPTPROJECT
  • MCPTVARIABLEDESC
  • MCPVREADVARPERCON

• Collecting information from files with the following extensions, which are created by Siemens Step7 (the entire hard drive is searched for them):
  • *.S7P
  • *.MCP
  • *.LDF

• Sending the collected data, in encrypted form, over the Internet to the attackers’ servers.

The rootkit file is signed with a code-signing certificate belonging to Realtek Semiconductor Corp.


Remove Virus

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Delete the original rootkit file (its location depends on how the program originally reached the victim machine).

2. Delete the following service registry keys:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls]

3. Delete the following files (the running rootkit hides them, so if they are not visible delete them from a clean boot environment):

%System%\drivers\mrxnet.sys
%System%\drivers\mrxcls.sys
%windir%\inf\mdmcpq3.pnf
%windir%\inf\mdmeric3.pnf
%windir%\inf\oem6c.pnf
%windir%\inf\oem7a.pnf

4. Reboot the computer.

5. To avoid reinfection, install the Microsoft update that fixes CVE-2010-2568 (MS10-046) or, if that is not possible, disable the display of shortcut icons in the file manager.

6. Delete the following files from any removable media:

"Copy of Shortcut to.lnk"
"Copy of Copy of Shortcut to.lnk"
"Copy of Copy of Copy of Shortcut to.lnk"
"Copy of Copy of Copy of Copy of Shortcut to.lnk"
~wtr4132.tmp
~wtr4141.tmp
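The registry parts of both removal procedures above (the FraudPack Run entry, the DisableTaskMgr policy values and the AnVi key, and the Stuxnet MRxCls/MRxNet service keys) can be checked from a `reg export` of the suspect machine and undone by importing a .reg file, which is handy when Task Manager and regedit are being blocked. The script below is an added example, not code from this page or from Kaspersky: parse_reg() reads regedit “Version 5.00” export text, find_indicators() matches the indicators listed above, and remediation_reg() writes the .reg fragment that resets DisableTaskMgr to 0, removes the Run value and deletes the malware keys. SAMPLE_EXPORT is constructed for the example (the ctfmon and mrxsmb entries are benign and are there to show that only the listed indicators match).

```python
"""Check a registry export for the indicators in the removal steps above and
emit the .reg fragment that undoes them.  Added example, not code from the
page; SAMPLE_EXPORT is constructed, not taken from an infected machine."""
import re

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')   # "name"=data or @=data


def parse_reg(text: str) -> dict:
    """{key: {value_name: data}} from 'Windows Registry Editor Version 5.00' text.
    REG_SZ -> str, REG_DWORD -> int, '-' -> None; other types stay raw and
    their backslash-continued hex lines are skipped."""
    reg, current, continued = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if continued:                                  # tail of a multi-line hex value
            continued = line.endswith("\\")
            continue
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            reg.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unexpected line: {raw!r}")
        name, data = m.group(1) if m.group(1) is not None else "@", m.group(2)
        if data.startswith("dword:"):
            reg[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            reg[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \"
        elif data == "-":
            reg[current][name] = None
        else:
            reg[current][name] = data
            continued = data.endswith("\\")
    return reg


# (key path below the hive, value name or None for "key exists", predicate, label)
INDICATORS = [
    (r"software\microsoft\windows\currentversion\run", "antivirus",
     lambda d: isinstance(d, str) and r"\anvi\avt.exe" in d.lower(), "FraudPack autorun entry"),
    (r"software\microsoft\windows\currentversion\policies\system", "disabletaskmgr",
     lambda d: d == 1, "Task Manager disabled"),
    (r"software\anvi", None, None, "FraudPack marker key"),
    (r"system\currentcontrolset\services\mrxcls", None, None, "Stuxnet MRxCls driver service"),
    (r"system\currentcontrolset\services\mrxnet", None, None, "Stuxnet MRxNet driver service"),
]


def find_indicators(reg: dict) -> list:
    """(key, value name or None, label) for every indicator present in the export."""
    hits = []
    for key, values in reg.items():
        path = key.partition("\\")[2].lower()            # drop the hive name
        by_name = {n.lower(): (n, d) for n, d in values.items()}
        for ind_path, ind_name, ok, label in INDICATORS:
            if path != ind_path:
                continue
            if ind_name is None:
                hits.append((key, None, label))
            elif ind_name in by_name and ok(by_name[ind_name][1]):
                hits.append((key, by_name[ind_name][0], label))
    return hits


def remediation_reg(hits: list) -> str:
    """.reg text that undoes the hits: '[-key]' deletes a key, '"name"=-' deletes
    a value, and the Task Manager policy is reset to 0 rather than deleted."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, name, label in hits:
        out.append(f"; {label}")
        if name is None:
            out.append(f"[-{key}]")
        elif name.lower() == "disabletaskmgr":
            out += [f"[{key}]", f'"{name}"=dword:00000000']
        else:
            out += [f"[{key}]", f'"{name}"=-']
        out.append("")
    return "\n".join(out)


# Constructed export; ctfmon and mrxsmb are benign entries that must not match.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Antivirus"="\"%ProgramFiles%\\AnVi\\avt.exe\" -noscan"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\AnVi]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls]
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\Drivers\\mrxcls.sys"
"Start"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb]
"ImagePath"=hex(2):5c,00,53,00,79,00,73,00,\
  74,00,65,00,6d,00,00,00
"""

if __name__ == "__main__":
    found = find_indicators(parse_reg(SAMPLE_EXPORT))
    for key, name, label in found:
        print(f"{label}: {key}" + (f" -> {name}" if name else ""))
    print(remediation_reg(found))
```

Feed it the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` (and the corresponding HKCU and HKLM\SOFTWARE exports), then apply the generated fragment with `reg import fix.reg`. The fragment covers only the registry; the driver files, the %ProgramFiles%\AnVi folder, the reboot and the removable-media cleanup still follow the numbered steps above.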




Wednesday, October 6, 2010

Virus that changes your data into shortcuts (Shortcut Virus)

This virus spread widely within the Universiti Malaysia Sabah main campus. It was written in Visual Basic and takes advantage of the 'autorun' function in Microsoft Windows.

The virus automatically closes applications such as Internet Explorer and Task Manager, and most .exe files, including your antivirus, can no longer be opened.

It spreads rapidly because we constantly share files using thumb drives. When an infected thumb drive is plugged into a computer, that computer becomes infected too; when another thumb drive is then plugged into that computer, it is infected in turn. All the data on the drive is hidden and replaced by shortcuts that point to the virus file. A clever virus.

This virus triggers panic, especially among those who need the actual data on the thumb drive.

Most of those infected take their computers to a computer shop to have Windows reinstalled, but this infection can be removed without reformatting the computer.