[Symptom of Infection]
Spyware.FraudLoad.Do is installed without the user's consent, then downloads and executes Paladin Antivirus. The downloaded Paladin Antivirus pops up warning messages at regular intervals and disables the desktop.
- It adds itself to the registry so that it runs automatically at system boot.
[PIC 1] Installation

[PIC 2] Scan Feature

[PIC 3] Similar UI to MS security center

[PIC 4] Disable desktop regularly 1

[PIC 5] Disable desktop regularly 2

[PIC 6] Disable desktop regularly 3

[PIC 7] Warning message 1

[PIC 8] Warning message 2

[PIC 9] Warning message 3

[PIC 10] Warning message 4

[PIC 11] Created icons

[PIC 12] Purchase Feature

<Related URL>
hxxp://(...).cn/readdatagateway.php?type=(...)
hxxp://(...).cn/pav_db
hxxp://(...).cn/readdatagateway.php?type=(...)&version=3.0
hxxp://(...).cn/pav_ext
hxxp://(...).cn/pav_hook
hxxp://(...).cn/pav_un
hxxp://(...).cn/pav_main
<File>
[Spyware.FraudLoad.Do] creates the following files.
(Quick Launch Folder)\Paladin Antivirus.lnk
(Temp Folder)\4otjesjty.mof
(Temp Folder)\pav.dat
(Temp Folder)\pavr.dat
(Temp Folder)\(Random Name).tmp
(Temp Folder)\(Random Name).tmp
(Temp Folder)\(Random Name).tmp
(Temp Folder)\(Random Name).tmp
(Temp Folder)\(Random Name).tmp
(Desktop Folder)\Paladin Antivirus Support.lnk
(Desktop Folder)\Paladin Antivirus.lnk
(All User Account Folder)\Desktop\nudetube.com.lnk
(All User Account Folder)\Desktop\pornotube.com.lnk
(All User Account Folder)\Desktop\youporn.com.lnk
(Temp Folder)\1.ico
(Temp Folder)\2.ico
(Temp Folder)\3.ico
(Temp Folder)\dhdhtrdhdrtr5y
(Temp Folder)\eventcreatexp.exe
<Registry>
[Spyware.FraudLoad.Do] creates the following registry keys and values.
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\SimpleShlExt
HKLM\SOFTWARE\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SimpleShlExt
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Paladin Antivirus
HKLM\SOFTWARE\Paladin Antivirus
HKCU\Software
  Name: eee0bd2f-ff2e-46ef-83fb-d4fda84462a3
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  Name: eventcreatexp.exe
  Value: "(Temp Folder)\eventcreatexp.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  Name: Paladin Antivirus
  Value: "(Programs Folder)\Paladin Antivirus\pav.exe" -noscan"
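The two Run values above are what keep the fake antivirus running after a reboot, so they are the first thing to look for when triaging a suspected host. The following Python is an added example, not part of the original report: it parses a constructed `.reg` export of the HKCU Run key (the user name, drive letters and benign entry are made up for the sample) and flags the entries matching the persistence described here, plus any other auto-start that launches from a Temp folder.

```python
import re

# Constructed sample .reg export (not a real capture): the HKCU Run key of an
# infected host with one benign entry, plus an unrelated key that must be skipped.
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus]
"InstallDir"="C:\\Program Files\\Paladin Antivirus"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"eventcreatexp.exe"="\"C:\\Documents and Settings\\alice\\Local Settings\\Temp\\eventcreatexp.exe\""
"Paladin Antivirus"="\"C:\\Program Files\\Paladin Antivirus\\pav.exe\" -noscan"
'''

# A .reg string value line: "name"="data", where data may contain \" and \\ escapes.
REG_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    """Undo .reg escaping: \\ -> \ and \" -> "."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_run_entries(text):
    """Return {value name: command line} for values under a ...\\CurrentVersion\\Run key."""
    entries, in_run = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):  # new key section; only Run keys are of interest
            in_run = line.rstrip("]").lower().endswith("\\currentversion\\run")
            continue
        m = REG_LINE.match(line)
        if m and in_run:
            entries[unescape(m.group(1))] = unescape(m.group(2))
    return entries


def find_indicators(entries):
    """Flag Run values matching this report, then any generic Temp-folder auto-start."""
    hits = []
    for name, data in entries.items():
        lname, ldata = name.lower(), data.lower()
        if lname == "eventcreatexp.exe" and "\\temp\\" in ldata:
            hits.append((name, "eventcreatexp.exe dropper launcher in Temp folder"))
        elif lname == "paladin antivirus" and "pav.exe" in ldata and "-noscan" in ldata:
            hits.append((name, "Paladin Antivirus auto-start (pav.exe -noscan)"))
        elif "\\temp\\" in ldata:
            hits.append((name, "auto-start entry executing from a Temp folder"))
    return hits


if __name__ == "__main__":
    for name, reason in find_indicators(parse_run_entries(SAMPLE_REG_EXPORT)):
        print(f"SUSPICIOUS Run value {name!r}: {reason}")
```

On a live Windows host the same check applies to the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`, and the HKLM Run key should be exported and scanned the same way.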
<Folder>
[Spyware.FraudLoad.Do] creates the following folders.
(User Account Folder)\Startup\Programs\Paladin Antivirus
(Programs Folder)\Paladin Antivirus
<Notation>
- "(All Users Account Folder)" may differ depending on user settings; generally it is "C:\Documents and Settings\(All Users Account)".
- "(Desktop Folder)" may differ depending on the OS; generally it is "C:\Documents and Settings\(User Account)\Desktop".
- "(Quick Launch Folder)" may differ depending on the OS (or user); generally it is "C:\Documents and Settings\(User Account)\Application Data\Microsoft\Internet Explorer\Quick Launch".
- "(Temp Folder)" may differ depending on the OS; generally it is "C:\Documents and Settings\(User Account)\Local Settings\Temp".
- "(Programs Folder)" may differ depending on the OS; generally it is "C:\Program Files".
- "(Windows Folder)" may differ depending on the OS; generally it is "C:\Windows".
- "(System Folder)" may differ depending on the OS; generally it is "C:\Windows\System32".