Win32/FakeVimes has been distributed with many different names. The name used by the malware, the user interface and other details vary to reflect each variant's individual branding. The following details describe Win32/FakeVimes when it is distributed with the name "Security Master AV".
Installation
SecurityMasterAV creates folders whose names vary between samples, for example:
- %AppData%\0e0a1
- %AppData%\SMRMHWAV
It creates the following shortcuts:
- <Desktop>\Security Master AV.lnk
- %AppData%\Microsoft\Internet Explorer\Quick Launch\Security Master AV.lnk
- <start menu>\Security Master AV.lnk
- <start menu>\Programs\Security Master AV.lnk
The shortcut might look similar to the following:
The Start Menu entry might look similar to the following:
SecurityMasterAV also creates the following files:
For example:
SecurityMasterAV modifies the following registry entry so that it runs each time you start your PC:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Security Master AV"
With data: ""%ALLUSERSPROFILE%\Application Data\0e0a1\SM755.exe" /s /d"
When installed, it might also show a task bar balloon such as the following:
Payload
Displays false alerts
This trojan shows you a fake security center and recommends you install "Security Master AV":
If you click on "How does Antivirus Protection help protect my computer", the trojan opens a web browser to the site "securitymasterav.com":
It might also display fake warnings about security threats such as the following:
Modifies Windows settings
This trojan registers itself in the registry as the out-of-process COM server (LocalServer32) for a DocHostUIHandler, which lets "Security Master AV" replace the menus, toolbars, and context menus used by MSHTML, the Internet Explorer rendering engine:
Adds key: "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"
To subkey: HKCR\CLSID
In subkey: HKCR\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32
Sets value: "(Default)"
With data: "<path and file name of Win32/FakeVimes when first run>"
In subkey: HKCR\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
Sets value: "(Default)"
With data: "Implements DocHostUIHandler"
In subkey: HKCR\setup.DocHostUIHandler\Clsid
Sets value: "(Default)"
With data: "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"
Lowers web browser security
This trojan modifies registry data so that Internet Explorer no longer checks the digital signatures of downloaded executables and does not warn when a signature is missing or invalid:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Download
Creates value: "CheckExeSignatures"
With data: "no"
In subkey: HKCU\Software\Microsoft\Internet Explorer\Download
Creates value: "RunInvalidSignatures"
With data: "1"
Modifies Internet Explorer settings
This trojan modifies registry data to change the default search provider for Internet Explorer, so that searches are sent to findgala.com:
In subkey: HKCU\Software\Microsoft\Internet Explorer\SearchScopes
Sets value: "URL"
With data: "http://findgala.com/?&uid=7&q={searchTerms}"
In subkey: HKCU\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes
Sets value: "URL"
With data: "http://findgala.com/?&uid=7&q={searchTerms}"
The trojan makes the following additional changes to the registry:
In subkey: HKCU\Software\Microsoft\Internet Explorer
Sets value: "PRS"
With data: "http://127.0.0.1:27777/?inj=%ORIGINAL%"
Bypasses Windows firewall
This trojan adds itself to the list of applications allowed to bypass the Windows firewall:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<path and file name of FakeVimes when first run>"
With data: "<path and file name of FakeVimes when first run>*:Enabled:Security Master AV"
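The registry changes listed in the sections above can be checked on a host in one pass. The following audit script is an added example, not code from the Microsoft description; every path, value name and data pattern in it is taken from the description above, and the labels and the Test-RegValue helper are the example's own. It only reports and does not change anything; run it in an elevated PowerShell so the HKLM key is readable.

```powershell
# Added example, not from the Microsoft description: audits one host for the
# registry changes listed above for the "Security Master AV" variant. Every
# path, value name and data pattern below is taken from that description.
# Run in an elevated PowerShell so the HKLM keys are readable.

$findings = New-Object System.Collections.Generic.List[string]

function Test-RegValue {
    param(
        [string]$Path,                 # provider path: HKCU:\..., HKLM:\..., Registry::HKEY_CLASSES_ROOT\...
        [string]$Name,                 # value name; '(Default)' for the key's default value
        [scriptblock]$Test = $null,    # predicate over the data; omitted = presence alone is a hit
        [string]$Label
    )
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }
    $data = if ($Name -eq '(Default)') { $item.'(default)' } else { $item.$Name }
    if ($null -eq $data) { return }
    if ($null -eq $Test -or (& $Test $data)) { $findings.Add("$Label : $Path [$Name] = $data") }
}

# Persistence: the Run value named after the rogue product
Test-RegValue -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Security Master AV' -Label 'Run key'

# DocHostUIHandler hijack: the listed CLSID's LocalServer32 pointing into a profile directory
$clsid = '{3F2BBC05-40DF-11D2-9455-00104BC936FF}'
Test-RegValue -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\LocalServer32" -Name '(Default)' `
    -Test { param($d) $d -match '(?i)\\(AppData|Application Data)\\' } -Label 'DocHostUIHandler server'
Test-RegValue -Path 'Registry::HKEY_CLASSES_ROOT\setup.DocHostUIHandler\Clsid' -Name '(Default)' `
    -Test { param($d) $d -eq $clsid } -Label 'DocHostUIHandler ProgID'

# Internet Explorer download checks switched off
$dl = 'HKCU:\Software\Microsoft\Internet Explorer\Download'
Test-RegValue -Path $dl -Name 'CheckExeSignatures'   -Test { param($d) "$d" -eq 'no' } -Label 'IE signature check disabled'
Test-RegValue -Path $dl -Name 'RunInvalidSignatures' -Test { param($d) "$d" -eq '1' }  -Label 'IE invalid signatures allowed'

# Search provider hijack and the local "PRS" injector
foreach ($p in 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes',
               'HKCU:\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes') {
    Test-RegValue -Path $p -Name 'URL' -Test { param($d) $d -match 'findgala\.com' } -Label 'Search hijack'
}
Test-RegValue -Path 'HKCU:\Software\Microsoft\Internet Explorer' -Name 'PRS' `
    -Test { param($d) $d -match '127\.0\.0\.1:27777' } -Label 'Local injection proxy'

# Firewall exception (Windows XP / Server 2003 firewall store); value names are full paths, so scan them all
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path -LiteralPath $fw) {
    foreach ($prop in (Get-ItemProperty -LiteralPath $fw).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }      # skip PSPath, PSParentPath, ...
        if ("$($prop.Value)" -match 'Security Master AV') { $findings.Add("Firewall exception : $($prop.Name) = $($prop.Value)") }
    }
}

if ($findings.Count -eq 0) { 'No Security Master AV registry indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

The AuthorizedApplications\List key is where the Windows XP and Server 2003 firewall keeps its program exceptions; on Windows Vista and later the equivalent check is a Get-NetFirewallRule (or netsh advfirewall) listing filtered on the rogue's path. Because the Run value and the CLSID are the variant's own branding, a different FakeVimes variant will need the value name, CLSID and domain patterns swapped for the ones in its own description.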
Modifies HOSTS file
This trojan adds the following lines to your PC's HOSTS file. The first group redirects payment sites for other rogue security products, Google Safe Browsing (safebrowsing-cache.google.com) and the URL reputation lookups used by Internet Explorer's SmartScreen Filter (urs.microsoft.com) to the IP address 74.125.45.100; the last four entries redirect Google's front pages to 93.174.89.11:
- 74.125.45.100 4-open-davinci.com
- 74.125.45.100 securitysoftwarepayments.com
- 74.125.45.100 privatesecuredpayments.com
- 74.125.45.100 secure.privatesecuredpayments.com
- 74.125.45.100 getantivirusplusnow.com
- 74.125.45.100 secure-plus-payments.com
- 74.125.45.100 www.getantivirusplusnow.com
- 74.125.45.100 www.secure-plus-payments.com
- 74.125.45.100 www.getavplusnow.com
- 74.125.45.100 safebrowsing-cache.google.com
- 74.125.45.100 urs.microsoft.com
- 74.125.45.100 www.securesoftwarebill.com
- 74.125.45.100 secure.paysecuresystem.com
- 74.125.45.100 paysoftbillsolution.com
- 74.125.45.100 protected.maxisoftwaremart.com
- 93.174.89.11 www.google.com
- 93.174.89.11 www.google.be
- 93.174.89.11 google.com.br
- 93.174.89.11 www.google.com.br
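HOSTS tampering of this kind is easy to spot once the file is read as data rather than eyeballed: the malicious lines map many unrelated names to one or two non-loopback addresses. The script below is an added example, not code from the Microsoft description; the $watch list holds the update and safe-browsing names from the entries above, and the parsing rules (comment stripping, loopback and 0.0.0.0 skipping) are the example's own assumptions about a normal HOSTS file. Point -HostsPath at a copy taken from a suspect machine to review it offline.

```powershell
# Added example, not from the Microsoft description: reports HOSTS lines that map a
# name to a non-loopback address and groups them by target, which makes the pattern
# above (many unrelated names, one or two addresses) stand out. The names in $watch
# are the ones listed above whose redirection silences Google Safe Browsing and
# SmartScreen lookups; the parsing conventions are this example's own assumptions.

param([string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts")

$watch = @('safebrowsing-cache.google.com', 'urs.microsoft.com', 'www.google.com', 'google.com.br')

function Get-NonLoopbackHostsEntries {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $text = ($line -split '#', 2)[0].Trim()              # strip comments
        if (-not $text) { continue }
        $parts = $text -split '\s+'
        if ($parts.Count -lt 2) { continue }                 # need an address and at least one name
        $addr = $null
        if (-not [System.Net.IPAddress]::TryParse($parts[0], [ref]$addr)) { continue }
        if ([System.Net.IPAddress]::IsLoopback($addr)) { continue }  # 127.x / ::1 are the normal case
        if ($parts[0] -eq '0.0.0.0') { continue }                    # common ad-block convention, not a redirect
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            [pscustomobject]@{
                Address = $parts[0]
                Name    = $name
                Watched = ($watch -contains $name.ToLowerInvariant())
            }
        }
    }
}

$entries = @(Get-NonLoopbackHostsEntries -Lines (Get-Content -LiteralPath $HostsPath -ErrorAction Stop))
if ($entries.Count -eq 0) { "No non-loopback entries in $HostsPath"; return }

# One line per target address: how many names it captures and which watched names are among them
$entries | Group-Object Address | Sort-Object Count -Descending | ForEach-Object {
    $flagged = ($_.Group | Where-Object Watched | ForEach-Object Name) -join ', '
    '{0,-16} {1,4} name(s){2}' -f $_.Name, $_.Count, $(if ($flagged) { "  blocks: $flagged" } else { '' })
}
```

Run against a file containing the entries above, the output is two lines: 74.125.45.100 with fifteen names (flagging safebrowsing-cache.google.com and urs.microsoft.com) and 93.174.89.11 with four (flagging www.google.com and google.com.br). A legitimate HOSTS file with a handful of intranet names will also show non-loopback entries, so the count per address and the presence of watched names, not the mere existence of an entry, is what to act on.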
Disables services and applications
If your PC is infected with this trojan and you try to run Task Manager, nothing will happen, because taskmgr.exe is one of the executables hijacked by the debugger entries described below.
The trojan also creates the following debugger entry so that "svchost.exe" is run instead of the requested executable (the value is placed under an Image File Execution Options subkey named after each target executable):
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable name>
Sets value: "debugger"
With data: "svchost.exe"
It creates this registry data so that "svchost.exe" runs in place of utilities, applications or services such as the following:
- _avp32.exe
- _avpcc.exe
- _avpm.exe
- a.exe
- aavgapi.exe
- aawtray.exe
- about.exe
- ackwin32.exe
- ad-aware.exe
- adaware.exe
- advxdwin.exe
- adwareprj.exe
- agent.exe
- agentsvr.exe
- agentw.exe
- alertsvc.exe
- alevir.exe
- alogserv.exe
- alphaav
- alphaav.exe
- aluschedulersvc.exe
- amon9x.exe
- anti-trojan.exe
- anti-virus professional.exe
- antispywarxp2009.exe
- antivirus.exe
- antivirus_pro.exe
- antivirusplus
- antivirusplus.exe
- antiviruspro_2010.exe
- antivirusxp
- antivirusxp.exe
- antivirusxppro2009.exe
- ants.exe
- apimonitor.exe
- apitrap.dll
- aplica32.exe
- apvxdwin.exe
- arr.exe
- arrakis3.exe
- ashavast.exe
- ashbug.exe
- ashchest.exe
- ashcnsnt.exe
- ashdisp.exe
- ashlogv.exe
- ashmaisv.exe
- ashpopwz.exe
- ashquick.exe
- ashserv.exe
- ashsimp2.exe
- ashsimpl.exe
- ashskpcc.exe
- ashskpck.exe
- ashupd.exe
- ashwebsv.exe
- asste.dll
- aswchlic.exe
- aswregsvr.exe
- aswrundll.exe
- aswupdsv.exe
- atcon.exe
- atguard.exe
- atro55en.exe
- atupdater.exe
- atwatch.exe
- au.exe
- aupdate.exe
- auto-protect.nav80try.exe
- autodown.exe
- autotrace.exe
- autoupdate.exe
- av360.exe
- avadmin.exe
- avcare.exe
- avcenter.exe
- avciman.exe
- avconfig.exe
- avconsol.exe
- ave32.exe
- avengine.exe
- avgcc32.exe
- avgchk.exe
- avgcmgr.exe
- avgcsrvx.exe
- avgctrl.exe
- avgdumpx.exe
- avgemc.exe
- avgiproxy.exe
- avgnsx.exe
- avgnt.exe
- avgrsx.exe
- avgscanx.exe
- avgserv.exe
- avgserv9.exe
- avgsrmax.exe
- avgtray.exe
- avgui.exe
- avgupd.exe
- avgw.exe
- avgwdsvc.exe
- avkpop.exe
- avkserv.exe
- avkservice.exe
- avkwctl9.exe
- avltmain.exe
- avmailc.exe
- avmcdlg.exe
- avnotify.exe
- avnt.exe
- avp32.exe
- avpcc.exe
- avpdos32.exe
- avpm.exe
- avptc32.exe
- avpupd.exe
- avsched32.exe
- avste.dll
- avsynmgr.exe
- avupgsvc.exe
- avwebgrd.exe
- avwin.exe
- avwin95.exe
- avwinnt.exe
- avwsc.exe
- avwupd.exe
- avwupd32.exe
- avwupsrv.exe
- avxmonitor9x.exe
- avxmonitornt.exe
- avxquar.exe
- b.exe
- backweb.exe
- bargains.exe
- bd_professional.exe
- bdagent.exe
- bdfvcl.exe
- bdfvwiz.exe
- bdinprocpatch.exe
- bdmcon.exe
- bdmsnscan.exe
- bdreinit.exe
- bdsubwiz.exe
- bdsurvey.exe
- bdtkexec.exe
- bdwizreg.exe
- beagle.exe
- belt.exe
- bidef.exe
- bidserver.exe
- bipcp.exe
- bipcpevalsetup.exe
- bisp.exe
- blackd.exe
- blackice.exe
- blink.exe
- blss.exe
- bootconf.exe
- bootwarn.exe
- borg2.exe
- bpc.exe
- brasil.exe
- brastk.exe
- brw.exe
- bs120.exe
- bspatch.exe
- bundle.exe
- bvt.exe
- c.exe
- cavscan.exe
- ccapp.exe
- ccevtmgr.exe
- ccpxysvc.exe
- ccsvchst.exe
- cdp.exe
- cfd.exe
- cfgwiz.exe
- cfiadmin.exe
- cfiaudit.exe
- cfinet.exe
- cfinet32.exe
- cfp.exe
- cfpconfg.exe
- cfplogvw.exe
- cfpupdat.exe
- cl.exe
- claw95.exe
- claw95cf.exe
- clean.exe
- cleaner.exe
- cleaner3.exe
- cleanielow.exe
- cleanpc.exe
- cleanup.dll
- click.exe
- cmd32.exe
- cmdagent.exe
- cmesys.exe
- cmgrdian.exe
- cmon016.exe
- connectionmonitor.exe
- control
- cpd.exe
- cpf9x206.exe
- cpfnt206.exe
- crashrep.exe
- csc.exe
- cssconfg.exe
- cssupdat.exe
- cssurf.exe
- ctrl.exe
- cv.exe
- cwnb181.exe
- cwntdwmo.exe
- d.exe
- datemanager.exe
- dcomx.exe
- defalert.exe
- defscangui.exe
- defwatch.exe
- deloeminfs.exe
- deputy.exe
- divx.exe
- dllcache.exe
- dllreg.exe
- doors.exe
- dop.exe
- dpf.exe
- dpfsetup.exe
- dpps2.exe
- driverctrl.exe
- drwatson.exe
- drweb32.exe
- drwebupw.exe
- dssagent.exe
- dvp95.exe
- dvp95_0.exe
- ecengine.exe
- efpeadm.exe
- egui.exe
- ekrn.exe
- emsw.exe
- enc98.exe
- ent.exe
- esafe.exe
- escanhnt.exe
- escanv95.exe
- espwatch.exe
- ethereal.exe
- etrustcipe.exe
- evpn.exe
- exantivirus-cnet.exe
- exe.avxw.exe
- expert.exe
- explore.exe
- f-agnt95.exe
- f-prot.exe
- f-prot95.exe
- f-stopw.exe
- fact.exe
- fameh32.exe
- fast.exe
- fch32.exe
- fih32.exe
- findviru.exe
- firewall.exe
- fixcfg.exe
- fixfp.exe
- fnrb32.exe
- fp-win.exe
- fp-win_trial.exe
- fprot.exe
- frmwrk32.exe
- frw.exe
- fsaa.exe
- fsav.exe
- fsav32.exe
- fsav530stbyb.exe
- fsav530wtbyb.exe
- fsav95.exe
- fsgk32.exe
- fsm32.exe
- fsma32.exe
- fsmb32.exe
- fullsoft.dll
- gator.exe
- gav.exe
- gbmenu.exe
- gbn976rl.exe
- gbpoll.exe
- gbrowser.dll
- generics.exe
- gmt.exe
- guard.exe
- guarddog.exe
- guardgui.exe
- hacktracersetup.exe
- hbinst.exe
- hbsrv.exe
- history.exe
- homeav2010.exe
- hotactio.exe
- hotpatch.exe
- htlog.exe
- htmlmarq.ocx
- htmlmm.ocx
- htpatch.exe
- hwpe.exe
- hxdl.exe
- hxiul.exe
- iamapp.exe
- iamserv.exe
- iamstats.exe
- ibmasn.exe
- ibmavsp.exe
- icload95.exe
- icloadnt.exe
- icmon.exe
- icsupp95.exe
- icsuppnt.exe
- identity.exe
- idle.exe
- iedll.exe
- iedriver.exe
- ieshow.exe
- iface.exe
- ifw2000.exe
- inetlnfo.exe
- infus.exe
- infwin.exe
- init.exe
- init32.exe
- install.exe
- install1.exe
- install2.exe
- install3.exe
- install4.exe
- install5.exe
- intdel.exe
- intren.exe
- iomon98.exe
- istsvc.exe
- jammer.exe
- jdbgmrg.exe
- jedi.exe
- jsrcgen.exe
- kavlite40eng.exe
- kavpers40eng.exe
- kavpf.exe
- kazza.exe
- keenvalue.exe
- kerio-pf-213-en-win.exe
- kerio-wrl-421-en-win.exe
- kerio-wrp-421-en-win.exe
- killprocesssetup161.exe
- launcher.exe
- ldnetmon.exe
- ldpro.exe
- ldpromenu.exe
- ldscan.exe
- licmgr.exe
- livesrv.exe
- lnetinfo.exe
- loader.exe
- localnet.exe
- lockdown.exe
- lockdown2000.exe
- lookout.exe
- lordpe.exe
- lsetup.exe
- luall.exe
- luau.exe
- lucomserver.exe
- luinit.exe
- luspt.exe
- malwareremoval.exe
- mapisvc32.exe
- mcagent.exe
- mcmnhdlr.exe
- mcmscsvc.exe
- mcnasvc.exe
- mcproxy.exe
- mcsacore.exe
- mcshell.exe
- mcshield.exe
- mcsysmon.exe
- mctool.exe
- mcupdate.exe
- mcvsrte.exe
- mcvsshld.exe
- md.exe
- mfin32.exe
- mfw2en.exe
- mfweng3.02d30.exe
- mgavrtcl.exe
- mgavrte.exe
- mghtml.exe
- mgui.exe
- minilog.exe
- mmod.exe
- monitor.exe
- moolive.exe
- mostat.exe
- mpfagent.exe
- mpfservice.exe
- mpfsrv.exe
- mpftray.exe
- mrflux.exe
- mrt.exe
- msa.exe
- msapp.exe
- msascui.exe
- msbb.exe
- msblast.exe
- mscache.exe
- msccn32.exe
- mscman.exe
- msconfig
- msdm.exe
- msdos.exe
- msfwsvc.exe
- msiexec16.exe
- mslaugh.exe
- msmgt.exe
- msmpeng.exe
- msmsgri32.exe
- msseces.exe
- mssmmc32.exe
- mssys.exe
- msvxd.exe
- mu0311ad.exe
- mwatch.exe
- n32scanw.exe
- nav.exe
- navap.navapsvc.exe
- navapsvc.exe
- navapw32.exe
- navdx.exe
- navlu32.exe
- navnt.exe
- navoptrf.dll
- navstub.exe
- navw32.exe
- navwnt.exe
- nc2000.exe
- ncinst4.exe
- ndd32.exe
- neomonitor.exe
- neowatchlog.exe
- netarmor.exe
- netd32.exe
- netinfo.exe
- netmon.exe
- netscanpro.exe
- netspyhunter-1.2.exe
- netutils.exe
- nisserv.exe
- nisum.exe
- nmain.exe
- nod32.exe
- normist.exe
- norton_internet_secu_3.0_407.exe
- notstart.exe
- npf40_tw_98_nt_me_2k.exe
- npfmessenger.exe
- nprotect.exe
- npscheck.exe
- npssvc.exe
- nsched32.exe
- nssys32.exe
- nstask32.exe
- nsupdate.exe
- nt.exe
- ntrtscan.exe
- ntvdm.exe
- ntxconfig.exe
- nui.exe
- nupgrade.exe
- nvarch16.exe
- nvc95.exe
- nvsvc32.exe
- nwinst4.exe
- nwservice.exe
- nwtool16.exe
- oacat.exe
- oahlp.exe
- oareg.exe
- oasrv.exe
- oaui.exe
- oaview.exe
- ochealthmon.exe
- odsw.exe
- ollydbg.exe
- onsrvr.exe
- optimize.exe
- ostronet.exe
- otfix.exe
- outpost.exe
- outpostinstall.exe
- outpostproinstall.exe
- ozn695m5.exe
- padmin.exe
- panixk.exe
- patch.exe
- pav.exe
- pavcl.exe
- pavfnsvr.exe
- pavproxy.exe
- pavprsrv.exe
- pavsched.exe
- pavsrv51.exe
- pavw.exe
- pc.exe
- pc_antispyware2010.exe
- pccwin98.exe
- pcfwallicon.exe
- pcip10117_0.exe
- pcscan.exe
- pctsauxs.exe
- pctsgui.exe
- pctssvc.exe
- pctstray.exe
- pdfndr.exe
- pdsetup.exe
- peravir.exe
- periscope.exe
- persfw.exe
- personalguard
- personalguard.exe
- perswf.exe
- pf2.exe
- pfwadmin.exe
- pgmonitr.exe
- photohse.exe
- pingscan.exe
- platin.exe
- pop3trap.exe
- poproxy.exe
- popscan.exe
- portdetective.exe
- portmonitor.exe
- powerscan.exe
- ppinupdt.exe
- pptbc.exe
- ppvstop.exe
- prizesurfer.exe
- prmt.exe
- prmvr.exe
- procdump.exe
- processmonitor.exe
- procexplorerv1.0.exe
- programauditor.exe
- proport.exe
- protector.exe
- protectx.exe
- psancu.exe
- psanhost.exe
- psantomanager.exe
- psctrls.exe
- psimsvc.exe
- psksvc.exe
- pspf.exe
- psunmain.exe
- purge.exe
- qconsole.exe
- qh.exe
- qserver.exe
- quick heal.exe
- quickhealcleaner.exe
- rapapp.exe
- rav7.exe
- rav7win.exe
- rav8win32eng.exe
- ray.exe
- rb32.exe
- rcsync.exe
- realmon.exe
- reged.exe
- regedt32.exe
- rescue.exe
- rescue32.exe
- rrguard.exe
- rscdwld.exe
- rshell.exe
- rtvscan.exe
- rtvscn95.exe
- rulaunch.exe
- rwg
- rwg.exe
- safetykeeper.exe
- safeweb.exe
- sahagent.exe
- save.exe
- savearmor.exe
- savedefense.exe
- savekeep.exe
- savenow.exe
- sbserv.exe
- sc.exe
- scam32.exe
- scan32.exe
- scan95.exe
- scanpm.exe
- scrscan.exe
- seccenter.exe
- secure veteran.exe
- secureveteran.exe
- security center.exe
- securityfighter.exe
- securitysoldier.exe
- serv95.exe
- setloadorder.exe
- setup_flowprotector_us.exe
- setupvameeval.exe
- sgssfw32.exe
- sh.exe
- shellspyinstall.exe
- shield.exe
- shn.exe
- showbehind.exe
- signcheck.exe
- smart.exe
- smartprotector.exe
- smc.exe
- smrtdefp.exe
- sms.exe
- smss32.exe
- snetcfg.exe
- soap.exe
- sofi.exe
- softsafeness.exe
- sperm.exe
- spf.exe
- sphinx.exe
- spoler.exe
- spoolcv.exe
- spoolsv32.exe
- spywarexpguard.exe
- spyxx.exe
- srexe.exe
- srng.exe
- ss3edit.exe
- ssg_4104.exe
- ssgrate.exe
- st2.exe
- start.exe
- stcloader.exe
- supftrl.exe
- support.exe
- supporter5.exe
- svc.exe
- svchostc.exe
- svchosts.exe
- svshost.exe
- sweep95.exe
- sweepnet.sweepsrv.sys.swnetsup.exe
- symlcnet.dll
- symlcsvc.exe
- symproxysvc.exe
- symtray.exe
- system.exe
- system32.exe
- sysupd.exe
- tapinstall.exe
- taskmgr.exe
- taumon.exe
- tbscan.exe
- tc.exe
- tca.exe
- tcm.exe
- tcore_ebook.dll
- tds-3.exe
- tds2-98.exe
- tds2-nt.exe
- teekids.exe
- tfak.exe
- tfak5.exe
- tfdtctt8.dll
- tgbob.exe
- titanin.exe
- titaninxp.exe
- tpsrv.exe
- trickler.exe
- trjscan.exe
- trjsetup.exe
- trojantrap3.exe
- trustwarrior.exe
- tsadbot.exe
- tsc.exe
- tvmd.exe
- tvtmd.exe
- ua80.exe
- uiscan.exe
- undoboot.exe
- updat.exe
- upgrad.exe
- upgrepl.exe
- utpost.exe
- vbcmserv.exe
- vbcons.exe
- vbe6.dll
- vbust.exe
- vbwin9x.exe
- vbwinntw.exe
- vcsetup.exe
- vet32.exe
- vet95.exe
- vettray.exe
- vfsetup.exe
- vir-help.exe
- virusmdpersonalfirewall.exe
- visthaux.exe
- visthlic.exe
- visthupd.exe
- vnlan300.exe
- vnpc3000.exe
- vpc32.exe
- vpc42.exe
- vpfw30s.exe
- vptray.exe
- vscan40.exe
- vscenu6.02d30.exe
- vsched.exe
- vsecomr.exe
- vshwin32.exe
- vsisetup.exe
- vsmain.exe
- vsmon.exe
- vsserv.exe
- vsstat.exe
- vswin9xe.exe
- vswinntse.exe
- vswinperse.exe
- w32dsm89.exe
- w3asbas.exe
- w9x.exe
- watchdog.exe
- webdav.exe
- webproxy.exe
- webscanx.exe
- webtrap.exe
- wfindv32.exe
- whoswatchingme.exe
- wimmun32.exe
- win-bugsfix.exe
- win32.exe
- win32us.exe
- winactive.exe
- winav.exe
- windll32.exe
- window.exe
- windows police pro.exe
- windows.exe
- wininetd.exe
- wininitx.exe
- winlogin.exe
- winmain.exe
- winppr32.exe
- winrecon.exe
- winservn.exe
- winss.exe
- winssk32.exe
- winssnotify.exe
- winssui.exe
- winstart.exe
- winstart001.exe
- wintsk32.exe
- winupdate.exe
- wkufind.exe
- wnad.exe
- wnt.exe
- wradmin.exe
- wrctrl.exe
- wsbgate.exe
- wscfxas.exe
- wscfxav.exe
- wscfxfw.exe
- wsctool.exe
- wupdater.exe
- wupdt.exe
- wyvernworksfirewall.exe
- xp_antispyware.exe
- xpdeluxe.exe
- xpf202en.exe
- zapro.exe
- zapsetup3001.exe
- zatutor.exe
- zonalm2601.exe
- zonealarm.exe
- ~1.exe
- ~2.exe
It also creates the following registry entries:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apitrap.dll
Sets value: "CheckAppHelp"
With data: "dword:00000001"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE
Sets value: "DisableHeapLookAside"
With data: "1"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE
Sets value: "GlobalFlag"
With data: "0x00200000"
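The Image File Execution Options technique above works because Windows, on seeing a Debugger value under a subkey named after an executable, launches the named debugger instead of that executable and passes the original command line to it. svchost.exe ignores the argument and exits, so the requested program simply never appears. The following script is an added example, not code from the Microsoft description: it enumerates every IFEO subkey, reports the Debugger values it finds, and classifies them by the tells this family leaves (svchost.exe as debugger, relative paths, debugger binaries that do not exist). The verdict strings and the -Remove switch are the example's own; with -Remove it deletes only the Debugger value and leaves the subkeys and other values (GlobalFlag, CheckAppHelp, DisableHeapLookAside) untouched. Run it elevated.

```powershell
# Added example, not from the Microsoft description: enumerates Image File Execution
# Options and reports every Debugger value. A Debugger value makes Windows start that
# program instead of the named executable, with the original command line appended;
# "svchost.exe" ignores the argument and exits, which is why Task Manager and the
# tools listed above appear to do nothing. Run elevated. -Remove deletes only the
# Debugger value from subkeys whose debugger is svchost.exe, is not a full path, or
# does not exist; the subkeys themselves and any other values are left in place.

param([switch]$Remove)

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebuggers {
    param([string]$Root)
    foreach ($key in Get-ChildItem -LiteralPath $Root -ErrorAction SilentlyContinue) {
        $dbg = (Get-ItemProperty -LiteralPath $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if (-not $dbg) { continue }
        # first token of the debugger command line, quotes removed
        $exe = if ($dbg -match '^\s*"([^"]+)"') { $Matches[1] } else { ($dbg.Trim() -split '\s+')[0] }
        $leaf = [System.IO.Path]::GetFileName($exe)
        $verdict = if ($leaf -ieq 'svchost.exe')                      { 'svchost.exe as debugger: target silently fails to start' }
                   elseif (-not [System.IO.Path]::IsPathRooted($exe)) { 'relative debugger path, resolved through PATH' }
                   elseif (-not (Test-Path -LiteralPath $exe))        { 'debugger binary does not exist' }
                   else                                               { 'review manually' }
        [pscustomobject]@{ Target = $key.PSChildName; Debugger = $dbg; Verdict = $verdict }
    }
}

$hits = @(Get-IfeoDebuggers -Root $ifeo)
if ($hits.Count -eq 0) { 'No IFEO Debugger values present.'; return }
$hits | Format-Table -AutoSize

if ($Remove) {
    foreach ($h in ($hits | Where-Object { $_.Verdict -ne 'review manually' })) {
        Remove-ItemProperty -LiteralPath (Join-Path $ifeo $h.Target) -Name Debugger
        "Removed Debugger value from $($h.Target)"
    }
}
```

On an infected machine the table will list several hundred targets from the list above, all with Debugger = svchost.exe. Entries that point at an existing full-path debugger (a just-in-time debugger registered by a development tool, for instance) fall into the "review manually" bucket and are never removed automatically. On 64-bit Windows, 32-bit processes read the same IFEO key, so one pass over the path above covers both.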
Analysis by Patrick Nolan