Fake-AV Downloader.G

[Serangan Antivirus Palsu]

Sumber Informasi : http://virusindonesia.com/2011/01/04/fakeav-downloader-g-serangan-antivirus-palsu/

FakeAV-Downloader.G. Mungkin Anda sering mendownload freeware/shareware kemudian di-install di komputer Anda, tetapi bagaimana jika software tersebut membutuhkan serial/kode registrasi sampai-sampai tidak bisa di hapus / Uninstall, software seperti itu sudah tentu sangat mengganggu pengguna.

Belakangan ini kami beberapa kali mendapat email dari pembaca yang mengirimkan contoh malware yang berbeda dari biasanya. Sebab sebagian besar sample yang kami terima adalah berupa worm atau virus, sedangkan kali ini berupa sebuah “antivirus”.

A. File Info

Nama: FakeAV-Downloader.G
Asal: Unknown
Ukuran File: 1.60 MB (1,678,848 bytes)
Packer: Unknown
Pemrograman: C++
Icon: Menyerupai aplikasi security
Tipe: Trojan

B. Nama Malware
Sebelumnya kami sudah mendapat beberapa variant FakeAV-Downloader. Kemampuan malware tipe trojan ini adalah menggunakan tipuan untuk mendownload file “update database ” yang menjadi ciri khas antivirus pada umumya. Dengan membawa nama antivirus ternama, membuat user yang mungkin sedang kebingungan karena adanya malware di komputernya, justru akan mendapatkan dua kali serangan malware setelah menjalankan antivirus palsu ini.
C. Companion/File yang dibuat

Setelah aktif di memory, worm ini membuat banyak file dengan ekstensi (.dll / .exe) dan menggunakan nama yang acak ke 3 sub folder seperti:
C:\WINDOWS
aBrIFiyQY.dll, afkwBOhfD.exe, afquDuSe.dll, AGwUU.dll, AjuFji.exe, akVsP.exe, AnPaaALRR.exe, aQqQvPN.dll, AtfsLI.dll, awcem.exe, bgKeWbwU.exe, BgLnlO.dll, BsDWukH.exe, BSnefB.exe, bWhJW.dll, BXYvBEp.dll, ccnCqsRo.exe, cdqfmoM.dll, cfaTbp.exe, CKXEmbjib.exe, CmBbh.exe, CNiHDxDwk.dll, cQYKCVFkV.dll, CSuMVRH.exe, dEEEXcLT.exe, dGMQP.dll, DImtrGPAh.dll, DIUjfK.exe, DkmRlQmD.exe, dNCAI.dll, DTiOxoTum.dll, dYFRUqLgF.exe, eBNkLHSmN.exe, ecuPs.exe, ECWBNfk.dll, edXRCm.dll, EFBVQAdib.dll, efrqPeo.exe, egMHvnNwT.dll, egyrSYL.dll, EmUHiPR.dll, eyodBod.exe, fbIJXj.dll, FBtDOQfjT.dll, frjdMgiV.dll, FTqiwuCNU.dll, fuiLaC.exe, fvFtSVaY.exe, GJpbfeo.exe, gktQf.exe, GliCKeGC.dll, gPddt.exe, gPpdhsOVd.dll, gWlIcuti.exe, GXaoKW.exe, HaGREENVw.dll, HdbwsAr.exe, HEcKGq.exe, hILgt.dll, HLAsaxb.exe, hpDsUt.dll, HqhyOwV.exe, HuJsHFNsA.exe, huvkc.exe, HwGRRrn.exe, HwUqxV.exe, iArtpwytN.exe, IGIiISQko.dll, iHgOF.dll, iJJqW.dll, IKkmH.exe, InfDwuwe.dll, IoQDHPOj.exe, IsWnrCrly.dll, ItgqUQbo.dll, itjVCtL.exe, JcPwG.exe, JHJUN.exe, jlonQ.dll, jMAksN.exe, jMFqDG.exe, JPLNfAK.exe, jQxkkPf.dll, JRAxfO.dll, JTlWNL.dll, jugPP.dll, jXYtXUj.exe, KAgtbOFFN.dll, KBloSFpn.dll, KhrXlOS.dll, KMqGkNT.dll, KNQiXI.dll, kpSfYcxn.exe, ksQLWnPx.dll, KWaIhRmA.dll, KxsSqtGA.exe, KYVMvVf.dll, LBuivMO.exe, LJmVHyOy.exe, LmUieVCvD.exe, LOXNbcBF.exe, LWQrT.exe, mauLRra.exe, mCwVvgOyW.dll, meMVntQFr.exe, MfDXDaJQp.dll, MGpLf.exe, mJbPnAuWP.exe, mNxJATC.dll, mraVnDWM.dll, mSgaBF.exe, namoxNBgw.exe, NJCjVdag.exe, NKdcmk.exe, NMseyXJMQ.exe, NodmP.exe, NOPbhF.exe, NUOcVEo.dll, nXQxMRcyS.dll, ODDMIA.dll, OhkaPAiI.dll, oKiWewDae.dll, oMmDa.exe, omWuQ.dll, ooyJFpTc.exe, OTUCA.exe, pAdUilHN.dll, pjOUr.exe, pktdIUu.dll, pktFHi.dll, pLXOdVy.dll, PPuypaOJ.dll, PQtyRvk.exe, PTyReeJU.exe, PViqt.dll, Qjrwm.dll, qtDolISh.dll, raDqPUexB.dll, rerByB.exe, RHDSlOv.exe, RlFKIkH.exe, RliLfdFHL.dll, RtrcuR.exe, rVXusVD.dll, SgkDXf.dll, SJfrRY.dll, skCxwOmy.exe, SlrKjdOq.dll, SmfBiLAf.dll, sNPwFfPOj.exe, SNqTC.exe, SQgjVglrM.exe, StUDfXter.exe, sUASnms.dll, SwQovYS.dll, system32, SYvri.exe, TaoYkr.dll, TCNpuAy.dll, tGfkbAB.dll, TiXpucJ.dll, ToXmTp.exe, TrUHIN.exe, tSRiJyj.dll, TsTAsj.exe, TTdMFkTsD.exe, tTsuAJKo.exe, TUHCB.dll, UcUYAFVwd.exe, UEbknsR.dll, UGUSTr.dll, UjkKUNO.exe, UkcHyW.exe, ulVvcuChS.dll, uOoliMG.exe, uphGP.exe, uSnsSBC.exe, UtaiFoBhj.dll, uWYbeol.dll, UYEat.dll, VBOvTFIqF.exe, vnEansH.exe, VnITeRBdk.exe, VNXRbF.exe, VqvHhXn.exe, vuvceLU.exe, VXIATUn.exe, wAcFLkD.dll, wbNJOmAmf.dll, WCREYPiw.dll, WftBouxoB.dll, whJUeN.exe, wIOYUHnEN.exe, WKVfq.exe, WloJS.exe, wTBHxhXT.dll, WtuvvJ.exe, wXcsGlYUR.exe, xbhVDpG.exe, xDpClu.dll, XDqFU.dll, xiEbUMtT.dll, xjNJOCA.dll, xkDStBF.exe, XLBHexa.exe, xPdVmRsO.exe, xQxQW.dll, xrJwUGpHX.exe, ycEYX.dll, ycPxP.dll, yDgYSBuXd.exe, yEGERbv.dll, yFWmoaLVX.exe, yIohLsGwt.exe, ylkLe.dll, YNCEPCXH.dll, Ypvhabw.exe, YurrpofWI.exe, YVGdkkA.dll, YwgoKMGF.dll
C:\WINDOWS\system32
AdFlu.dll, AGjIdq.dll, aHRKi.dll, AHsLUuiMN.exe, aIVjcAttD.dll, AkFtDVnIE.exe, aUKFFg.dll, ayGUb.exe, BcLJPDG.exe, bHCcPTtKl.dll, BhttmUcP.exe, bjQqAD.exe, BkXOXDIB.exe, BQKnMsiVy.exe, bWnMkEd.dll, BxepYyifS.dll, CGBJBNvx.exe, cGdHWxJeD.dll, CGhKQU.dll, ChQmMf.exe, cKQKUCps.dll, CkSIKHOKJ.exe, cmjtEJqB.dll, COwlR.dll, cQppfna.dll, CSowpmpOI.exe, CUhYx.exe, CvBFvmke.dll, DBjQM.exe, DJMJtU.dll, dJXTsn.exe, dKIqLHS.dll, doBuRK.dll, doFaKtxuU.dll, dQAKEFi.dll, DreYJ.dll, drivers, DtuQdUWB.exe, DXKxL.dll, DXnJDfiPs.exe, EACqQUCqw.exe, edqlMs.exe, EePVD.dll, eeYhpf.exe, EkLQL.dll, eLQDQG.dll, emjAJqqb.exe, EnOuyTKtw.exe, eoHtAjuk.exe, EPBsp.dll, ePgSNgbW.exe, faQcO.dll, faxDfcf.exe, FCDRbv.exe, fgcoFELjP.exe, fhIet.dll, FKDcA.exe, fMCmSmLf.exe, fnOfeyx.dll, fNVASnQ.dll, FQIxI.dll, FVBDB.dll, fvMUXM.dll, gFAhnXA.dll, GhnTwNMv.dll, GjkNjJ.exe, GKFoBJR.dll, gKHlVXTw.dll, gKxpIn.dll, GKYnurg.exe, gOqCPK.dll, gSnhtAoVC.dll, GSnugOp.exe, gsOpmYt.exe, GwCajJkS.exe, GWTbLMy.exe, GxbIv.exe, GyqPy.exe, HcDwIssoN.dll, hCffwqlPd.dll, HCRUw.exe, hCYGxcNr.exe, HGgXSe.dll, HKiSWgrp.dll, HmausKg.dll, hPGJi.exe, HrbTG.dll, iAflL.dll, iBAhXd.dll, IDEyEm.exe, IdUFBIkk.exe, ieMQPM.dll, igKBB.exe, iGNbKeG.exe, iGwHEMs.exe, IHvJao.dll, IIbqp.dll, iMXNBjkJ.exe, iPmkHTskQ.dll, IqUfOdX.exe, iREuARmf.exe, IrnRpOyO.dll, IshSDTqIw.dll, itRATcUa.exe, IugcCkHFk.dll, IwaEH.exe, IwJQohoLR.dll, iwwkHLots.exe, JCgICwbju.exe, JCqhGLnOB.exe, jdhSv.dll, jfpLlJTY.dll, JHNVxRjeP.exe, jIobcI.dll, jjSpveaa.exe, JNKVtC.dll, JQhwAggo.exe, jRHvGn.exe, JTMEOG.dll, JUmCjkS.dll, jvCTLGa.exe, JxDaBEl.dll, KAAMR.exe, kahWCv.exe, KBlxa.exe, kcdnIIj.exe, kGfBshwIh.dll, KGuXAjXS.dll, KmLJeRdan.dll, KqyqLCrS.exe, kSjCRs.dll, kSohW.dll, kSVFShpu.dll, KTgwRxL.exe, KVRMk.exe, kWdxYTR.exe, kWhocx.dll, LcoXSDf.exe, LGvhMKcpE.dll, LsTld.dll, lSXnxdDO.dll, lVkuL.dll, lYcGuHn.dll, MbwkuyDU.dll, mdtrO.exe, mHxIb.exe, MlYsiACC.dll, MRBJHpwk.dll, mULwnXcCJ.dll, muoseJ.dll, Muway.dll, NbnWk.exe, ncrWr.exe, ndeKXf.exe, nflFxatSA.exe, NGlDI.exe, nidwofS.exe, nIhSEPOCJ.exe, nJoNxb.exe, NOdUONtOQ.exe, nvLchJp.exe, NvxeXSmbx.exe, nxgdWadc.dll, OAgPP.dll, Ochfcem.dll, OhJQAYOc.exe, OiXgfgie.dll, OJnQABDLX.dll, OnjMQof.dll, OvrsdU.exe, OYOioF.exe, oYYNLEo.dll, PjPSrYM.exe, pLmxyu.dll, PnjarnfGu.exe, PpDRwE.dll, pPXbiJ.dll, PQskqYnX.exe, pWvnrvRW.dll, qEkUl.exe, QEXsyG.exe, qJXuJTPLb.dll, QvMIDpQk.dll, rBDVU.exe, RFkVUXL.exe, rFWhWQK.exe, RjFPEf.exe, rKWQdaCTE.exe, rnlXjp.exe, rNUpKVf.exe, rqnbfqee.exe, RSrwt.dll, RTCXhIhD.exe, rWEuG.dll, RXiwBdi.dll, SdoPWuxM.dll, seLtwjRQc.exe, SibvFf.dll, sJCkkoa.exe, smXWxug.dll, SnjVj.exe, srXlObet.dll, SvNelnOmd.exe, sxGcvX.dll, tanMCob.dll, tdOXkAqcu.dll, TEddcY.exe, tEmQDr.exe, Tfkqqdys.dll, TjwUlFt.exe, TlOEum.exe, tmdgc.exe, tNhMSJO.exe, TOIRNm.exe, tTfFXxOU.dll, TXpQq.exe, tyaePbhl.exe, uabhXfsj.dll, ufrclvJ.dll, UhaMfU.dll, uMPbG.exe, UPKnqEe.dll, uQBLufvl.dll, UXIHqkHJ.exe, VCaUxDAM.exe, vCSKMoVhH.exe, vHdmMjqy.exe, vOMhQucuJ.dll, vVCHo.exe, VxdnLJJ.dll, wBIKgUq.dll, WfABWQ.dll, wjhMnn.exe, WJord.dll, wlQtlFG.exe, WOmIUjkUY.exe, WrpQhNG.exe, XcMnkcy.dll, xDmMbwp.exe, xkjALe.dll, XkJIXcK.dll, xnLEOfou.exe, xnqCJ.exe, XTKXb.exe, XvSnm.exe, XYqHWe.exe, YdFjVF.exe, YDNUWEjDf.dll, YGxtyy.exe, yrfyvGP.exe, yvychuMC.exe
C:\WINDOWS\system32\drivers
AaUat.exe, aIoyuM.dll, aQdTu.dll, aWetMxvmP.exe, axfFtwra.dll, BasbyV.dll, Bcatx.exe, BEBJoS.dll, biCYNieU.exe, BKJFxDWrO.dll, BLfTvhA.dll, BtXiWvRT.exe, bXUlSmkM.exe, CbDTi.dll, cbgHTEYj.exe, chNSUtN.exe, CIvEF.dll, ckWVO.dll, cmbtnBb.dll, CnbvdFe.dll, CNgWSRB.exe, coIfhHPqR.dll, CrFfNcSdt.exe, cThUXJOV.dll, Cuvbeb.exe, DCNGSrb.dll, dhBAvLsBW.dll, dMOgf.dll, DNSjlFRn.dll, doHlNaSe.dll, dQCvkuV.exe, dsvtcVXc.dll, DTQHG.dll, EiOeM.dll, EJQUXAhBL.exe, eoHDGMV.dll, EoqAibh.dll, EsbPexXyG.exe, fCjAw.exe, FDEaqvrEt.dll, fdoHD.exe, ffdEq.dll, FJGXkwxoG.dll, fkCPSy.exe, fsTkkqD.exe, gCQgE.exe, GfTVcnlJ.exe, GGuuKlShh.exe, ggxCasODW.dll, gIvFQL.dll, GMlIjJ.dll, GqOOd.dll, GSVaS.dll, gUrJmp.dll, gXmfF.exe, GycNUj.dll, hALpPKJ.exe, HeqJNRGr.exe, hfDArFjX.dll, HHuarT.dll, HMtPXAniS.dll, hmtUeIJXL.exe, hOJbRbdat.exe, hpQAtlv.exe, hrEpSH.exe, HsLMOHTkh.exe, Hsmdw.exe, ibPwYwRNw.dll, IBuNlp.dll, icHWPAfXQ.exe, ifNpGyvk.exe, iIpWGM.exe, iKoLM.dll, illtmQP.exe, IsOvYbmL.exe, iYHDRH.dll, IYpTQnq.exe, JayutaGif.dll, JBSyLVV.exe, jeKhQkfuR.dll, jFlcUbsL.dll, jHKoJy.dll, jHPtJm.dll, JLsPswNa.dll, JMcly.dll, JoGyIgxog.exe, JpEkwBMw.dll, JTlPJbmGJ.dll, jtrDGeyCP.dll, jTYQN.dll, JVeGQMN.exe, JyIGecY.dll, JYlWQxpj.exe, jyopY.dll, KBPicSRw.dll, KibBCTdE.dll, kIDCblr.dll, KjokykXBV.exe, kjwIoj.exe, kOWsOSiv.exe, kPeJVjfQ.exe, krSbSX.exe, KsARfcADm.dll, kTxXWeMf.dll, KVNiDGy.exe, kvVkQ.exe, kyAXcqKTF.exe, LdsETEgfb.dll, LfPrRa.exe, LjTCi.dll, LKeuq.dll, LLmhM.dll, LLtDDXn.dll, lnbgkij.exe, LRoRNIMV.exe, MbkbmqOXp.dll, mDyTUlNYy.exe, MiGUqqywP.exe, mioYTJFha.dll, mKeWgXg.exe, MKsxvOo.dll, mqWrGGFn.exe, mUibhYO.dll, MYXaLJF.exe, NcDlJNWub.dll, NIhidXBGU.dll, NjVXaid.dll, nLPqB.dll, NMFGxXk.exe, NmSxLP.exe, NmTxBAJfR.exe, NUilI.exe, nyFFuaf.exe, OfUnknnvx.exe, OhCPa.exe, okdipND.exe, oLjYsGxqd.dll, OXLJfk.exe, PQAkvF.exe, prOWIRJ.dll, PTCnbbCEO.exe, pxabO.dll, QalAJBrTL.exe, QdOal.dll, qDRjBfcy.dll, qFrtL.dll, QGjuDf.exe, QnhQJ.dll, QRMyQJ.dll, QvrPMy.dll, RclRxyxfv.dll, RdviJRH.dll, RgkNQPp.exe, rJfRTrXC.dll, rlEyOBO.dll, ROqGadwe.exe, RsJpnAAQx.dll, RUStuuKp.dll, RwCAlcegD.dll, rwUoJlbG.exe, RXBCtDfF.dll, SCKKV.dll, SdyqsReyD.dll, SEfpPJ.dll, sFqOdas.exe, SHcPbj.dll, shNhWL.dll, SIMnls.dll, SnvXLcD.exe, SoaXUwnF.exe, SPMRCRYY.exe, sQQjqEqoP.exe, sTefHT.dll, swiWIs.dll, SWOSlR.dll, tGsmbmA.dll, tiGNRS.dll, tihFLXTw.exe, tikYwoXbX.exe, tJPEvul.dll, TKjkfyg.dll, TNageYk.dll, TOXIaj.dll, TVMmwTRi.exe, TwOVe.dll, tyKdGUnG.exe, uijnjW.exe, UKRceHpYR.dll, uQqYHkv.dll, UrNycc.dll, uTWnwpnl.exe, uwNhgfNgW.dll, VBrpheQHl.exe, vIXOH.exe, VjYyJ.dll, vqgafQ.exe, vrQIBO.dll, vsNIT.exe, VxoWqBTk.exe, vybMN.exe, VYnPBUoc.dll, WAhFt.exe, wAXGQYGXH.dll, wDBdocRj.dll, WgnvDiRbT.dll, wIqyCOM.exe, wKpgWTw.exe, wlGlYOd.dll, wlnPpfhK.dll, wPnqGPG.dll, WQsOSQarN.dll, WRaDp.exe, WreLeH.dll, WWBbulRe.exe, XcjXdLh.exe, XFImnkJGF.exe, XGpNyeFgV.exe, XKIEmFs.exe, xLoLpyL.exe, XLxrEaH.exe, xpgTxyKYF.exe, XpoXMwj.exe, xTiMuDDw.exe, xwrOd.dll, xWybDVX.dll, xxwlqARQS.exe, Xynuy.exe, YeBma.exe, yKdGhFLC.exe, yrbAm.exe, yuDKyrD.dll, YUhfr.dll
D. Hasil Infeksi

FakeAV-Downloader.G ini mecoba melakukan koneksi ke beberapa website yang beberapa sudah tidak aktif.
Selain koneksi, malware ini juga memiliki kemampuan seperti worm yang memperbanyak companionnya seperti yang sudah di jelaskan di atas. Agar pertahanan dan penyamarannya lebih terlihat sempurna, beberapa fungsi Windows di-disable seperti Task Manager, agar seakan mencirikan bahwa komputer yang sudah terinfeksi memang benar-benar terinfeksi malware lain. FakeAV-Downloader.G juga membuat beberapa pesan seperti: