Trojan.Win32.MicroFake.p

Technical Details
Payload
Removal instructions

Technical Details

A trojan program that carries out destructive actions on the user's computer. It is a Windows application (PE-EXE file). 8704 bytes. Written in C++.

Payload

After launching, the trojan uses the system utility "sc.exe" to carry out the following command sequence:

sc.exe config wuauserv start= auto
sc.exe config BITS start= demand
sc.exe stop wuauserv
sc.exe config BITS start= disabled
sc.exe config wuauserv start= disabled

This stops and cancels the automatic launch of the "wuauserv" service (Windows Automatic Update service), and also cancels the automatic launch of the "BITS" service (Background Intelligent Transfer Service). The trojan then opens the following resource in the Internet Explorer browser:

http://windo***pdate.microsoft.com

The trojan then shuts down.

Removal instructions

If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:

1. Delete the original trojan file (its location on the infected computer will depend on how the program got onto the computer).
2. Using the MMC (Microsoft Management Console) ("Services and applications\Services" tab), restore the startup parameters for the "wuauserv" and "BITS" services.
3. Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (download trial version).

MD5: 2F0A719F90F423DBC2080803957CEB34
SHA1: 833A0DCC4770C9E982546F772351D316FE4A09BF

Summary

• Trojan. Performs actions that are typical of malicious programs

• Implements network activity

Technical details

File size of 8704 bytes.

Installation

Creates the following files on an infected computer:

• Windows directory (usually, C:\Windows)%Windir%\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab
• Windows directory (usually, C:\Windows)%Windir%\SoftwareDistribution\WebSetup\wuident.cab
• Windows directory (usually, C:\Windows)%Windir%\SoftwareDistribution\WebSetup\wsus3setup.cab

Malicious activity

Modifies (deletes) Windows system files:

• Windows directory (usually, C:\Windows)%Windir%\WindowsUpdate.log
• Windows directory (usually, C:\Windows)%Windir%\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\wuredir.cab

Connects to to the following Internet addresses:

• ***.0.0.1:8212

Creates unique identifiers to flag its presence in the system

• Global\WindowsUpdateTracingMutex

Uses the masks shown below to search for files on the victim machine:

• NPOJI*.dll
• NPJava*.dll
• NPJPI*.dll

Other activities

Runs the following files (commands):

• \"sc.exe\" config wuauserv start= auto
• \"sc.exe\" config BITS start= demand
• \" Standard directory for programs installed on Windows OS (usually, C:\Program Files)%Program Files%\Internet Explorer\iexplore.exe \" http://windowsupdate.microsoft.com

Modifies the system registry keys:

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{E19F9331-3110-11D4-991C-005004D3B3DB} ] "(default)" = "Java Plug-in 1.3.0_02"

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{E19F9331-3110-11D4-991C-005004D3B3DB}\InprocServer32 ] "(default)" = " Standard directory for programs installed on Windows OS (usually, C:\Program Files)%Program Files%\Java\jre6\bin\jp2iexp.dll"

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{E19F9331-3110-11D4-991C-005004D3B3DB}\InprocServer32 ] "ThreadingModel" = "Apartment"

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA} ] "(default)" = "Java Plug-in 1.3.0_03"

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}\InprocServer32 ] "(default)" = " Standard directory for programs installed on Windows OS (usually, C:\Program Files)%Program Files%\Java\jre6\bin\jp2iexp.dll"

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}\InprocServer32 ] "ThreadingModel" = "Apartment"

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA} ] "(default)" = "Java Plug-in 1.3.0_04"

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}\InprocServer32 ] "(default)" = " Standard directory for programs installed on Windows OS (usually, C:\Program Files)%Program Files%\Java\jre6\bin\jp2iexp.dll"

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}\InprocServer32 ] "ThreadingModel" = "Apartment"

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA} ] "(default)" = "Java Plug-in 1.3.0_05"

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}\InprocServer32 ] "(default)" = " Standard directory for programs installed on Windows OS (usually, C:\Program Files)%Program Files%\Java\jre6\bin\jp2iexp.dll"

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}\InprocServer32 ] "ThreadingModel" = "Apartment"

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} ] "(default)" = "Java Plug-in 1.3.1"

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}\InprocServer32 ] "(default)" = " Standard directory for programs installed on Windows OS (usually, C:\Program Files)%Program Files%\Java\jre6\bin\jp2iexp.dll"

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}\InprocServer32 ] "ThreadingModel" = "Apartment"

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA} ] "(default)" = "Java Plug-in 1.3.1_01"

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}\InprocServer32 ] "(default)" = " Standard directory for programs installed on Windows OS (usually, C:\Program Files)%Program Files%\Java\jre6\bin\jp2iexp.dll"

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}\InprocServer32 ] "ThreadingModel" = "Apartment"

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB} ] "(default)" = "Java Plug-in 1.3.1_01"

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}\InprocServer32 ] "(default)" = " Standard directory for programs installed on Windows OS (usually, C:\Program Files)%Program Files%\Java\jre6\bin\jp2iexp.dll"

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}\InprocServer32 ] "ThreadingModel" = "Apartment"

Deletes the following system registry keys:

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{E19F9331-3110-11D4-991C-005004D3B3DB} ]

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{E19F9331-3110-11D4-991C-005004D3B3DB}\InprocServer32 ]

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA} ]

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}\InprocServer32 ]

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA} ]

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}\InprocServer32 ]

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA} ]

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}\InprocServer32 ]

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} ]

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}\InprocServer32 ]

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA} ]

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}\InprocServer32 ]

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB} ]

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}\InprocServer32 ]

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} ]

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}\InprocServer32 ]

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB} ]

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}\InprocServer32 ]

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA} ]

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}\InprocServer32 ]

[ System registry hive HKEY_CURRENT_USERHKCU\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB} ]