
Trojan.Win32.MicroFake.p

Detected Feb 03 2010 10:29 GMT
Released Feb 03 2010 21:13 GMT
Published Sep 20 2011 14:21 GMT

This description was created by experts at Kaspersky Lab. It contains the most accurate information available about this program.


Technical Details

A trojan program that carries out destructive actions on the user's computer. It is a Windows application (PE-EXE file), 8704 bytes in size, written in C++.


Payload

After launching, the trojan uses the system utility "sc.exe" to carry out the following command sequence:

sc.exe config wuauserv start= auto
sc.exe config BITS start= demand
sc.exe stop wuauserv
sc.exe config BITS start= disabled
sc.exe config wuauserv start= disabled
This stops and cancels the automatic launch of the "wuauserv" service (Windows Automatic Update service), and also cancels the automatic launch of the "BITS" service (Background Intelligent Transfer Service). The trojan then opens the following resource in the Internet Explorer browser:
http://windo***pdate.microsoft.com
The trojan then shuts down.
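
A detection sketch for the command sequence above, added here as an example and not part of the Kaspersky description: it scans process-creation events for "sc.exe" calls that leave both "wuauserv" and "BITS" disabled. The event tuple layout, the grouping by parent PID, and all sample events are constructed assumptions.

```python
import re
from collections import defaultdict

WATCHED = {"wuauserv", "bits"}  # services named in the description
# Matches "sc stop <svc>" and "sc config <svc> ... start= <type>".
SC_RE = re.compile(
    r'(?i)^\s*"?(?:[^"\s]*\\)?sc(?:\.exe)?"?\s+'
    r'(?:(?P<stop>stop)\s+(?P<s1>\S+)'
    r'|config\s+(?P<s2>\S+)\s+.*?\bstart=\s*(?P<start>\S+))')

def parse_sc(cmdline):
    """Return (service, action) for a watched service, else None."""
    m = SC_RE.match(cmdline)
    if not m:
        return None
    service = (m.group("s1") or m.group("s2")).strip('"').lower()
    if service not in WATCHED:
        return None
    action = "stop" if m.group("stop") else "start=" + m.group("start").lower()
    return service, action

def find_tampering(events):
    """Flag any (host, parent PID) whose sc.exe calls leave both services disabled."""
    final = defaultdict(dict)    # (host, ppid) -> {service: last start type}
    stopped = defaultdict(set)   # (host, ppid) -> services stopped
    for host, ppid, cmdline in events:
        parsed = parse_sc(cmdline)
        if parsed is None:
            continue
        service, action = parsed
        if action == "stop":
            stopped[(host, ppid)].add(service)
        else:
            final[(host, ppid)][service] = action  # later calls override earlier
    alerts = []
    for (host, ppid), state in final.items():
        disabled = sorted(s for s, a in state.items() if a == "start=disabled")
        if set(disabled) == WATCHED:
            alerts.append({"host": host, "parent_pid": ppid, "disabled": disabled,
                           "stopped": sorted(stopped[(host, ppid)])})
    return alerts

# Constructed events: (host, parent PID, command line). Grouping by parent PID is an assumption.
SAMPLE = [("WS01", 4120, c) for c in (
    "sc.exe config wuauserv start= auto", "sc.exe config BITS start= demand",
    "sc.exe stop wuauserv", "sc.exe config BITS start= disabled",
    "sc.exe config wuauserv start= disabled")] + [
    ("WS02", 880, "sc.exe config BITS start= disabled"),   # one service only
    ("WS02", 880, "sc.exe query wuauserv")]                 # read-only call
print(find_tampering(SAMPLE))
```

Only the final start type per service is compared, so a process that disables a service and then restores it is not flagged.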


Removal instructions

If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete it:

  1. Delete the original trojan file (its location on the infected computer will depend on how the program got onto the computer).
  2. Using the MMC (Microsoft Management Console) ("Services and applications\Services" tab), restore the startup parameters for the "wuauserv" and "BITS" services.
  3. Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases.


MD5: 2F0A719F90F423DBC2080803957CEB34
SHA1: 833A0DCC4770C9E982546F772351D316FE4A09BF


Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.


Aliases

Trojan.Win32.MicroFake.p (Kaspersky Lab) is also known as:

  • Mal/Generic-L (Sophos)
  • Trojan.Microfake (ClamAV)
  • SettingsModifier:Win32/Skipwuser.A (MS(OneCare))
  • Trojan.Siggen1.16790 (DrWeb)
  • Trojan.Generic.5390720 (BitDef7)
  • Trojan.Win32.MicroFake (Ikarus)
  • Generic16.AXHQ (AVG)
  • W32/Suspicious_Gen2.AMCQC (Norman)
  • Trojan.Win32.Generic!BT (Sunbelt)