Thursday, February 17, 2011

Interesting Registry Keys with FakeAV Infection

So there I was (don't you love it when a story starts like that?), arriving at work recently when I was asked to look at a co-workers laptop that was infected with a fake antivirus program. Another co-worker had already done what I would have done, in that he ran MalwareBytes (MBAM) on the machine. However, I was surprised that MBAM hadn't even detected the infection. Neither had the installed real antivirus, Microsoft Security Essentials.

Upon starting the laptop and logging, I was greeted by the fake antivirus, "AntiViraAv".  Of course, it started pretending to scan the hard drive and began presenting the traditional dire warnings of fatal virus infection and so on. I had read about this one on the S!Ri.URZ recently, so I went back and read that post again. It said running MBAM would fix the problem, although in our case it hadn't.  I ran MBAM again, along with Super AntiSpyware, but again nothing was detected.  MBAM is usually my go-to program for stuff like this, so I was surprised that hadn't worked.  I took the machine to my forensics office, removed the hard drive and attached it via usb cable to another machine and ran MBAM and Vipre Antivirus against it, again coming up empty.

I pulled the registry files and took a look at the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key, finding an obviously suspicious entry listed showing "podnkiwd: "C:\DOCUME~1\<USERNAME>\LOCALS~1\Temp\lyxnxvrky\rciprogsika.exe."  Okay, this isn't the interesting part. Lots of different malware programs insert something in the Run key.

But that's not what I wanted to tell you about.

I wound up finding two copies of the malware with identical MD5 hashes, one in the Local Settings\Temp folder called "6.129952833419995E7.exe" and the other in a newly created folder called "lyxnxvrky" inside the Temp folder .This new folder contained the "rciprogsika.exe" file referenced above and it is identical in every way, except its name, to the "6.129952833419995E7.exe." I decided to test the malware further to see what all happened. I submitted it to VirusTotal and found that only 17 of the 43 scanners there detected it. Based on that plus the fact MBAM didn't recognize it, I believe this is a newer variant of the AntiViraAV rogue AV. As of this writing, my submission is still the only one for this particular version at VirusTotal.

So you're probably wondering, what's the big deal. What was interesting to me may not mean much, but I hadn't seen it before. Seasoned malware experts and incident responders may have seen the other registry additions/modifications I'm about to describe, so this may not be anything earth shattering. You have been warned.

I set up a Windows XP virtual machine in VMWare Workstation and placed a copy of the "6.129952833419995E7.exe" file in the Local Settings\Temp folder. I ran RegShot, got my baseline and then executed the malware file. Nothing visible happened, unless you were looking in the Local Settings folder. However, all sorts of things were happening in the Registry.

Three new keys were created in the registry:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
  • HKEY_CURRENT_USER\Software\g043oqxanu
Also, the following four keys had some new values added to them. The last one I already knew about, but the first three were new to me and seemed especially interesting. I had never seen them before and still have only a partial idea of their purpose. I have not researched them yet, but it looks like perhaps this has the net effect of setting a policy for the user lowering Windows guard with .exe files. Again, this is only a semi-educated guess. That's only a guess, but I'll be doing further research in that area soon. If anyone out would know and like to share, I'd love to hear.

  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
    • RunInvalidSignatures = 0x00000001
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
    • LowRiskFileTypes = ".exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
    • SaveZoneInformation = 0x00000001
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • rqluxpqp = "%Temp%\lyxnxvrky\rciprogsika.exe"
Finally, the value in this key was changed from "yes" to "no".
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
    • CheckExeSignatures ="no"
At this point, the executable had still never done anything visible to the user. I decided to reboot the VM and see if the fake AV finally reared it's ugly head. Again, nothing happened. I hadn't had an active network connection for the AV and I wondered if perhaps it would wait for one before showing up.  I activated the network and rebooted. This time I was greeted by this:

My intent now is to learn a bit more about those new registry keys and values.

EDIT:  By the way,  the MD5 for this file is c6a3a4477e17570a5c1da58e34312b4b


  1. Awesome post. I haven't seen that behavior before either.

  2. Ken,

    I blogged about the keys and references to how they are used by the OS...

  3. Thanks, Harlan. I meant to add a post here mentioning you had done that and completely forgot. Thanks for the info!