









W32/Fraudload.LP Trojan

| Name | W32/Fraudload.LP Trojan |
|---|---|
| Aliases | TR/Dldr.FraudLoad.FB, SHeur.BELL, Adware.FraudTool.A, TrojanDownloader.FraudLoad.fb, Downloader.FraudLoad.lp, Trojan-Downloader.Win32.FraudLoad.lp, Troj/Dorf-BB, Trojan.Packed.13, Trojan-Downloader.Win32.FraudLoad.fb, Trojan.Renos.Gen!Pac.10 and Trojan.Dldr.FraudLoad.FB |
| Discovered on | April 21, 2008 |

Virus Information - W32/Fraudload.LP Trojan:
W32/Fraudload.LP is a trojan that infects Windows systems.
The trojan is downloaded by an unsuspecting user from the following link:
www.win[blocked].com
Upon execution, the trojan installs itself as if it were a genuine program. It creates a folder named WinReanimator in the Program Files folder and, in the same process, drops the following files:

- unzip32.dll
- WinReanimator.exe
- htmlayout.dll
- WinReanimator.dll
- pthreadVC2.dll
- un.ico
- install.exe
- WinReanimator.cfg
- Microsoft.VC80.CRT\msvcr80.dll
- Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
- Microsoft.VC80.CRT\msvcm80.dll
- Microsoft.VC80.CRT\msvcp80.dll
- data\daily.cvd

It also drops braviax.exe, [random characters].dat and winivstr.exe in the Windows System folder.
The trojan modifies the registry at the following locations to load itself at each startup:

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKEY_USERS\(SID value)-1003\Software\Microsoft\Windows\CurrentVersion\Run

The trojan displays false system security threats in order to entice the user to pay for the licensed version of the program.
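
The file and registry indicators above can be checked against a host's file listing and exported Run-key values. The following triage sketch is an added example, not part of the original entry; the function names, the tuple layout for registry entries and the sample inventory are constructed for illustration. It assumes that "Windows System folder" means system32 (or system) and that the autostart value's data names one of the dropped executables.

```python
import re

# Indicators from the description above; matching is case-insensitive.
INSTALL_DIR = "winreanimator"                   # folder created under Program Files
SYSTEM_DROPS = {"braviax.exe", "winivstr.exe"}  # dropped in the Windows System folder
# The [random characters].dat file has no fixed name, so it is not matched.
RUN_KEY = re.compile(
    r"^(HKEY_LOCAL_MACHINE|HKEY_USERS\\[^\\]+)"
    r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)

def match_files(paths):
    """Return (path, reason) for every path that fits the dropped-file layout."""
    hits = []
    for path in paths:
        parts = [p for p in re.split(r"[\\/]+", path.lower()) if p]
        if len(parts) < 2:
            continue
        name, parents = parts[-1], parts[:-1]
        if INSTALL_DIR in parents and any(p.startswith("program files") for p in parents):
            hits.append((path, "under Program Files\\WinReanimator"))
        # Assumption: "Windows System folder" means system32 (or system).
        elif name in SYSTEM_DROPS and parents[-1] in ("system32", "system"):
            hits.append((path, "dropped executable in system folder"))
    return hits

def match_run_entries(entries):
    """Filter (key, value_name, data) tuples. Assumption: the autostart data
    names one of the dropped executables; the entry does not say which."""
    hits = []
    for key, value_name, data in entries:
        exes = set(re.findall(r'[^\\/"]+\.exe', data.lower()))
        if RUN_KEY.match(key) and exes & (SYSTEM_DROPS | {"winreanimator.exe"}):
            hits.append((key, value_name, data))
    return hits

# Constructed sample inventory, not captured from a real host.
RUN = r"\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_FILES = [
    r"C:\Program Files\WinReanimator\data\daily.cvd",
    r"C:\WINDOWS\system32\braviax.exe",
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\Users\a\Downloads\braviax.exe",
]
SAMPLE_RUN = [
    ("HKEY_LOCAL_MACHINE" + RUN, "sample1", r"C:\WINDOWS\system32\winivstr.exe"),
    ("HKEY_USERS\\S-1-5-21-1-2-3-1003" + RUN, "sample2",
     r'"C:\Program Files\WinReanimator\WinReanimator.exe"'),
    ("HKEY_LOCAL_MACHINE" + RUN, "sample3", r"C:\WINDOWS\system32\ctfmon.exe"),
]
```

A copy of braviax.exe outside the system folder is deliberately not flagged, since the entry only places it there; widen the path check if a broader sweep is wanted.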

