Effects
FakeDeath.A downloads several variants of Trojans from the Banker family to the affected computer and distributes them through the shared directories of chat programs (such as mIRC and My Shared Folder) and of P2P programs (such as eDonkey and KaZaA).
In order to do so, it follows the routine below:
- It gives the copies of the banker Trojans attractive names, so that they look like pirated software, cracks or adult videos. Note the double extensions (.RAR.SCR, .AVI.SCR): with the default Explorer setting that hides known extensions, the victim sees only the .RAR or .AVI part. Some of the names used are the following:
ADAWARE2008FULL.RAR.SCR
AHEAD_NERO_9_NEW!_FULL+CRACK.ZIP.SCR
ANTISPYWARE.RAR.SCR
ANTIVIRUS.RAR.SCR
CRACKJUEGOS.RAR.SCR
HACKEARSMS.RAR.SCR
ICQ_2008_NEW!_FULL+CRACK.ZIP.SCR
KEYGENNORTON.RAR.SCR
MAILER.RAR.SCR
MANDARSMSMEXICO.SCR
MEXICOCRACK.EXE
MODELOSSEXYS.AVI.SCR
ONLINESEX.EXE
PANDA2008.RAR.SCR
REGARGADECELULAR.EXE
SEXOGRATIS.EXE
SMSGRATIS.EXE
SUBSEVEN2008.RAR.SCR
VIDEOSXXX.AVI.SCR
VISTACRACK.RAR.SCR
WEBCAM.RAR.SCR
WEBCAMSGRATIS.EXE
WINAMPFULL.RAR.SCR
- Other users of these programs can access these shared directories remotely. In this way they voluntarily download files belonging to the banker Trojans, believing them to be useful programs, pirated software, etc.
- When a downloaded copy is run, the computer that ran it is infected with several variants of banker Trojans.
- The variants belonging to the Banker family are designed to obtain confidential information, such as passwords, from the affected computer.
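The double-extension trick used by the names above, as an added example (this is not code from the original entry): with Explorer's default "Hide extensions for known file types" setting, MODELOSSEXYS.AVI.SCR is shown as MODELOSSEXYS.AVI, so the victim believes a video was downloaded. A script that scans a shared directory can recover the real type and flag the pattern. The extension sets and the lure wordlist are illustrative choices made for this example, not a definitive list.

```python
"""Flag deceptive double-extension lure names in a shared directory.

Added example, not code from the original entry.  EXECUTABLE, DATA_LIKE and
LURE_WORDS are illustrative choices for this example.
"""

# Extensions Windows runs as programs (illustrative subset).
EXECUTABLE = {"exe", "scr", "com", "pif", "bat", "cmd"}
# Extensions a victim expects for archives, videos and documents (illustrative).
DATA_LIKE = {"rar", "zip", "avi", "mpg", "mp3", "jpg", "doc", "pdf"}
# Explorer hides the last extension when it is a registered type.
KNOWN = EXECUTABLE | DATA_LIKE
# Words that recur in the lure names listed in the entry (illustrative wordlist).
LURE_WORDS = ("crack", "keygen", "full", "gratis", "sex", "xxx", "2008")


def displayed_name(name):
    """What Explorer shows with 'Hide extensions for known file types' enabled."""
    stem, dot, ext = name.rpartition(".")
    if dot and stem and ext.lower() in KNOWN:
        return stem
    return name


def classify(name):
    """Return the reasons a filename looks like a lure (empty list if none)."""
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    inner = parts[-2] if len(parts) > 2 else ""
    reasons = []
    if ext in EXECUTABLE and inner in DATA_LIKE:
        # The real type is executable but the visible name ends in a data extension.
        reasons.append(f"executable disguised as .{inner} (shown as {displayed_name(name)})")
    elif ext == "scr":
        # A bare screensaver is still an executable; rare as a legitimate download.
        reasons.append("screensaver executable")
    stem = ".".join(parts[:-1]) if len(parts) > 1 else parts[0]
    hits = [w for w in LURE_WORDS if w in stem]
    if hits:
        reasons.append("lure words: " + ", ".join(hits))
    return reasons


def scan(names):
    """Map each flagged name to its reasons; names with no findings are omitted."""
    findings = {}
    for name in names:
        reasons = classify(name)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    # Constructed sample listing: three names from the entry plus one benign file.
    sample = ["MODELOSSEXYS.AVI.SCR", "MEXICOCRACK.EXE", "MANDARSMSMEXICO.SCR", "holiday.avi"]
    for name, reasons in scan(sample).items():
        print(f"{name:24} -> {'; '.join(reasons)}")
```

Run against a directory listing of the shared folders (e.g. the output of `os.listdir` on the eDonkey or KaZaA share); only the flagged names are returned.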
Additionally, it makes several modifications to the Windows Registry of the affected computer, with the following consequences:
- It disables the Task Manager, which prevents the user from viewing the processes that are running.
- It removes the Turn Off and Log Off options from the Start menu. As a result, the user cannot turn off the computer or log off through the Start menu.
- It prevents the user from changing the arrangement of items in the Start menu.
Infection strategy
FakeDeath.A creates the following files in the Windows directory; they belong to several variants of Trojans from the Banker family:
- 1-N.EXE
- SERVICES.EXE (the legitimate Windows SERVICES.EXE lives in the System32 subdirectory, not in the Windows directory itself, so the location distinguishes the two)
- a file with a random name.
FakeDeath.A creates the following entries in the Windows Registry:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr = 01, 00, 00, 00
It disables the Task Manager.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoClose = 1
It removes the Turn Off option from the Start menu and prevents the shutdown command from being run from the command shell (CMD.EXE).
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoLogOff = 1
It removes the Log Off option from the Start menu.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoChangeStartMenu = 1
It prevents items in the Start menu from being dragged and dropped.
FakeDeath.A modifies the following entries in the Windows Registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = Explorer.exe
It changes this entry to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = Explorer.exe %windir%\services.exe
where %windir% is the Windows directory.
By modifying this entry, the Banker variant SERVICES.EXE is run together with the shell every time a user logs on. Any value other than Explorer.exe in this entry is a persistence indicator worth checking.
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess
Start = 03, 00, 00, 00
It changes this entry to:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess
Start = 04, 00, 00, 00
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
Start = 03, 00, 00, 00
It changes this entry to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
Start = 04, 00, 00, 00
SharedAccess is the Windows Firewall/Internet Connection Sharing (ICS) service, and a Start value of 4 means Disabled. By disabling it through these two entries, FakeDeath.A leaves the shared resources of the affected computer exposed on the network.
- HKEY_CURRENT_USER\SessionInformation
ProgramCount = 05, 00, 00, 00
It changes this entry to:
HKEY_CURRENT_USER\SessionInformation
ProgramCount = 06, 00, 00, 00
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
DefaultConnectionSettings = 3C, 00, 00, 00, 33, 00, 00, 00, 09, 00, 00, 00, 0B, 00, 00, 00, 62, 69, 6F, 70, 72, 6F, 78, 79, 3A, 38, 30, 07, 00, 00, 00, 3C, 6C, 6F, 63, 61, 6C, 3E, 00, 00, 00, 00, 05, 00, 00, 00, 00, 00, 00, 00, F0, 23, 0C, DF, 0A, 81, C8, 01, 01, 00, 00, 00, C0, A8, 05, 80, 00, 00, 00, 00, 00, 00, 00, 00
It changes this entry to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
DefaultConnectionSettings = 3C, 00, 00, 00, 36, 00, 00, 00, 09, 00, 00, 00, 0B, 00, 00, 00, 62, 69, 6F, 70, 72, 6F, 78, 79, 3A, 38, 30, 07, 00, 00, 00, 3C, 6C, 6F, 63, 61, 6C, 3E, 00, 00, 00, 00, 05, 00, 00, 00, 00, 00, 00, 00, 80, BF, A5, 94, 89, 82, C8, 01, 01, 00, 00, 00, C0, A8, 8B, 80, 00, 00, 00, 00, 00, 00, 00, 00
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings = 3C, 00, 00, 00, 52, 00, 00, 00, 09, 00, 00, 00, 0B, 00, 00, 00, 62, 69, 6F, 70, 72, 6F, 78, 79, 3A, 38, 30, 07, 00, 00, 00, 3C, 6C, 6F, 63, 61, 6C, 3E, 00, 00, 00, 00, 05, 00, 00, 00, 00, 00, 00, 00, 90, F3, 50, DF, 35, 7E, C8, 01, 01, 00, 00, 00, C0, A8, 00, 82, 00, 00, 00, 00, 00, 00, 00, 00
It changes this entry to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings = 3C, 00, 00, 00, 56, 00, 00, 00, 09, 00, 00, 00, 0B, 00, 00, 00, 62, 69, 6F, 70, 72, 6F, 78, 79, 3A, 38, 30, 07, 00, 00, 00, 3C, 6C, 6F, 63, 61, 6C, 3E, 00, 00, 00, 00, 05, 00, 00, 00, 00, 00, 00, 00, 80, BF, A5, 94, 89, 82, C8, 01, 01, 00, 00, 00, C0, A8, 8B, 80, 00, 00, 00, 00, 00, 00, 00, 00
In both of these values the proxy server string (62 69 6F 70 72 6F 78 79 3A 38 30, i.e. "bioproxy:80") and the bypass list (3C 6C 6F 63 61 6C 3E, i.e. "<local>") are identical before and after the change, and the flags DWORD (09) keeps the PROXY bit (02) clear. The bytes that differ are the change counter (33 to 36 and 52 to 56), an 8-byte timestamp-like field and an embedded IPv4 address (C0 A8 05 80 and C0 A8 00 82 become C0 A8 8B 80). The recorded change therefore does not point the browser at a new proxy.
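To make the comparison above reproducible, here is a decoder for the DefaultConnectionSettings / SavedLegacySettings values, as an added example (not code from the original entry or from Panda). The byte strings are the four values quoted above. The header layout (version, change counter, flags DWORD, then three DWORD-length-prefixed strings: proxy server, bypass list, auto-configuration URL) is the well-known format of these values; the 32-byte trailer is not officially documented, so the FILETIME and IPv4 fields read from it below are an assumption (they decode to a 2008 date and a private address, which is consistent with the rest of the entry).

```python
"""Decode Internet Settings\\Connections blobs and diff the before/after values.

Added example, not code from the original entry.  Header layout is the known
format; the trailer interpretation (FILETIME + IPv4) is an assumption.
"""
import struct
from datetime import datetime, timedelta, timezone

# Flag bits of the third DWORD (WinINet PROXY_TYPE_* values).
FLAG_NAMES = {1: "DIRECT", 2: "PROXY", 4: "AUTO_PROXY_URL", 8: "AUTO_DETECT"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch


def from_hex_list(text):
    """Turn the 'XX, XX, ...' notation used in the entry into bytes."""
    return bytes(int(tok, 16) for tok in text.replace(",", " ").split())


def _read_str(blob, off):
    """Read a DWORD length followed by that many ASCII bytes."""
    (n,) = struct.unpack_from("<I", blob, off)
    off += 4
    return blob[off:off + n].decode("ascii", "replace"), off + n


def parse_connection_settings(blob):
    """Return the decoded fields of one DefaultConnectionSettings-style value."""
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    off = 12
    proxy, off = _read_str(blob, off)
    bypass, off = _read_str(blob, off)
    autoconfig, off = _read_str(blob, off)
    rec = {
        "version": version,
        "counter": counter,
        "flags": [name for bit, name in FLAG_NAMES.items() if flags & bit],
        "proxy": proxy,
        "bypass": bypass,
        "autoconfig_url": autoconfig,
    }
    trailer = blob[off:]
    if len(trailer) >= 24:
        # Assumed trailer layout: DWORD, DWORD, FILETIME, DWORD, IPv4 (not documented).
        _, _, filetime, _, ip = struct.unpack_from("<IIQI4s", trailer, 0)
        rec["timestamp"] = EPOCH_1601 + timedelta(microseconds=filetime // 10)
        rec["ipv4"] = ".".join(str(b) for b in ip)
    return rec


def diff_settings(before, after):
    """Names of the decoded fields that changed between two values."""
    a, b = parse_connection_settings(before), parse_connection_settings(after)
    return sorted(k for k in a if a[k] != b.get(k))


# The four values quoted in the entry (copied verbatim).
_COMMON = ("09, 00, 00, 00, 0B, 00, 00, 00, 62, 69, 6F, 70, 72, 6F, 78, 79, 3A, 38, 30, "
           "07, 00, 00, 00, 3C, 6C, 6F, 63, 61, 6C, 3E, 00, 00, 00, 00, 05, 00, 00, 00, "
           "00, 00, 00, 00, ")
DEFAULT_BEFORE = from_hex_list("3C, 00, 00, 00, 33, 00, 00, 00, " + _COMMON +
    "F0, 23, 0C, DF, 0A, 81, C8, 01, 01, 00, 00, 00, C0, A8, 05, 80, 00, 00, 00, 00, 00, 00, 00, 00")
DEFAULT_AFTER = from_hex_list("3C, 00, 00, 00, 36, 00, 00, 00, " + _COMMON +
    "80, BF, A5, 94, 89, 82, C8, 01, 01, 00, 00, 00, C0, A8, 8B, 80, 00, 00, 00, 00, 00, 00, 00, 00")
LEGACY_BEFORE = from_hex_list("3C, 00, 00, 00, 52, 00, 00, 00, " + _COMMON +
    "90, F3, 50, DF, 35, 7E, C8, 01, 01, 00, 00, 00, C0, A8, 00, 82, 00, 00, 00, 00, 00, 00, 00, 00")
LEGACY_AFTER = from_hex_list("3C, 00, 00, 00, 56, 00, 00, 00, " + _COMMON +
    "80, BF, A5, 94, 89, 82, C8, 01, 01, 00, 00, 00, C0, A8, 8B, 80, 00, 00, 00, 00, 00, 00, 00, 00")


if __name__ == "__main__":
    for label, blob in [("DefaultConnectionSettings (before)", DEFAULT_BEFORE),
                        ("DefaultConnectionSettings (after)", DEFAULT_AFTER)]:
        print(label, parse_connection_settings(blob))
    print("changed fields:", diff_settings(DEFAULT_BEFORE, DEFAULT_AFTER))
    print("changed fields:", diff_settings(LEGACY_BEFORE, LEGACY_AFTER))
```

The same decoder works on a live value read with `winreg.QueryValueEx` on the key above; a proxy hijack would show up as a changed `proxy` field or a newly set PROXY flag, which is not what the recorded bytes show.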
Means of transmission
FakeDeath.A reaches the computer in a file that uses a picture icon.
If this file is run, the user is redirected to a website displaying news published in 1997 about the fake death of Fidel Castro.
Additionally, it spreads through shared and mapped drives, making copies of itself in them.
Further Details
FakeDeath.A is written in Delphi 5. This worm is 30,208 bytes in size.