Trojan.DL.FraudLoad.ONN

Alias:	Trojan-Downloader.Win32.FraudLoad.wspk, Win32/TrojanDownloader.FakeAlert.AJT, TrojanDownloader:Win32/Renos, TROJ_FAKEAV.BLV
Length:	13.312 bájt
Date of appearance/update:	2009 September
Category:	Trojan
Virus database:	Virus database v10.112.49

Incidence:

High

More informations:

After running, the malware copies itself to the following locations:

C:\Documents and Settings\{user}\Application Data\seres.exe
C:\Documents and Settings\{user}\Application Data\svcst.exe

Then it creates a registry entry for automatic start-up:

HKEY_CURRENT_USER\Run:
mserv=C:\Documents and Settings\{user}\Application Data\seres.exe
svchost=C:\Documents and Settings\{user}\Application Data\svcst.exe

Then it displays the following message on the tray:

> Your computer is infected!

> Windows has detected spyware infection!

> It is recomended to use special antispyware tools to pervent data loss.Windows will now download and install the most up-to-date a ntispyware for you.

> Click here to protect your computer from spyware!

Finally, it downloads a fake antivirus application from one of the following domains:

utorganedoskaw_com
rtugamertobes_com
lersolamaderg_com
oravabustorabe_com
obuleskinodab_com
nebrasofertu_com
ertanuskayert_com
bulerkosedasko_com
abumasotkamid_com

Viruslab

Trojan.DL.FraudLoad.ONN

Further informations

Details