McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
Create Account | Login  | What is TrustedSource?
 
Home  Threats and Trends  Malware Information
TrustedSource™ Query
Enter IP address, domain name or URL to check reputation/traffic patterns:
Search
 


Malware Information

Malware nameTrojan.PSW.Frethog.AJ.2
TypeTrojan
Affected platformWin32
Media-Typeapplication/executable
MD5 checksum7E0F15F8840B937B91ADC75BF6C2E0D8
Static fileyes
Filesize103,973 Bytes
Alias names
(also known as)
Webwasher ProactiveWin32.Malware.gen!86
SophosTroj/PWS-AVL
McAfeePWS-Gamania.gen.c
CA ETrustWin32/Frethog.BZW
Protection
Webwasher ProactiveDatabase Version: 101
Side effects
  • Downloads a malicious file
  • Drops malicious files
  • Lowers security settings
  • Registry modification

Description:

Files

It copies itself to the following locations:
%drive%\2fiji.com
• %SYSDIR%\ckvo.exe



It deletes the initially executed copy of itself.



The following files are created:

%drive%\autorun.inf This is a non malicious text file with the following content:
%code that runs malware%

– %SYSDIR%\ckvo0.dll



It tries to download a file:

– The location is the following:
• http://ghy67.com/xmfx/**********
At the time of writing this file was not online for further investigation.
Registry

One of the following values is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• "kamsoft"="%SYSDIR%\ckvo.exe"



The following registry keys are changed:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
Connections]
New value:
• "DefaultConnectionSettings"=hex:46,00,00,00,04,00,00,00,09,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,00,00,00,00,00,80,2F,FD,CD,D2,77,CA,01,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,02,00,00,00,C0,A8,6B,64,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
New value:
• "Hidden"=dword:0x00000002
• "ShowSuperHidden"=dword:0x00000000

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\Hidden\SHOWALL]
New value:
• "CheckedValue"=dword:0x00000000

File details

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.
McAfee Homepage | Contact | Privacy Policy

Copyright © 2007-2009 McAfee, Inc. All Rights Reserved.

THE DATA IS FURNISHED, "AS IS" WITHOUT ANY WARRANTY OF ANY KIND, AND MCAFEE® HEREBY DISCLAIM ALL WARRANTIES, EXPRESS, IMPLIED OR STATUTORY INCLUDING, WITHOUT LIMITATION, ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND ANY WARRANTIES AS TO NON-INFRINGEMENT, AND IN NO EVENT SHALL MCAFEE® BE LIABLE FOR COSTS OF PROCURING SUBSTITUTE GOODS. IN NO EVENT WILL MCAFEE® BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, INCIDENTAL, EXEMPLARY, OR OTHER DAMAGES WHETHER OR NOT MCAFEE® HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.