Swatkat's rants


Sunday, 22 July 2007

Fake Google Toolbar Installer

Posted on 05:24 by Unknown
Just came across a poorly detected trojan that creates a folder named Google inside the Program Files folder and copies a file named Googletoolbar1.dll into it. This DLL is registered as a BHO (Browser Helper Object) in Internet Explorer. Googletoolbar1.dll is a fake file, and only a few AVs detect it, as W32/Horst.gen25. The trojan dropper is named roin.exe and is detected by some AVs as Trojan-Dropper.Win32.Small.ayo or W32/Horst.gen25.dropper.

Files dropped by roin.exe are:
CTFRMON.EXE
kd678.exe
temp77726.exe
googletoolbar1.dll
exsetup.mcd
bipsetup.mcd
iexplore_32.exe
spoolw.exe
igfxsvc.exe
imfe.exe

The following HijackThis log extract shows the trojan's BHO and startup entries:
O2 - BHO: Google Toolbar Helper - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\googletoolbar1.dll
O4 - HKLM\..\Run: [crtfmon] C:\WINDOWS\CTFRMON.EXE
O4 - HKCU\..\Run: [spoolw] C:\WINDOWS\system32\spoolw.exe
O4 - HKCU\..\Run: [igfxsvc] C:\WINDOWS\system32\igfxsvc.exe
O4 - Startup: imfe.exe
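To turn the indicators above into something a responder can run over a whole HijackThis log, here is a small parser and matcher. It is an added example, not code from the post or from HijackThis: it parses O2 (BHO) and O4 (Run key / Startup folder) lines into records, flags any entry whose file name appears in the dropped-file list from this post, and, as a heuristic that is my own assumption rather than anything the post states, also flags file names that sit within a couple of edits of a legitimate Windows binary (ctfmon.exe, spoolsv.exe), which is how CTFRMON.EXE and spoolw.exe try to blend in. The sample log is the five lines from the post plus one constructed benign ctfmon.exe entry to show the look-alike check does not fire on the real thing.

```python
import re

# Dropped-file list taken from the post (files written by roin.exe).
DROPPED_FILES = {
    "ctfrmon.exe", "kd678.exe", "temp77726.exe", "googletoolbar1.dll",
    "exsetup.mcd", "bipsetup.mcd", "iexplore_32.exe", "spoolw.exe",
    "igfxsvc.exe", "imfe.exe",
}

# Legitimate Windows binaries the dropped names resemble.
# Assumption for the look-alike heuristic; this list is not from the post.
LEGIT_NAMES = {"ctfmon.exe", "spoolsv.exe"}
LOOKALIKE_MAX_EDITS = 2

# HijackThis line shapes handled here: O2 (BHO), O4 Run keys, O4 Startup folder.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<where>\S+): \[(?P<value>[^\]]+)\] (?P<path>.+)$")
O4_STARTUP_RE = re.compile(r"^O4 - Startup: (?P<path>.+)$")

# Constructed sample: the five lines from the post plus one benign entry.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\googletoolbar1.dll
O4 - HKLM\..\Run: [crtfmon] C:\WINDOWS\CTFRMON.EXE
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [spoolw] C:\WINDOWS\system32\spoolw.exe
O4 - HKCU\..\Run: [igfxsvc] C:\WINDOWS\system32\igfxsvc.exe
O4 - Startup: imfe.exe
"""


def parse_hjt_line(line):
    """Return a dict describing an O2/O4 line, or None for anything else."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        return {"kind": "O2", "name": m["name"], "clsid": m["clsid"], "path": m["path"]}
    m = O4_RE.match(line)
    if m:
        return {"kind": "O4", "location": m["where"], "value": m["value"], "path": m["path"]}
    m = O4_STARTUP_RE.match(line)
    if m:
        return {"kind": "O4", "location": "Startup", "value": None, "path": m["path"]}
    return None


def basename(path):
    """Last path component, lower-cased, so CTFRMON.EXE and ctfrmon.exe compare equal."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def edit_distance(a, b):
    """Levenshtein distance, used only for the look-alike heuristic."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(entry):
    """Return the list of reasons an entry is suspicious (empty list if none)."""
    name = basename(entry["path"])
    reasons = []
    if name in DROPPED_FILES:
        reasons.append(f"{name} is in the roin.exe dropped-file list")
    for legit in sorted(LEGIT_NAMES):
        if name != legit and edit_distance(name, legit) <= LOOKALIKE_MAX_EDITS:
            reasons.append(f"{name} looks like the legitimate {legit}")
    return reasons


def scan(log_text):
    """Parse every line of a HijackThis log and return (entry, reasons) for flagged ones."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            hits.append((entry, reasons))
    return hits


if __name__ == "__main__":
    for entry, reasons in scan(SAMPLE_LOG):
        print(entry["kind"], entry["path"])
        for r in reasons:
            print("   ", r)
```

Running it flags the five entries from the post and leaves the genuine ctfmon.exe Run entry alone; the BHO line is caught by the file-name match, since its display name and CLSID are the ones a real Google Toolbar install shows and cannot be used on their own to tell the fake apart.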
More information about this trojan can be found here.
