Virus Alert: Trojan.Favadd

Trojan.Favadd is a Trojan that modifies Internet Explorer's home page settings so that the browser connects to malicious Web sites.

Affected operating systems

Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Description
When executed, Trojan.Favadd performs the following tasks:

1. Writes a file named crcspider.ico to the Windows directory:

%Windir%\crcspider.ico

2. Adds the values:

"ButtonText" = "Search cracks at CrackSpider.NET"
"MenuText" = "Search cracks at CrackSpider.NET"
"MenuStatusBar" = "Search cracks at CrackSpider.NET"
"ClSid" = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"
"Default Visible" = "Yes"
"Exec" = "[URL on the domain crackspider.net]"
"HotIcon" = "%Windir%\crcspider.ico"
"Icon" = "%Windir%\crcspider.ico"

to the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{10954C80-4F0F-11d3-B17C-00C0DFE39736}

3. Adds the value:

"{10954C80-4F0F-11d3-B17C-00C0DFE39736}" = "8193"

to the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping

4. Adds the value:

"SearchAssistant" = "[URL on the domain crackspider.net]"

to the following registry key, to modify the Internet Explorer home page:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search

5. Adds the value:

"Search Bar" = "[URL on the domain crackspider.net]"

to the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

6. Creates a folder named "cracks" in IE's Favorites folder. This folder contains the following links and annotations:

! TheBUGS.ws - Security Related Portal
[URL on the domain thebugs.ws]

!! CrackSpider.NET - Cracks search engine
[URL on the domain crackspider.net]

allseek.info - The Underground portal
[URL on the domain allseek.info]

anyCracks.com - Keygens, patches, crack
[URL on the domain anycracks.com]

Astalavista - Cracks search engine
[URL on the domain astalavista.thebugs.ws]

bestserials.com - Best serials
[URL on the domain bestserials.com]

CrackPortal.com - Cracks, serial number
[URL on the domain crackportal.com]

CrackSpider.DE - Cracks search engine
[URL on the domain crackspider.de]

CrackSpider.US - Cracks search engine
[URL on the domain crackspider.us]

CrackWay.com - Since 2001 cracks arhive
[URL on the domain crackway.com]

iCracks.net - Keygens, patches, crackz.
[URL on the domain icracks.net]

KeyGen.US - Keygens, patches, crack ...
[URL on the domain keygen.us]

mscrack.com - Cracks, serial numbers ...
[URL on the domain mscracks.com]

The Trojan also adds a link button to IE's toolbar. This button links to the domain crackspider.net.
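The registry changes in steps 2 to 5 can be checked offline against a registry export of the affected user's Internet Explorer key. The following Python is an added example, not part of the original alert; the function names, the sample export and the placeholder URL path in it are constructed for illustration.

```python
import re

# Indicators copied from the advisory text; registry names are case-insensitive.
EXT_GUID = "{10954C80-4F0F-11d3-B17C-00C0DFE39736}"
IE = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer"
DOMAIN, ICON = "crackspider.net", "crcspider.ico"

def parse_reg(text):
    """Parse .reg export text into {key: {value_name: data}}, names lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := re.match(r'"([^"]*)"=(.*)$', line)):
            # Strip surrounding quotes and undo the .reg escaping of backslashes.
            current[m.group(1).lower()] = m.group(2).strip('"').replace("\\\\", "\\")
    return keys

def find_favadd(text):
    """Return (key, value_name, data) for every Trojan.Favadd change found."""
    keys, hits = parse_reg(text), []
    def check(subkey, name, needle=None):
        data = keys.get((IE + subkey).lower(), {}).get(name.lower())
        if data is not None and (needle is None or needle in data.lower()):
            hits.append((IE + subkey, name, data))
    ext = "\\Extensions\\" + EXT_GUID
    check(ext, "Exec", DOMAIN)                    # step 2: toolbar button target
    check(ext, "Icon", ICON)
    check(ext, "HotIcon", ICON)
    check("\\Extensions\\CmdMapping", EXT_GUID)   # step 3: presence is enough
    check("\\Search", "SearchAssistant", DOMAIN)  # step 4
    check("\\Main", "Search Bar", DOMAIN)         # step 5
    return hits

# Constructed sample export (not from a real machine); the URL path is a placeholder.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{10954C80-4F0F-11d3-B17C-00C0DFE39736}]
"Exec"="http://crackspider.net/PLACEHOLDER"
"Icon"="C:\\WINDOWS\\crcspider.ico"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping]
"{10954C80-4F0F-11d3-B17C-00C0DFE39736}"=dword:00002001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Bar"="http://search.example.com/"
'''
if __name__ == "__main__":
    print(*find_favadd(SAMPLE), sep="\n")
```

Regedit writes version 5.00 exports as UTF-16, so read the file with encoding="utf-16" before passing its text to find_favadd. The benign "Search Bar" value in the sample is not reported because its data does not point at the domain named in the alert.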

Recommendation

  • Turn off and remove unnecessary services on the system. By default, many operating systems install unneeded services, such as FTP servers, telnet, and Web servers. These services have long exposed weaknesses that attackers take advantage of to attack the computer.

  • Keep up to date with the latest patches, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS.

  • Tighten the password policy. Using complex passwords will make it difficult for programs to crack passwords on your computer. Doing this will also reduce the damage caused by the computer being compromised.

  • Configure e-mail servers to block or remove e-mail attachments that are often exploited by viruses to spread: .vbs, .bat, .exe, .pif, and .scr.

  • Isolate the infected computer to prevent the virus from spreading within your organization. Carry out a system audit and back up data.

  • Tell employees not to open e-mail attachments unless they come from a safe and verifiable source. Also, do not run software downloaded from the Internet unless it has been scanned by antivirus software. Browsers are no longer safe, and sometimes ordinary web browsing alone is enough to infect the computer.

Prevention

The following are the preliminary steps for cleaning the virus from the system:

  • Disable System Restore (Windows Me / XP).

  • Update the antivirus software.

  • Run a full system scan (Full Scan) and delete all files detected as Trojan.Favadd.

  • Delete the values added by the virus to the registry.

  • Reset the Internet Explorer home page.

  • Reset the IE search page.

  • Remove the link button added to the IE toolbar.