Trojan.Win32.FraudPack.amqa
From Total Malware Info
This trojan performs destructive actions on the victim's computer. It is a Windows PE executable (EXE file), 59,904 bytes in size, written in C++.
Payload
Once launched, the trojan reads the "DigitalProductId" value (the Windows product ID) from the registry key:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion]
The trojan then determines the path of the print processor directory and extracts a dynamic library from its body to:
%System%\spool\prtprocs\w32x86\SMWinPrn.dat
This file is 16,896 bytes and is detected by Kaspersky Anti-Virus as Win32.Patched.fr. The trojan then checks whether the "Spooler" service is running and starts it if it is not. Next, the trojan abuses the Print Spooler service to evade behavioural protection: it calls the AddPrintProcessor() API function, which makes the spooler load the extracted library ("SMWinPrn.dat") as a print processor inside the trusted printing process spoolsv.exe, so the malicious code runs in the context of a legitimate system process. After this, the trojan deletes the library from disk. The trojan creates the following registry keys:
[HKLM\Software\Settings]
CryptoHash = <hex>
ErrorControl = <hex>
CoreSettings = <hex>
HashSeed = <hex>
DriveSettings = <hex>
where <hex> is a set of values in hexadecimal notation.
[HKLM\System\CurrentControlSet\Enum\Root\LEGACY_SFC\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "sfc"
[HKLM\System\CurrentControlSet\Enum\Root\LEGACY_SFC\0000]
Service = "sfc"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "sfc"
[HKLM\System\CurrentControlSet\Enum\Root\LEGACY_SFC]
NextInstance = 0x00000001
[HKLM\System\CurrentControlSet\Services\sfc\Enum]
0 = "Root\LEGACY_SFC\0000"
Count = 0x00000001
NextInstance = 0x00000001
[HKLM\System\CurrentControlSet\Services\sfc]
Type = 0x00000001
The LEGACY_SFC and Services\sfc entries register a service named "sfc"; Type = 0x00000001 is SERVICE_KERNEL_DRIVER, i.e. a kernel-mode driver service.
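The print-processor loading described above is a general persistence and evasion technique, not specific to this sample. The following PowerShell audit is an added example (it is not part of the original description and not the trojan's code). It goes beyond this one sample: it checks both spooler environments, cross-references the registered print processors with the files on disk, and lists what spoolsv.exe has mapped. The registry and directory paths follow the Windows spooler's standard layout; treating only registered, Microsoft-signed .dll files as expected is an assumption of this script and should be tuned to the environment.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original description: audit the print-processor
# mechanism for both spooler environments. Paths follow the Windows spooler's
# standard layout; "registered + Microsoft-signed + .dll" as the only expected
# state is this script's assumption.

function Test-PrintProcessorEnvironment {
    param([string]$EnvName, [string]$SubDir)
    $regBase = "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\$EnvName\Print Processors"
    $ppDir   = Join-Path $env:SystemRoot "System32\spool\prtprocs\$SubDir"
    if (-not (Test-Path $regBase)) { return }
    "== $EnvName ($ppDir) =="

    # Registered processors: each subkey's "Driver" value names a DLL in $ppDir.
    # A registration whose DLL is gone is what "load, then delete the file" leaves behind.
    $registered = @{}
    foreach ($key in Get-ChildItem $regBase -ErrorAction SilentlyContinue) {
        $driver = (Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue).Driver
        if (-not $driver) { "[!] $($key.PSChildName) has no Driver value"; continue }
        $registered[$driver.ToLowerInvariant()] = $key.PSChildName
        if (-not (Test-Path (Join-Path $ppDir $driver))) {
            "[!] $($key.PSChildName) -> $driver is missing on disk (dangling registration)"
        }
    }

    # Files on disk: unsigned, non-Microsoft, non-.dll or unregistered files stand out
    # (a dropped SMWinPrn.dat fails every one of these checks).
    foreach ($file in Get-ChildItem $ppDir -File -ErrorAction SilentlyContinue) {
        $sig = Get-AuthenticodeSignature $file.FullName
        $msSigned = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*Microsoft*')
        $regName  = $registered[$file.Name.ToLowerInvariant()]
        $why = @()
        if (-not $msSigned)             { $why += "signature $($sig.Status)" }
        if (-not $regName)              { $why += 'not registered' }
        if ($file.Extension -ne '.dll') { $why += 'unexpected extension' }
        if ($why) { "[!] $($file.FullName): $($why -join ', ')" }
    }
}

Test-PrintProcessorEnvironment -EnvName 'Windows NT x86' -SubDir 'w32x86'
Test-PrintProcessorEnvironment -EnvName 'Windows x64'    -SubDir 'x64'

# Modules mapped in spoolsv.exe from any prtprocs directory, or whose backing
# file no longer exists; reading modules of a SYSTEM process needs elevation,
# and a 32-bit shell cannot read a 64-bit process, hence the try/catch.
$prtprocs = Join-Path $env:SystemRoot 'System32\spool\prtprocs'
foreach ($proc in Get-Process spoolsv -ErrorAction SilentlyContinue) {
    try { $mods = $proc.Modules } catch { "[?] cannot read modules of PID $($proc.Id): $_"; continue }
    foreach ($m in $mods) {
        if ($m.FileName -like "$prtprocs\*" -or -not (Test-Path -LiteralPath $m.FileName)) {
            "[i] spoolsv.exe PID $($proc.Id) has loaded $($m.FileName)"
        }
    }
}
```

On a clean system the only findings should be the built-in winprint processor and its DLL; anything else in the prtprocs directory, any registration pointing at a missing file, and any non-System32 module inside spoolsv.exe is worth a second look.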
Removal Instructions
If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:
- Delete the original trojan file (its location on the infected computer will depend on how the program originally penetrated the victim machine).
- Stop the printing service "Spooler".
- Terminate the process "spoolsv.exe" using the Task Manager.
- Delete the following file, if it exists:
%System%\spool\prtprocs\w32x86\SMWinPrn.dat
- Delete the registry key:
[HKLM\Software\Settings]
- Delete the values in the registry keys:
[HKLM\System\CurrentControlSet\Enum\Root\LEGACY_SFC\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "sfc"
[HKLM\System\CurrentControlSet\Enum\Root\LEGACY_SFC\0000]
Service = "sfc"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "sfc"
[HKLM\System\CurrentControlSet\Enum\Root\LEGACY_SFC]
NextInstance = 0x00000001
[HKLM\System\CurrentControlSet\Services\sfc\Enum]
0 = "Root\LEGACY_SFC\0000"
Count = 0x00000001
NextInstance = 0x00000001
[HKLM\System\CurrentControlSet\Services\sfc]
Type = 0x00000001
- Perform a full system scan using an antivirus (download a trial version).
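The removal steps above, as a PowerShell script with a report-only mode and a verification pass. This is an added example, not part of the original description. The path of the original trojan file is not known from the description and must be supplied by hand. The script also removes the print-processor registration that AddPrintProcessor() creates, which the steps above do not mention; since the description does not give the processor name, it is matched by its Driver value "SMWinPrn.dat", and that matching is an assumption. Looking for the dropped file under both w32x86 and x64 is likewise an added precaution.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original description: scripted removal of the
# indicators listed above. Assumptions: the dropper path is supplied by the
# operator; the AddPrintProcessor() registration is identified by its Driver
# value "SMWinPrn.dat" (the processor name is not given in the description).
param(
    [string]$DropperPath,   # original trojan file, if known
    [switch]$ReportOnly     # show what would be done, change nothing
)

$spool  = Join-Path $env:SystemRoot 'System32\spool\prtprocs'
$files  = @("$spool\w32x86\SMWinPrn.dat", "$spool\x64\SMWinPrn.dat")
$keys   = @(
    'HKLM:\Software\Settings',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SFC',
    'HKLM:\SYSTEM\CurrentControlSet\Services\sfc'
)
$ppEnvs = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'

function Invoke-Step([string]$What, [scriptblock]$Do) {
    if ($ReportOnly) { "would: $What"; return }
    "doing: $What"
    try { & $Do } catch { "  failed: $_" }
}

# Stop the spooler, which unloads the print processor, and kill a lingering spoolsv.exe.
Invoke-Step 'stop Spooler service' { Stop-Service Spooler -Force -ErrorAction Stop }
Invoke-Step 'terminate spoolsv.exe' { Get-Process spoolsv -ErrorAction SilentlyContinue | Stop-Process -Force }

# Delete the original trojan file (if its path is known) and the dropped library.
foreach ($f in @($DropperPath) + $files) {
    if ($f -and (Test-Path -LiteralPath $f)) {
        Invoke-Step "delete $f" { Remove-Item -LiteralPath $f -Force }
    }
}

# Delete the registry keys listed in the description (LEGACY_SFC and Services\sfc whole).
foreach ($k in $keys) {
    if (Test-Path $k) { Invoke-Step "delete $k" { Remove-Item $k -Recurse -Force } }
}

# Remove any print-processor registration whose Driver points at the dropped file.
Get-ChildItem "$ppEnvs\*\Print Processors\*" -ErrorAction SilentlyContinue |
    Where-Object { (Get-ItemProperty $_.PSPath).Driver -ieq 'SMWinPrn.dat' } |
    ForEach-Object {
        $pk = $_.PSPath
        Invoke-Step "delete print processor $($_.PSChildName)" { Remove-Item $pk -Recurse -Force }
    }

# Verify before bringing the spooler back.
$left = @($files + $keys | Where-Object { Test-Path $_ })
if ($left) { 'indicators still present:'; $left | ForEach-Object { "  $_" } }
else       { 'no indicators remain' }
if (-not $ReportOnly) { Start-Service Spooler }
```

Run it once with -ReportOnly to see what it would touch. The Enum\Root\LEGACY_* keys are typically writable only by SYSTEM, so if their removal reports access denied, run the script as SYSTEM (for example via psexec -s) or adjust the key's ACL first. The final antivirus scan from the list above is not replaced by this script.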