Categories: Fake

About “Rogue:Win32/FakePAV” infection

The Rogue:Win32/FakePAV is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.

DOWNLOAD NOW

6-day free trial available.

What Rogue:Win32/FakePAV virus can do?

Attempts to connect to a dead IP:Port (1 unique times)
A process attempted to delay the analysis task.
A process created a hidden window
Drops a binary and executes it
Performs some HTTP requests
Unconventionial binary language: Urdu (Pakistan)
The binary likely contains encrypted or compressed data.
The executable is compressed using UPX
Looks up the external IP address
Uses Windows utilities for basic functionality
Attempts to restart the guest VM
Deletes its original binary from disk
Attempts to stop active services
Network activity contains more than one unique useragent.
Installs itself for autorun at Windows startup
Attempts to modify proxy settings
Creates a copy of itself
Attempts to disable UAC
Attempts to modify UAC prompt behavior
Uses suspicious command line tools or Windows utilities

Related domains:

z.whorecord.xyz

a.tomx.xyz

checkip.dyndns.org

redirector.gvt1.com

r3—sn-4g5ednsd.gvt1.com

update.googleapis.com

How to determine Rogue:Win32/FakePAV?


File Info:
crc32: 1264C230md5: 0a28317440a8d16bf7232782ed6c5f98name: 0A28317440A8D16BF7232782ED6C5F98.mlwsha1: 07c754a5458c0821e836f2f65508a023b9043b2dsha256: c786e131fb32d85dedc1f7920a9b8957ab479a9feef16c39d4002da7f10473a0sha512: 45882957d8f250233180f70c808b6af9b118d5da957ad3cc4afd7da47b4b0314ac3f6ae6a39dd41fb1aae66a61ee618218b4688431411102f2f96c0ed5d29556ssdeep: 24576:LZzR1RcOBZRCDu7Q3WM4YT6U5+QzH8mIeHAYE4:hCOBGDcQ3WgT6MHhrHXEtype: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Version Info:
LegalCopyright: HJF Copyright (C) 2013FileDescription: HJF LtdLegalTrademarks: HJF LtdComments: HJF LtdCompanyName: HJF LtdTranslation: 0x0420 0x04b0

Rogue:Win32/FakePAV also known as:

Bkav	W32.AIDetect.malware1
MicroWorld-eScan	Gen:Variant.Zusy.82997
FireEye	Gen:Variant.Zusy.82997
CAT-QuickHeal	Rogue.FakePAV.mue
McAfee	FakeAlert-FTG!0A28317440A8
Cylance	Unsafe
VIPRE	Trojan.Win32.WindowsExpertConsole.af (v)
Sangfor	Trojan.Win32.Crypt.XPACK
BitDefender	Gen:Variant.Zusy.82997
Cybereason	malicious.440a8d
Symantec	Trojan.FakeAV
APEX	Malicious
Avast	Win32:Adware-gen [Adw]
Kaspersky	HEUR:Trojan.Win32.Generic
NANO-Antivirus	Trojan.Win32.WindowsExpertConsole.cttbal
Rising	Rogue.FakePAV!8.D35 (CLOUD)
Ad-Aware	Gen:Variant.Zusy.82997
Emsisoft	Gen:Variant.Zusy.82997 (B)
Comodo	ApplicUnwnt@#1m8peep76jxrx
F-Secure	Trojan.TR/Crypt.XPACK.Gen7
DrWeb	Trojan.FakeAV.16756
Zillya	Dropper.Dapato.Win32.19958
TrendMicro	TROJ_FAKEAV.SML5
McAfee-GW-Edition	BehavesLike.Win32.DLSponsor.th
MaxSecure	Trojan.Malware.300983.susgen
Sophos	Mal/Generic-R + Mal/FakeAV-UM
Ikarus	Trojan-Dropper.Win32.Dapato
Jiangmin	TrojanDropper.Dapato.olf
Webroot	W32.Rogue.Gen
Avira	TR/Crypt.XPACK.Gen7
MAX	malware (ai score=84)
Antiy-AVL	Trojan[Dropper]/Win32.Dapato
Kingsoft	Heur.SSC.2745077.1216.(kcloud)
Microsoft	Rogue:Win32/FakePAV
Arcabit	Trojan.Zusy.D14435
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Gen:Variant.Zusy.82997
Cynet	Malicious (score: 85)
AhnLab-V3	Trojan/Win32.FakeAV.R97897
VBA32	BScope.TrojanRansom.Blocker
ALYac	Gen:Variant.Zusy.82997
Malwarebytes	Malware.AI.1258086964
Panda	Trj/CI.A
ESET-NOD32	a variant of Win32/Adware.WindowsExpertConsole.AL
TrendMicro-HouseCall	TROJ_FAKEAV.SML5
Tencent	Win32.Trojan-dropper.Dapato.Eom
Yandex	Trojan.GenAsa!a16Ond/CwYI
Fortinet	W32/FakeAV.AC!tr
BitDefenderTheta	Gen:NN.ZexaF.34590.jnKfaassphgi
AVG	Win32:Adware-gen [Adw]
Paloalto	generic.ml
Qihoo-360	Win32/Trojan.Multi.daf