Trojan-Spy.Win32.GreenScreen

October 4, 2008 on 11:16 am | In Malware analysis | 1 Comment

Trojan-Spy.Win32.GreenScreen is a real threat, but it is being used to scare users by what looks to be a new member of the FakeAlert family. The infection method is the usual Zlob one: fake codecs, or cracks/keygens.
To trick users into buying a so-called antivirus or antispyware application, it claims the computer has been infected with a Trojan that can store encrypted screenshots of the user's activity, so the malware writer can look at them whenever he wishes.
And of course it offers you the perfect “solution”.

One way to recognize the infection in a HijackThis log is the presence of a ShellServiceObjectDelayLoad (O21) entry with these characteristics:
O21 - SSODL: InfoUtilSh - {06F61173-2D9A-8BFA-E6CF-0427119F25AD} - C:\Program Files\fsrpikb\InfoUtilSh.dll
where InfoUtilSh can be anything: the name is random, but it is repeated in the filename.
There are a number of known CLSIDs; I will list the ones I have found so far further down.
The CLSID and the folder name ({06F61173-2D9A-8BFA-E6CF-0427119F25AD} and fsrpikb) are a pair, so you will find the same combination over and over, just with different filenames.
The folder names seen so far always consist of 6 or 7 letters.
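As an added example (not code from the original post), a small Python scanner that applies the recognition rules above to HijackThis log lines: it flags O21 entries whose CLSID is on the known list, and, for variants whose CLSID is not listed yet, entries whose name is repeated in the DLL filename under a 6- or 7-letter folder in Program Files. The sample log, the entry name SysDrvMon, the folder ztqmbe and the CLSID {ABCDEF01-...} are constructed; the WebCheck line is the standard Windows entry seen in most logs.

```python
import re

# Two of the CLSID/folder pairs quoted in the post (illustration, not the full list).
KNOWN_PAIRS = {
    "{06F61173-2D9A-8BFA-E6CF-0427119F25AD}": "fsrpikb",
    "{089B34BF-7B9F-72C8-B009-02836522926D}": "kaijrnf",
}

# "O21 - SSODL: <name> - {CLSID} - <path>"; HijackThis prints " - ", but logs
# pasted into forums or blogs often arrive with an en dash instead.
O21_RE = re.compile(
    r"^O21\s*[-\u2013]\s*SSODL:\s*(?P<name>.+?)\s*[-\u2013]\s*"
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
    r"\s*[-\u2013]\s*(?P<path>.+?)\s*$"
)
# The layout described in the post: a 6-7 letter folder directly under
# Program Files, containing a DLL named after the O21 entry.
PATH_RE = re.compile(
    r"^[A-Za-z]:\\Program Files\\(?P<folder>[A-Za-z]{6,7})\\(?P<file>[^\\]+)\.dll$",
    re.IGNORECASE,
)

def classify_o21(line):
    """Return the reasons an O21 line matches this FakeAlert pattern ([] = nothing matched)."""
    m = O21_RE.match(line.strip())
    if not m:
        return []
    name, clsid, path = m.group("name"), m.group("clsid").upper(), m.group("path")
    reasons = []
    pm = PATH_RE.match(path)
    if clsid in KNOWN_PAIRS:
        reasons.append("known CLSID")
        if pm and pm.group("folder").lower() == KNOWN_PAIRS[clsid]:
            reasons.append("CLSID/folder pair matches")
    # Heuristic for not-yet-listed CLSIDs: random name repeated in the filename
    # AND a short random-looking folder under Program Files (both must hold).
    if pm and pm.group("file").lower() == name.lower():
        reasons.append("entry name repeated in filename under %d-letter Program Files folder"
                       % len(pm.group("folder")))
    return reasons

def scan_log(text):
    """Return [(line, reasons)] for every line of a HijackThis log that raised a reason."""
    flagged = []
    for ln in text.splitlines():
        reasons = classify_o21(ln)
        if reasons:
            flagged.append((ln, reasons))
    return flagged

# Constructed sample log: one O4 line, the standard WebCheck O21 entry, one listed
# pair from the post, and one constructed variant with an unlisted CLSID.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\\WINDOWS\\system32\\webcheck.dll
O21 - SSODL: InfoUtilSh - {06F61173-2D9A-8BFA-E6CF-0427119F25AD} - C:\\Program Files\\fsrpikb\\InfoUtilSh.dll
O21 – SSODL: SysDrvMon – {ABCDEF01-2345-6789-ABCD-EF0123456789} – C:\\Program Files\\ztqmbe\\SysDrvMon.dll
"""
```

Note that WebCheck also has its name repeated in its filename; it is not flagged because the DLL lives under system32, which is why the folder check and the name check are applied together.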

PC Threat.com has a description with a screenshot of the fake message.

A list of known CLSIDs and the accompanying folder names:

