TrojanDropper:Win32/FakeFlexnet.A is a trojan that changes a certain Internet Explorer setting. It also attempts to connect to a certain website.
Installation
TrojanDropper:Win32/FakeFlexnet.A drops a copy of itself as "%windir%\System32\regw2.exe". It also drops the following files in the current folder:
The file "setup.bat" is a batch file that imports the registry file "setup.reg". The latter contains registry data that, when imported, registers the TrojanDropper:Win32/FakeFlexnet.A copy as a service by creating the following registry entries:
In subkey: HKLM\SYSTEM\ControlSet001\Services\FLEXnet Licensing Manager
Sets value: "Type"
With data: "dword:00000010"
Sets value: "Start"
With data: "dword:00000002"
Sets value: "ErrorControl"
With data: "dword:00000001"
Sets value: "ImagePath"
With data: "%windir%\System32\regw2.exe"
Sets value: "DisplayName"
With data: "FLEXnet Licensing Manager for Adobe Products"
Sets value: "ObjectName"
With data: "LocalSystem"
Sets value: "Description"
With data: "This service allows management of licensing for FLEXnet enabled products."
Sets value: "FailureActions"
With data: "hex:00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,53,00,65,00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00"
In subkey: HKLM\SYSTEM\ControlSet001\Services\FLEXnet Licensing Manager\Enum
Sets value: "Security"
With data: "hex:01,00,14,80,a4,00,00,00,b0,00,00,00,14,00,00,00,30,00,00,00,02,00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,00,00,02,00,74,00,05,00,00,00,00,00,14,00,9d,01,02,00,01,01,00,00,00,00,00,01,00,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00"
In subkey: HKLM\SYSTEM\ControlSet001\Services\FLEXnet Licensing Manager\Enum
Sets value: "0"
With data: "Root\\LEGACY_FLEXNET_LICENSING_MANAGER\\0000"
Sets value: "Count"
With data: "dword:00000001"
Sets value: "NextInstance"
With data: "dword:00000001"
TrojanDropper:Win32/FakeFlexnet.A also creates the following registry entry as part of its installation process:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Sets value: "DigitalVersion"
With data: "dword:00000001"
Payload
Changes Internet Explorer settings
TrojanDropper:Win32/FakeFlexnet.A changes Internet Explorer settings such that the computer does not show a warning when it encounters a website with a bad certificate:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "WarnonBadCertRecving"
With data: "dword:00000000"
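An added host check (not part of this encyclopedia entry) that a responder could run from an elevated PowerShell prompt to look for the service registration, dropped binary, installation marker and suppressed certificate warning described above. The key names, value names and file path come from the entry; the function names, the SHA-256 output and the decision to scan every ControlSet and every loaded user hive are this example's own assumptions.

```powershell
# Added example: read-only check for the TrojanDropper:Win32/FakeFlexnet.A
# artifacts described in the entry. Function names and output layout are
# assumed here; only the indicator names come from the entry.
function Get-FakeFlexnetIndicators {
    $found = New-Object System.Collections.Generic.List[object]
    function Add-Finding($what, $where, $detail) {
        $found.Add([pscustomobject]@{ Indicator = $what; Location = $where; Detail = $detail })
    }

    # Dropped service binary; record its hash so it can be submitted or blocked.
    $exe = Join-Path $env:windir 'System32\regw2.exe'
    if (Test-Path -LiteralPath $exe) {
        Add-Finding 'Dropped binary' $exe ((Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash)
    }

    # Service persistence: the entry names ControlSet001, but CurrentControlSet
    # may map to another set on a given machine, so check all of them.
    foreach ($cs in Get-ChildItem 'HKLM:\SYSTEM' | Where-Object PSChildName -like 'ControlSet0*') {
        $svcKey = "HKLM:\SYSTEM\$($cs.PSChildName)\Services\FLEXnet Licensing Manager"
        if (Test-Path -LiteralPath $svcKey) {
            $svc = Get-ItemProperty -LiteralPath $svcKey
            Add-Finding 'Service key' $svcKey "ImagePath=$($svc.ImagePath) Start=$($svc.Start) ObjectName=$($svc.ObjectName)"
        }
        $enumKey = "HKLM:\SYSTEM\$($cs.PSChildName)\Enum\Root\LEGACY_FLEXNET_LICENSING_MANAGER"
        if (Test-Path -LiteralPath $enumKey) { Add-Finding 'Legacy Enum key' $enumKey '' }
    }

    # Installation marker written under Windows NT\CurrentVersion.
    $nt = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name DigitalVersion -ErrorAction SilentlyContinue
    if ($null -ne $nt) { Add-Finding 'DigitalVersion value' 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion' $nt.DigitalVersion }

    # Certificate warning suppressed. The setting is per-user, so look at every
    # loaded hive under HKEY_USERS rather than only HKCU. Only an explicit 0 is
    # a finding: the value is normally absent, and the warning is then on.
    foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS') {
        $ie = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
        if (-not (Test-Path -LiteralPath $ie)) { continue }
        $v = (Get-ItemProperty -LiteralPath $ie -Name WarnonBadCertRecving -ErrorAction SilentlyContinue).WarnonBadCertRecving
        if ($v -eq 0) { Add-Finding 'WarnonBadCertRecving disabled' $ie $v }
    }
    return $found
}

$results = Get-FakeFlexnetIndicators
if ($results) { $results | Format-Table -AutoSize } else { 'No FakeFlexnet.A indicators found.' }
```

If the service key is found, stop and delete the service before removing the binary, and restore WarnonBadCertRecving to 1 (or delete the value) in each affected user hive so bad-certificate warnings are shown again.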
Connects to a website
TrojanDropper:Win32/FakeFlexnet.A attempts to connect to the following website:
Analysis by Rex Plantado