TrojanDownloader:Win32/FakeVimes is the downloading component of Win32/FakeVimes, a family of rogue security programs that claim to scan for malware, display fake warnings of “malicious programs and viruses”, and then tell the user they must pay to register the software in order to remove these non-existent threats.
Members of the Win32/FakeVimes family use various filenames and system modifications that can differ from one variant to the next. Win32/FakeVimes has been distributed with several different names. The user interface and some other details vary to reflect each variant’s individual branding.
When executed, TrojanDownloader:Win32/FakeVimes copies itself under a variable file name to the %temp% folder and sets the following registry entry to ensure it runs when Windows starts:
Adds value: <variable value>
With data: <%temp%\TrojanDownloader:Win32/FakeVimes executable>
To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
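A defender checking for this persistence mechanism needs to look at the RunOnce key for values whose data points into the temp folder. The following is an added example (not code from the original write-up or from Microsoft): a small parser for a `reg export` of that key, with a constructed sample export in place of real data; the value names and paths in the sample are made up.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of what `reg export` of the RunOnce key might produce
# after the downloader installs its launch entry. Names and paths are invented;
# the middle entry is a benign-looking control case.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ffd9a2c1"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\ffd9a2c1.exe"
"UpdateHelper"="C:\\Program Files\\Vendor\\helper.exe /silent"
"gt5k"="%temp%\\gt5k.exe"
"""

RUNONCE_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"

# Launch paths that live in the user's temp folder, either spelled out
# (...\Temp\...) or via the %temp% environment variable.
TEMP_LAUNCH = re.compile(r"(%temp%|\\Temp\\)", re.IGNORECASE)

# Matches a .reg string value: "name"="data", where quotes and backslashes
# inside name/data are escaped with a backslash.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\\\ -> \\ and \\" -> \" ."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax needed here: [key] headers and
    REG_SZ values written as "name"="data". Returns {key: {name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_temp_runonce_entries(reg_text: str) -> List[Tuple[str, str]]:
    """Return (value name, data) for RunOnce values that launch something
    from the temp folder, the pattern this downloader uses."""
    keys = parse_reg_export(reg_text)
    hits: List[Tuple[str, str]] = []
    for key, values in keys.items():
        if key.lower() != RUNONCE_KEY.lower():
            continue
        for name, data in values.items():
            if TEMP_LAUNCH.search(data):
                hits.append((name, data))
    return hits


if __name__ == "__main__":
    for name, data in find_temp_runonce_entries(SAMPLE_REG_EXPORT):
        print(f"suspicious RunOnce value {name!r} -> {data}")
```

On a live system the input would come from `reg export "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" runonce.reg`; note that `reg export` writes the file as UTF-16 with a byte-order mark, so open it with `encoding="utf-16"` before passing the text to `find_temp_runonce_entries`. A hit is a lead, not proof: legitimate installers also use RunOnce, so the flagged executable still needs to be examined.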
Downloads and executes arbitrary files
TrojanDownloader:Win32/FakeVimes has been observed downloading other components of Win32/FakeVimes in the wild. These components may be detected as Trojan:Win32/FakeVimes. While downloading and installing these additional components, TrojanDownloader:Win32/FakeVimes may display messages such as the following:
The downloaded file is saved to the following location with a filename that differs according to distribution:
C:\Documents and Settings\All Users\Application Data\<random value>\<Rogue Name.exe>
C:\Documents and Settings\All Users\Application Data\ff3ce05\UA2009.exe
Modifies hosts file
Win32/FakeVimes modifies the Windows Hosts file. The local Hosts file overrides DNS resolution, mapping a host name to a particular IP address before any DNS lookup takes place. Malware often modifies an affected machine's Hosts file in order to redirect specified URLs to different IP addresses, for example to stop users from reaching websites associated with security-related applications such as antivirus products. Win32/FakeVimes may modify the Hosts file to redirect search domains to a different site, as in the following examples:
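Because the Hosts file is plain text, the redirects described above are easy to audit. The following is an added example (not code from the original write-up): a Hosts-file parser that flags any entry for a search-engine or security-vendor domain, since such domains have no business appearing in a Hosts file at all. The sample Hosts content and the watched-domain list are constructed for the example, and the redirect addresses come from the 203.0.113.0/24 documentation range.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample Hosts file. The first two entries are the normal
# defaults; the remaining three are the kind of redirect described above.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost
203.0.113.9     www.google.com
203.0.113.9     www.bing.com   # trailing comment
0.0.0.0         update.example-av.test
"""

# Domains whose presence in the Hosts file is suspicious here: search engines
# (the page says FakeVimes redirects search domains) and security vendors.
# Assumption for the example: this list is illustrative, not exhaustive.
WATCHED_SUFFIXES = ("google.com", "bing.com", "yahoo.com", "example-av.test")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, ignoring comments, blank and malformed lines.
    A line may list several host names for one address; each becomes a pair."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                            # address with no host name
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                            # not a valid IPv4/IPv6 address
        for host in parts[1:]:
            pairs.append((str(ip), host.lower()))
    return pairs


def is_watched(host: str) -> bool:
    """True if host is one of the watched domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hosts_redirects(text: str) -> List[Tuple[str, str, str]]:
    """Return (ip, host, reason) for every watched domain that the Hosts file
    overrides, distinguishing blackholing from redirection to another site."""
    findings: List[Tuple[str, str, str]] = []
    for ip_str, host in parse_hosts(text):
        if not is_watched(host):
            continue
        ip = ipaddress.ip_address(ip_str)
        if ip.is_unspecified:
            reason = "blackholed (0.0.0.0)"
        elif ip.is_loopback:
            reason = "blocked via loopback"
        else:
            reason = "redirected to " + ip_str
        findings.append((ip_str, host, reason))
    return findings


if __name__ == "__main__":
    for ip_str, host, reason in find_hosts_redirects(SAMPLE_HOSTS):
        print(f"{host}: {reason}")
```

On Windows the file to read is `%SystemRoot%\System32\drivers\etc\hosts`; a clean system normally contains only comments and the localhost entries, so any hit from `find_hosts_redirects` is worth investigating, and the distinction between blackholing and redirection tells you whether the goal was to block a site (typically a security vendor) or to send the user somewhere else (typically a search domain).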
Modifies system settings
Attempts to disable UAC (User Account Control) prompts by modifying the following registry entry:
Contacts remote host
TrojanDownloader:Win32/FakeVimes reports information about the settings of affected machines and successful installations to a remote host. In the wild it has been observed contacting the following host for this purpose:
Analysis by Ray Roberts
Symptoms vary among different distributions of TrojanDownloader:Win32/FakeVimes; however, the following system changes (or similar ones) may indicate that this program is present:
Display of the following images or dialogs, or similar ones: