11/12: FakeAV-GJ Trojan Copies Itself, Creates Files

When first run Troj/FakeAV-GJ copies itself to (System)\msiconf.exe and creates the following files:

Desktop\Gay Fetish Sex.url
User\Application Data\eb6af0a414ab8daf
User\Local Settings\Application Data\Thumbs.db

The following registry entry is created to run msiconf.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
msiexec.exe
msiconf.exe

Registry entries are created under:

HKCU\Software\Rapid Antivirus

More information can be found at this Sophos page.

Comment and Contribute