bagn70dol.exe – Fake AntiVirus “Antimalware Doctor”

June 17, 2011 by NightWatcher
Filed under: FakeAV (Solved!)

Fix it immediately:

The file bagn70dol.exe is part of the fake antivirus program "Antimalware Doctor".
Delete it immediately: kill the bagn70dol.exe process, remove bagn70dol.exe from the Windows startup (the Run entry listed below) and delete the file.

Malware Analysis of “Antimalware Doctor”
Executed: cov700delt.exe
Removed: bagn70dol.exe. Full path: C:\Documents and Settings\Administrator\Application Data\B34B7AF9CB40065433C8C631C37A9A2D\bagn70dol.exe

—————————————————————————————————————————-
Detected by UnHackMe:

Item Name: bagn70dol.exe
Author: Unknown
Related File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\B34B7AF9CB40065433C8C631C37A9A2D\BAGN70DOL.EXE
Type: Registry Run

Removal Results: Success
Number of reboots: 1

—————————————————————————————————————————-
How to quickly detect the malware's presence:

Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\bagn70dol.exe
Value: “C:\Documents and Settings\Administrator\Application Data\B34B7AF9CB40065433C8C631C37A9A2D\bagn70dol.exe”

Files:
C:\Documents and Settings\Administrator\Application Data\B34B7AF9CB40065433C8C631C37A9A2D\bagn70dol.exe
C:\Documents and Settings\Administrator\Application Data\B34B7AF9CB40065433C8C631C37A9A2D\enemies-names.txt
C:\Documents and Settings\Administrator\Application Data\B34B7AF9CB40065433C8C631C37A9A2D\local.ini
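The registry, file and process indicators above, turned into a detection check. This is an added example written for this post, not code from the original author or from UnHackMe; it assumes PowerShell 4 or later (for Get-FileHash) and treats the 32-hex-character folder name, which the report records as the per-install "coid", as a pattern rather than a fixed value.

```powershell
# Added example: look for the "Antimalware Doctor" artifacts listed in this post.
# Returns a list of findings (empty when nothing is found) so it can be reused.
function Find-AntimalwareDoctor {
    $findings = @()
    # SHA256 of bagn70dol.exe as reported above; a repacked variant will differ,
    # so the path, registry and process checks do not depend on it.
    $knownSha256 = '6F7B3BC2BCFAD64C4891881FFBF5437D9831818588A526620E0A51938E3D8038'

    # 1. Persistence: Run value named after the dropped executable
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['bagn70dol.exe']) {
        $findings += "Run value: bagn70dol.exe = $($run.'bagn70dol.exe')"
    }

    # 2. Dropped files: a 32-hex-char folder under %APPDATA% holding the three files
    #    (%APPDATA% is "...\Application Data" on the XP system in the report)
    Get-ChildItem -Path $env:APPDATA -Directory -ErrorAction SilentlyContinue |
      Where-Object { $_.Name -match '^[0-9A-F]{32}$' } |
      ForEach-Object {
        foreach ($name in 'bagn70dol.exe', 'enemies-names.txt', 'local.ini') {
            $p = Join-Path $_.FullName $name
            if (Test-Path $p) { $findings += "File: $p" }
        }
        $exe = Join-Path $_.FullName 'bagn70dol.exe'
        if (Test-Path $exe) {
            $sha = (Get-FileHash -Path $exe -Algorithm SHA256).Hash
            if ($sha -eq $knownSha256) { $findings += "SHA256 matches the reported sample: $exe" }
        }
      }

    # 3. Running process
    if (Get-Process -Name 'bagn70dol' -ErrorAction SilentlyContinue) {
        $findings += 'Process bagn70dol.exe is running'
    }

    # 4. Uninstall entry and vendor key created at installation
    foreach ($k in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor',
                   'HKCU:\Software\Antimalware Doctor Inc') {
        if (Test-Path $k) { $findings += "Registry key: $k" }
    }
    return $findings
}

$result = Find-AntimalwareDoctor
if ($result.Count -eq 0) { 'No Antimalware Doctor artifacts found.' }
else { $result | ForEach-Object { "[!] $_" } }
```

Run it in the profile of the affected user, since every indicator lives under HKCU and that user's Application Data folder.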
—————————————————————————————————————————-
Classification:

Antivirus   Version     Last Update   Result
Kaspersky   9.0.0.837   2011.06.11    Trojan.Win32.Jorik.Fraud.wr
Microsoft   1.6903      2011.06.11    VirTool:Win32/Obfuscator.PS
NOD32       6198        2011.06.11    -

—————————————————————————————————————————-

MD5     c49686362b0981c5493b80f39d0855df
SHA1    e43ec1d66c3603bf22f5436d4f5bdadc74ce76c3
SHA256  6f7b3bc2bcfad64c4891881ffbf5437d9831818588a526620e0a51938e3d8038

—————————————————————————————————————————-


Installation
When the program is executed, it creates the following registry keys and values, files and folders:

———————————-
Keys added: 4
———————————-
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor
HKCU\Software\Antimalware Doctor Inc
HKCU\Software\Antimalware Doctor Inc\Antimalware Doctor

———————————-
Values added: 19
———————————-
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\bagn70dol.exe: “C:\Documents and Settings\Administrator\Application Data\B34B7AF9CB40065433C8C631C37A9A2D\bagn70dol.exe”
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor\DisplayIcon: “C:\Documents and Settings\Administrator\Application Data\B34B7AF9CB40065433C8C631C37A9A2D\bagn70dol.exe,0”
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor\DisplayName: “Antimalware Doctor”
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor\UninstallString: “C:\Documents and Settings\Administrator\Application Data\B34B7AF9CB40065433C8C631C37A9A2D\bagn70dol.exe /uninstall”
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor\InstallLocation: “C:\Documents and Settings\Administrator\Application Data\B34B7AF9CB40065433C8C631C37A9A2D\”
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor\NoModify: 0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor\NoRepair: 0x00000001
HKCU\Software\Antimalware Doctor Inc\Antimalware Doctor\datarl1: “KRoAGVdOQwQUFgA2QQoa”
HKCU\Software\Antimalware Doctor Inc\Antimalware Doctor\datarl2: “KRoAGVdOQwIPFgA2GwIWQRsl”
HKCU\Software\Antimalware Doctor Inc\Antimalware Doctor\datarlA: “”
HKCU\Software\Antimalware Doctor Inc\Antimalware Doctor\url_update_time: “6/16/2011 10:09:50 PM”
HKCU\Software\Antimalware Doctor Inc\Antimalware Doctor\install_time: “6/16/2011 10:09:50 PM”
HKCU\Software\Antimalware Doctor Inc\Antimalware Doctor\database_version: “240”
HKCU\Software\Antimalware Doctor Inc\Antimalware Doctor\virus_signatures: “60496”
HKCU\Software\Antimalware Doctor Inc\Antimalware Doctor\affid: “7070010100”
HKCU\Software\Antimalware Doctor Inc\Antimalware Doctor\coid: “B34B7AF9CB40065433C8C631C37A9A2D”
HKCU\Software\Antimalware Doctor Inc\Antimalware Doctor\nsaftscann: “1”
HKCU\Software\Antimalware Doctor Inc\Antimalware Doctor\nsa: “1”
HKCU\Software\Antimalware Doctor Inc\Antimalware Doctor\nsaftscanunp: “1”

———————————-
Files added: 3
———————————-
C:\Documents and Settings\Administrator\Application Data\B34B7AF9CB40065433C8C631C37A9A2D\bagn70dol.exe
C:\Documents and Settings\Administrator\Application Data\B34B7AF9CB40065433C8C631C37A9A2D\enemies-names.txt
C:\Documents and Settings\Administrator\Application Data\B34B7AF9CB40065433C8C631C37A9A2D\local.ini

———————————-
Folders added: 1
———————————-
C:\Documents and Settings\Administrator\Application Data\B34B7AF9CB40065433C8C631C37A9A2D

———————————-
Total changes: 27
———————————-

—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com


Written by Malware Hunter.
