Antidetect.AB, a malware that uses Microsoft Register Server to avoid detection by anti-virus programs.
The Dell SonicWALL Threats Research team observed reports of a new malware family, named GAV: Antidetect.AB, actively spreading in the wild. This time the attacker uses Microsoft Register Server (Regsvr32.exe) and manipulates the Windows registry to avoid detection by anti-virus programs.
![](http://software.sonicwall.com/gav/Antidetect.AB_files/image001.png)
Infection Cycle:
The Malware uses the following icon:
![](http://software.sonicwall.com/gav/Antidetect.AB_files/image002.png)
MD5:
- 9d994203fc51b31aa3f661a1dfe5374b
The malware adds the following files to the system:
- Malware.exe
- %Userprofile%\Local Settings\Application Data\[Random Name]\[Random Name].exe
The malware adds the following keys to the Windows registry to ensure persistence upon reboot:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
![](http://software.sonicwall.com/gav/Antidetect.AB_files/image003.png)
The malware manipulates the Windows registry so that, even if you run Msconfig.exe or Regedit.exe, you will not see any evidence of its autostart entries.
Here is an example:
![](http://software.sonicwall.com/gav/Antidetect.AB_files/image004.png)
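Added here as a defender's check, not code from the advisory or from SonicWALL: a PowerShell script that walks the two Run keys named above and flags autostart entries whose target lives under the user's Application Data folder, with extra weight on the `[Random Name]\[Random Name].exe` layout the advisory describes. The drop-folder paths and the matching heuristic are assumptions.

```powershell
# Added example (not from the advisory): flag Run-key entries pointing into the
# per-user Application Data tree, where the sample drops a randomly named copy
# as <Random Name>\<Random Name>.exe. Drop roots and heuristic are assumptions.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Legacy (XP-era) "Local Settings\Application Data" path and its modern equivalent.
$dropRoots = @((Join-Path $env:USERPROFILE 'Local Settings\Application Data'), $env:LOCALAPPDATA) | Where-Object { $_ }
function Get-CommandExe {
    param([string]$Command)
    # First token of the command line: a quoted or unquoted path ending in .exe
    if ($Command -match '^\s*"([^"]+\.exe)"' -or $Command -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $null
}
function Test-DropPath {
    param([string]$Exe)
    $inDropRoot = $false
    foreach ($root in $dropRoots) { if ($Exe -like "$root\*") { $inDropRoot = $true } }
    if (-not $inDropRoot) { return $null }
    # <Random Name>\<Random Name>.exe: parent folder name equals the file base name
    $base = [IO.Path]::GetFileNameWithoutExtension($Exe)
    $dir  = Split-Path (Split-Path $Exe -Parent) -Leaf
    if ($base -ieq $dir) { return 'AppData, folder name matches exe name' }
    return 'AppData'
}
function Get-SuspiciousRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        # Drop PSPath/PSParentPath/... metadata that Get-ItemProperty adds
        $props = (Get-ItemProperty -Path $key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
        foreach ($p in $props) {
            $exe = Get-CommandExe ([string]$p.Value)
            if (-not $exe) { continue }
            $reason = Test-DropPath $exe
            if ($reason) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value; Reason = $reason }
            }
        }
    }
}

Get-SuspiciousRunEntries | Format-Table -AutoSize
```

Because the advisory states the entries are hidden from Msconfig.exe and Regedit.exe, an empty result from this script alone is not proof of a clean system; compare it against the Gateway AntiVirus signature hits and the C&C traffic indicators below.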
Once the computer is compromised, the malware copies its own executable to the %Userprofile%\Local Settings\Application Data folder under a random name and then injects into Regsvr32.exe to collect information from the target system.
![](http://software.sonicwall.com/gav/Antidetect.AB_files/image005.png)
Here is an example of the malware injection:
![](http://software.sonicwall.com/gav/Antidetect.AB_files/image006.png)
The malware tries to transfer your personal information to its own C&C server, for example the following domains:
![](http://software.sonicwall.com/gav/Antidetect.AB_files/image007.png)
![](http://software.sonicwall.com/gav/Antidetect.AB_files/image008.png)
![](http://software.sonicwall.com/gav/Antidetect.AB_files/image009.png)
Command and Control (C&C) Traffic
Antidetect.AB performs C&C communication over ports 80 and 443. The malware sends your system information to its C&C server in the following format; here are some examples:
![](http://software.sonicwall.com/gav/Antidetect.AB_files/image010.png)
![](http://software.sonicwall.com/gav/Antidetect.AB_files/image011.png)
We have been monitoring varying hits over the past few days for the signature that blocks this threat:
![](http://software.sonicwall.com/gav/Antidetect.AB_files/image012.png)
SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:
- GAV: Antidetect.AB (Trojan)