Published:
June 12 2009, 01:57 AM
by
Mary Grace Gabriel
CA ISBU Research Lab receives a large number of malicious samples on a daily basis, many of which are found to be Rogue Antivirus applications belonging to the extremely prevalent malware family, Win32/FakeAV.
I recently encountered an interesting sample of Win32/FakeAV that departs from the usual Rogue Antivirus applications we come across in our labs. This variant imitates the Microsoft Windows Malicious Software Removal Tool (MSRT), and also promotes a Microsoft Office upgrade and other trusted Antivirus products.
Fake Microsoft MSRT Warnings
When the installation package is executed, it displays a fake alert in the system tray, as seen in Figure 01:

[Figure 01 – Fake Alert System Tray]
It then displays a fake GUI that imitates the Microsoft Windows Malicious Software Removal Tool "scanning" the system, followed by a fake scan result, as shown in Figure 02:

[Figure 02 – Fake MSRT Result]
When the user clicks the Finish button, it displays the following GUI promoting trusted Antivirus products, as shown in Figure 03:

[Figure 03 – AV products]
If the user clicks the Cancel button instead, it displays another fake alert in the system tray, as seen in Figure 04:

[Figure 04 – Fake Alert System Tray]
Fake Security Alerts
Another strategy to convince the user to purchase the trusted Antivirus application it offers is to display a fake error whenever any of the following Peer-to-Peer applications is executed:
- BearShare.exe
- FrostWire.exe
- LimeWire.exe
- Phex.exe
- Phex_debug.exe
- Shareaza.exe
An example of the fake error message, which contains a misspelled word:

[Figure 05 – Fake error]
Fake Windows Security Center Warning
Another strategy is to imitate the Windows Security Center warning.
First, it displays another fake alert in the system tray, as seen in Figure 06, again containing a misspelled word:

[Figure 06 – Fake Windows Security Center Warning]
Second, it pops up the following GUI, which imitates the Windows Security Center:

[Figure 07 – Fake Windows Security Center GUI]
Clicking the Recommendations button takes you to the website www.oem-micro-store.com/winadvisor_avir, which was down at the time of writing.
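The Peer-to-Peer executable names listed above and the URL behind the Recommendations button are the only concrete indicators this post gives, so they are the natural starting point for a quick triage of similar samples. The script below is an added example, not CA tooling or code from the sample: it extracts ASCII and UTF-16LE printable strings from a file (Windows binaries commonly store process names and URLs as wide strings, so ASCII-only extraction misses them), matches them case-insensitively against the indicators quoted in this post, and flags the file when it carries two or more of the P2P trigger names or the store URL. The sample bytes and the "two or more triggers" threshold are constructed assumptions for illustration.

```python
import re

# Indicators quoted in the post above (the Win32/FakeAV sample itself is
# not available here; this is a constructed example).
P2P_TRIGGERS = [
    "BearShare.exe", "FrostWire.exe", "LimeWire.exe",
    "Phex.exe", "Phex_debug.exe", "Shareaza.exe",
]
URL_INDICATOR = "www.oem-micro-store.com/winadvisor_avir"
INDICATORS = P2P_TRIGGERS + [URL_INDICATOR]

# Runs of 4+ printable ASCII bytes, and the same in UTF-16LE form
# (each printable byte followed by a NUL).
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data: bytes):
    """Yield (encoding, text) for ASCII and UTF-16LE printable runs."""
    for m in ASCII_RE.finditer(data):
        yield "ascii", m.group().decode("ascii")
    for m in WIDE_RE.finditer(data):
        yield "utf-16le", m.group().decode("utf-16le")


def match_indicators(data: bytes):
    """Return a sorted list of (indicator, encoding) pairs found in data.

    Matching is case-insensitive because Windows filenames are."""
    hits = set()
    for enc, text in extract_strings(data):
        low = text.lower()
        for ind in INDICATORS:
            if ind.lower() in low:
                hits.add((ind, enc))
    return sorted(hits)


def triage(data: bytes):
    """Summarise which post indicators a blob carries and whether to escalate.

    Threshold (an assumption for this example): two or more P2P trigger
    names, or the store URL, is enough to pull the file for manual review."""
    hits = match_indicators(data)
    p2p = sorted({ind for ind, _ in hits if ind in P2P_TRIGGERS})
    has_url = any(ind == URL_INDICATOR for ind, _ in hits)
    return {
        "p2p_triggers": p2p,
        "has_url": has_url,
        "suspicious": len(p2p) >= 2 or has_url,
    }


# Constructed stand-in for a sample: junk bytes around a UTF-16LE copy of
# two P2P names (one in odd case) and an ASCII copy of the URL.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + "LimeWire.exe".encode("utf-16le") + b"\x00\x00"
    + "shareaza.EXE".encode("utf-16le") + b"\x00\x00"
    + b"\xff\x01\x02" + URL_INDICATOR.encode("ascii") + b"\x00"
)

if __name__ == "__main__":
    # Run against a real file with: triage(open(path, "rb").read())
    print(triage(SAMPLE))
```

Indicators like these rot quickly (the URL was already down when this was written), so treat the list as a seed for a signature, not as the signature itself.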
Other Dubious Offers
This variant does not only promote trusted Antivirus products; it also offers other products, such as a Microsoft Office upgrade.
When Microsoft Word is opened, it displays the following warning offering the user a dubious Microsoft Office upgrade for purchase, see Figure 08:

[Figure 08 – Microsoft Word warning]
When the Yes button is clicked, it takes you to the following website to purchase the upgrade:

[Figure 09 – Microsoft Word upgrade]
Always remember to keep updating your CA security products' signatures.
Till next time…