Is it a fake Microsoft alert? Is it FakeAV? No, it’s both!
Published: October 20 2009, 01:06 AM by Mary Grace Gabriel
At CA’s Internet Security Business Unit (ISBU), we recently received new spammed emails disguised as legitimate email from Microsoft. The email has the subject “Conflicker.B Infection Alert” and asks the user to scan their system for possible infection by first installing the attached file [Figure 1].
[Figure 1 – Fake notification from Microsoft]
The spammed email looks like a legitimate email from Microsoft and alerts the recipient that their Internet Service Provider’s network is supposedly infected with the Conficker worm. You may notice that even though the sender’s name is “Microsoft Windows Agent”, the email address used is the same as the recipient’s email address (the full address is partially obscured for privacy reasons).
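The sender trait described above (a Microsoft display name on an address identical to the recipient's own) can be checked mechanically at a mail gateway or during triage. The following is an added example, not code from CA or from the original post; the sample message, the `example.com` addresses, the attachment name and the brand keyword and domain lists are constructed assumptions.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed lists: display-name words that claim a vendor, and the
# domains that vendor would really send from.
BRAND_WORDS = ("microsoft", "windows")
BRAND_DOMAINS = ("microsoft.com",)

def spoof_indicators(raw_message: str) -> list[str]:
    """Return which traits of the spam described in the post a message shows."""
    msg = message_from_string(raw_message, policy=policy.default)
    senders = getaddresses([str(h) for h in msg.get_all("From", [])])
    rcpt_headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = {a.lower() for _, a in getaddresses([str(h) for h in rcpt_headers]) if a}
    hits = []
    for name, addr in senders:
        # Trait 1: the From address is the recipient's own address.
        if addr and addr.lower() in recipients:
            hits.append("from-equals-recipient")
        # Trait 2: display name claims the vendor, address domain does not match.
        domain = addr.rpartition("@")[2].lower()
        genuine = any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS)
        if any(w in name.lower() for w in BRAND_WORDS) and not genuine:
            hits.append("brand-display-name-mismatch")
    # Trait 3: the message carries a file the user is told to install.
    if any(True for _ in msg.iter_attachments()):
        hits.append("has-attachment")
    return hits

def build_sample() -> str:
    """Constructed message imitating the headers described in the post."""
    m = EmailMessage()
    m["From"] = '"Microsoft Windows Agent" <user@example.com>'
    m["To"] = "user@example.com"
    m["Subject"] = "Conflicker.B Infection Alert"
    m.set_content("Please install the attached file and scan your system.")
    m.add_attachment(b"placeholder bytes", maintype="application",
                     subtype="octet-stream", filename="attachment.bin")
    return m.as_string()

if __name__ == "__main__":
    print(spoof_indicators(build_sample()))
```

A message matching all three traits is a strong candidate for quarantine; the first trait alone also fires on legitimate notes-to-self, so it is best scored in combination.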
When the user clicks the attachment, it displays a pop-up message in the system tray, advising the user that his or her computer is infected [Figure 2]:

[Figure 2 – Pop-up message in System Tray]
If the user clicks anywhere on the fake pop-up warning, the malware connects to any of the following domains:
The malware then downloads “lizkavd.exe”, which, once executed, downloads and executes the main installer and other malicious component files of known rogue antivirus software. During this process, the following GUI is displayed, showing the download progress [Figure 3].

[Figure 3 – GUI showing download progress]
These files are detected by CA as Win32/AntivirusPro2010.AW.
Again, we advise users to beware of these kinds of emails and to ensure that their CA Security Products are updated with the latest signatures.