New Scareware Tactic Lures in More FAKEAV Buyers!

TrendLabs recently received a new FAKEAV sample, which they now detect as TROJ_FAKEAV.BLW. Like previous variants, it poses as a legitimate antivirus application that displays false detections, disables firewall and security center functions, and produces pop-up warnings to force affected users to purchase rogue antivirus software.

Unlike its predecessors, however, this sample uses the file name AV.exe, which less computer-savvy users may take for a legitimate antivirus application. It uses registry shell spawning as its autostart technique, which means the malware is executed every time a user runs a file with the .EXE file name extension. It also uses any of the following application names:

  • %1 Antispyware 2010
  • Antivirus %1 2010
  • %1 Guardian 2010
  • %1 Guardian
  • %1 Defender 2010
  • %1 Antivirus
  • %1 Antivirus 2010
  • %1 Antivirus Pro
  • %1 Antivirus Pro 2010
  • %1 Internet Security
  • %1 Internet Security 2010

Note that %1 is replaced with the name of the OS installed on the affected machine. This makes the malware flexible, as its rogue product name adapts to the infected user’s OS.
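As an added illustration (not code from the original post or from Trend Micro), here is one way a defender can check for the .EXE shell-spawning hijack described above. On Windows the open command of the exefile class normally reads `"%1" %*`, so any other value in that key means every .EXE launch is being redirected through another program. The script parses a constructed `.reg` export (the AV.exe path in it is made up for the example) and reports any exefile open command that deviates from the default.

```python
import re

# Expected default open command for the .EXE file class on Windows:
# run the file itself and pass through any arguments.
EXPECTED_EXE_COMMAND = '"%1" %*'

# Registry keys that control what runs when a .EXE file is opened. A value
# here pointing at another program hijacks every .EXE launch.
WATCHED_KEYS = (
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command",
    r"HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command",
)

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"\s*$')

# Constructed sample export: the first key is hijacked to a made-up AV.exe
# path, the second still holds the Windows default.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\AV.exe\" \"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"%1\" %*"
'''

def parse_reg_export(text):
    """Map each key in a .reg export to its default value (@), if one is set."""
    defaults = {}
    current = None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _DEFAULT_VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes and double quotes inside strings
            defaults[current] = re.sub(r'\\(["\\])', r'\1', m.group(1))
    return defaults

def find_exe_hijacks(reg_text):
    """Return (key, command) pairs whose .EXE open command is not the default."""
    defaults = parse_reg_export(reg_text)
    return [(k, defaults[k]) for k in WATCHED_KEYS
            if k in defaults and defaults[k].strip() != EXPECTED_EXE_COMMAND]

if __name__ == "__main__":
    for key, command in find_exe_hijacks(SAMPLE_REG_EXPORT):
        print(f"hijacked: {key} -> {command}")
```

On a live machine the same check can be run against the output of `reg export HKCR\exefile out.reg` rather than the embedded sample.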

Whenever an infected user attempts to access the Internet via Internet Explorer (IE) or Firefox, this malware displays warning messages saying these browsers are malicious.

[Screenshots: the fake warning for Internet Explorer on the left and for Firefox on the right]

This may cause the user to panic since these are two of the most commonly used browsers. Users who are tricked into purchasing the bogus product are redirected to multiple rogue antivirus domains.

Having multiple domains ensures that the malware can still reach one of them even if some have already been taken down. Lastly, this malware does not allow users to execute files from security companies, which prevents the affected user from scanning the affected computer.

When faced with these kinds of false alarms, I would urge users to stay calm and not purchase rogue antivirus products. Paying does not solve the problem; it only makes things worse, since the hard-earned money spent is simply wasted.

This is only the latest tactic seen from the perpetrators of rogue antivirus malware. Recently, advanced threats researchers spotted another FAKEAV run using Sandra Bullock’s recent marital difficulties to spread malware. If you have any questions about this type of malware, please feel free to contact me and I will be glad to answer any of your questions.

------------------------------------------------------------------------
The Short URL of this blog posting is http://tllg.net/ME

By Andrew