By Dave Michmerhuizen, Security Researcher
Barracuda Labs researchers have recently seen a particularly nasty variant of Trojan.FakeAV spreading in the wild. We have seen this fake antivirus malware delivered both by way of drive-by exploits and by way of direct links embedded in enticing spam emails. The first sign of infection is the display of a very convincing copy of a Microsoft Security Essentials alert. The malware then prevents the victim from running most programs on their desktop.
When the real Microsoft Security Essentials antivirus program encounters malware on a computer it displays an alert such as this one:
A computer that has been attacked by this strain of Trojan.FakeAV immediately displays the following very similar alert:
The difference is that the second alert will continue to reappear even if the user closes it. Any attempt to run Outlook or Internet Explorer, open a command window or even run the Task Manager will be intercepted and the alert will re-display. The inability to run most common programs on the computer leaves the uninformed user with no alternative but to explore the alert. Choosing “Clean Computer” or “Apply Actions” brings up an interesting scan dialog:
A large list of antivirus product trademarks is displayed. Unfortunately, none of the well-known products seem to be able to find any problems. Cleverly interspersed with the reputable programs are images for five bogus antivirus ‘products’, including:
Major Defense Kit
Of course, no scanning ever happened, and the programs listed above are all built directly into the malware. They all appear identical except for a name change. If the user installs the first one, this is displayed:
We were particularly amused by the wholesale theft of the GNU “free software” license agreement. Behind the scenes, the installation of any of these bogus ‘products’ sends messages across the Internet to IPs 220.127.116.11 and 18.104.22.168, both of which are located in Latvia. The first is the home of a malicious fake porn site and the second hosts a site whose main page simply reads “There is nothing here”.
Once ‘installed’ the program goes right to work fixing ‘problems’. Unfortunately some of those problems require a missing “heuristic module”.
Ignoring this requirement results in an error message. Outlook, Internet Explorer, Task Manager – the most basic Windows programs still will not run. Eventually the user might be tempted to click the purchase button for that module:
Fixing the Problem
While it is not possible to open many programs, it is possible to open the file explorer. The malware file is found in the user's Application Data folder, which is hidden by default. Once the file is renamed it will no longer be loaded on reboot, and the machine can be cleaned using a reputable antivirus program.
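One way to carry out the steps above from a PowerShell prompt, as an added example that is not part of the original post: it lists recently created executables under the hidden Application Data folder so the suspect file can be identified, and renames the chosen file so it is not loaded at the next reboot. It assumes the file sits under %APPDATA% as the post describes; the file name is not given on the page, so it is passed in as a parameter.

```powershell
# Added example (not from the original post): find recently created executables
# under the user's Application Data folder, including hidden ones, newest first,
# then neutralise a chosen file by renaming it so it is not loaded at reboot.
# Assumption: the malware is a single executable under $env:APPDATA; its name is
# not given on the page, so the caller supplies the path after reviewing the list.

function Get-AppDataExecutables {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    # -Force includes hidden and system files; the folder itself is hidden by default.
    Get-ChildItem -Path $env:APPDATA -Recurse -Force -File `
        -Include *.exe, *.dll, *.scr -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $since } |
        Sort-Object CreationTime -Descending |
        Select-Object FullName, CreationTime, Length, Attributes
}

function Disable-SuspectFile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }
    $item = Get-Item -LiteralPath $Path -Force
    # Clear hidden/system attributes so the renamed file stays visible for later cleanup.
    $item.Attributes = 'Normal'
    $newName = $item.Name + '.quarantined'
    if ($PSCmdlet.ShouldProcess($Path, "Rename to $newName")) {
        Rename-Item -LiteralPath $Path -NewName $newName
        Write-Output "Renamed $Path -> $newName; reboot, then run a reputable antivirus scan."
    }
}

# Usage: review the list first, then rename only the file you have identified.
Get-AppDataExecutables -Days 7 | Format-Table -AutoSize
# Disable-SuspectFile -Path 'C:\Users\<user>\AppData\Roaming\<suspect>.exe' -WhatIf
```

Run with -WhatIf first to confirm which file would be renamed; the rename only takes effect on reboot, as the post notes, because the running process keeps the original name loaded until then.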
Barracuda Web Filters and the Barracuda Web Filtering Service stop the download of this threat.