CRYP_FAKEAV-29


PLATFORM: Windows 2000, Windows XP, Windows Server 2003

OVERALL RISK RATING:

REPORTED INFECTION:

  • Threat Type: Others
  • Destructiveness: No
  • Encrypted:
  • In the wild: Yes

OVERVIEW

This is the Trend Micro heuristic detection for suspicious files that exhibit behavior and characteristics similar to the following malware family:

FAKEAV variants arrive on systems via compromised websites, spammed malicious links, poisoned search results that lead to FAKEAV download pages, malicious posts on social networking sites, and malicious advertisements. They may also be downloaded by other malware.

Since 2008, FAKEAV has ridden on the popularity of disastrous events such as the 9/11 attacks and the Great East Japan Earthquake. FAKEAV also takes advantage of celebrity names like Paris Hilton in order to victimize users. The cybercriminals behind FAKEAV scare victims by displaying fake system infections until the victims download, or decide to purchase, the fake antivirus product.

Other routines of FAKEAV malware include connecting to adult sites and blocking rootkit detection tools such as GMER and RootkitBuster to prevent easy removal from affected systems. Later variants of FAKEAV target Macs and spread via social networking sites such as Twitter and Facebook.

There are various operators behind the distribution of FAKEAV malware. Apart from the creators of the fake anti-malware file, there are traffic redirectors, site compromisers, bot herders, exploit kit creators, and other cybercriminal underground entities that push, and benefit from, the operation of FAKEAV.

This Trojan employs registry shell spawning by adding certain registry entries. This allows the malware to execute whenever other applications are opened.
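Registry shell spawning works by replacing the default value of the shell\open\command keys (the command Windows runs when a user opens an .exe, .com or .bat file) with a command that launches the malware first and then passes the original program through. The check below is an added example, not Trend Micro code and not taken from the detection page: it parses a registry export (as produced by `reg export HKCR\exefile out.reg`) and flags monitored keys whose default command differs from the clean Windows default `"%1" %*`. The expected defaults are from general Windows knowledge, not from this page; the sample export and the `fakeav_sample.exe` path in it are constructed placeholders.

```python
"""Detect 'shell spawning' hijacks of HKCR\<type>file\shell\open\command
in a registry export. Added example; sample data below is constructed."""
import re

# Clean default commands for file types that shell-spawning malware commonly
# hijacks. These are standard Windows defaults (assumption: verify against a
# known-good machine of the same Windows version before relying on them).
EXPECTED_COMMANDS = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\batfile\shell\open\command": '"%1" %*',
}

# Constructed .reg export: exefile has been hijacked, comfile is still clean.
# The malware path is a placeholder, not a real indicator from the page.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\fakeav_sample.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
'''


def parse_reg_export(text):
    """Return {key_path: default_value} for every [section] in a .reg export
    (REGEDIT4 or 'Version 5.00' format) that has an @="..." default value."""
    values = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and line.startswith('@="') and line.endswith('"'):
            body = line[3:-1]
            # .reg files escape backslash and double quote with a backslash.
            values[current] = re.sub(r'\\(["\\])', r"\1", body)
    return values


def find_shell_hijacks(values, expected=EXPECTED_COMMANDS):
    """Return [(key, current_command, interposed_program)] for each monitored
    key whose default command is present and not the clean default. Keys
    absent from the export are skipped rather than reported."""
    findings = []
    for key, clean in expected.items():
        current = values.get(key)
        if current is None or current == clean:
            continue
        # Shell spawners usually prepend their own executable and keep "%1" %*
        # so the program the user asked for still runs afterwards.
        m = re.match(r'\s*"?([^"]+?\.exe)"?', current, re.IGNORECASE)
        findings.append((key, current, m.group(1) if m else None))
    return findings


if __name__ == "__main__":
    # On a live system, feed the text of a file produced by
    # `reg export HKCR\exefile exefile.reg` (and comfile, batfile) instead.
    for key, cmd, prog in find_shell_hijacks(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"HIJACKED {key}\n  command: {cmd}\n  interposed program: {prog}")
```

Restoring the default value of a hijacked key is part of cleanup, but do it only after the interposed executable has been removed: with the key still pointing at a deleted file, every .exe launch fails until the command is restored, which is why most removal guidance does both steps together.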

If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately, especially if it came from an untrusted or unknown source (e.g., a website of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided if necessary.

SOLUTION

Minimum Scan Engine: 9.300

VSAPI OPR PATTERN File: 7.499.00

VSAPI OPR PATTERN Date: 28 Sep 2010

NOTES:

Submitting Samples

If you have identified suspicious files, you may submit them to us. Sample files for submission must be in ZIP format and password-protected. To create the ZIP file, use file compression software such as WinZip. A trial version of WinZip is available for download.

To compress a file, please follow the steps below:

  1. Right-click on the file and select Add to Zip.
  2. Enter a file name for the zip file.
  3. On the Options menu, choose Encrypt. In the input box, type virus. This serves as the password for the zip file.
  4. Send the sample through one of the following channels:
    • Trend Micro Premium customers: submit a virus support case at https://psc.trendmicro.com/eservice_enu/start.swe?SWECmd=Start&SWEHo=psc.trendmicro.com
    • Trend Micro non-Premium customers: contact your local support network by visiting your Trend Micro regional website.
    • Non-Trend Micro customers: scan your system with HouseCall, our on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plug-ins, and other malware.
