FakeAV — Now with Porn!
Once upon a time, surfing to a compromised porn site exposed the user to fake antivirus software through driveby downloads.
I recently came across a sample that turns this concept around. Running the executable file does nothing at first but after a random time interval it pops up a window while pretending to run a scan.
Standard fake AV window. Nothing new here.
When this fake scan completes, the user is prompted.
No, thanks.
Twice. Notice how the wording has changed forcing the user to read carefully?
No! Uh... I mean yes.
In addition to constantly warning the user of non-existent attacks and infections, this fake AV software does something new. Every few minutes it launches an instance of Internet Explorer and navigates to an adult web site. The user could easily leave the computer unattended and come back to find the screen full of porn.
Screenshot removed by editor
Sophos detects this rogue AV as Troj/FakeVir-NV
Posted on July 17th, 2009 by fnh, SophosLabs CAFiled under: General
Windows 7 security - A great leap forward or business as usual?
