Threat Spotlight

For the week of 18 Sep 2009
Threat 1

Malware spoofs threat alerts to force purchase of fake software

Threat Name:

Email threat: Mal/EncPk-JX

Users at Risk:

Windows users

Also Known As:

  • Total Security 2009
  • McAfee: The FakeAlert-WinwebSecurity.gen trojan
  • Microsoft: Trojan:Win32/Winwebsec
  • Kaspersky: Packed.Win32.Krap.w

Removal Instructions:

Please follow these instructions on how to remove generically detected files.

About:

Mal/EncPk-JX is a protection mechanism used exclusively by malware. This particular packer is found on a wide variety of different types of malware.

One kind of malware that commonly uses this packer is a family of (almost always Russian) fake anti-virus calling itself "Total Security 2009." When Total Security 2009 is activated, it displays a window that initiates a security scan and reports several bogus threats as discovered. It also uses a balloon pop-up from the taskbar to warn users of threats that are not actually on their computer.

After displaying the fake threat information, Total Security 2009 asks users whether they want to carry on unprotected or pay to remove the "threats." If the user chooses to purchase the fake threat-removal software, they will be taken to a website based in Russia.

In order to install itself, Total Security 2009 creates files and shortcuts in these locations:

  • <User>\Application Data\<random 8 digit decimal number>\<same number>.exe
  • <Desktop>\Total Security 2009.lnk
  • <Start Menu\Programs>\Total Security\Total Security 2009.lnk

It also adds a registry entry to ensure that it is run each time a user logs on:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Value name: <8 digit number>
  Value data: <path to executable>

It also adds a fake entry to the Add or Remove Programs list in the Control Panel:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemSecurity2009

Choosing to remove the threat using the control panel will not actually remove it from the affected computer.
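The persistence and Add or Remove Programs indicators above can be checked mechanically. The following is an added example (not code from the original write-up) that classifies Run-key values and Uninstall subkeys against the patterns described: an 8-digit value name, an executable at Application Data\<N>\<N>.exe with the same number in both places, and the SystemSecurity2009 uninstall entry. The registry data is a constructed sample; on a real host it would come from a registry export or the winreg module.

```python
import re
from typing import Dict, List

# Pattern from the write-up: <User>\Application Data\<8 digit decimal>\<same number>.exe
_PATH_RE = re.compile(
    r"\\Application Data\\(?P<dir>\d{8})\\(?P<exe>\d{8})\.exe$", re.IGNORECASE)
_EIGHT_DIGITS = re.compile(r"^\d{8}$")
FAKE_UNINSTALL_SUBKEY = "SystemSecurity2009"


def classify_run_value(name: str, data: str) -> str:
    """Return 'match', 'partial' or 'clean' for one value under ...\CurrentVersion\Run."""
    path = data.strip().strip('"')          # tolerate quoted paths in exports
    m = _PATH_RE.search(path)
    if m and m.group("dir") == m.group("exe"):
        # Folder and executable share the 8-digit number, as the write-up describes.
        return "match" if _EIGHT_DIGITS.match(name) else "partial"
    if _EIGHT_DIGITS.match(name) and path.lower().endswith(".exe"):
        # Numeric value name alone is unusual enough to report for a human look.
        return "partial"
    return "clean"


def find_indicators(run_values: Dict[str, str], uninstall_subkeys: List[str]) -> List[str]:
    """Collect human-readable findings for every suspicious Run value or Uninstall subkey."""
    findings: List[str] = []
    for name, data in run_values.items():
        verdict = classify_run_value(name, data)
        if verdict != "clean":
            findings.append(f"Run value {name!r} -> {data!r}: {verdict}")
    for sub in uninstall_subkeys:
        if sub.lower() == FAKE_UNINSTALL_SUBKEY.lower():
            findings.append(f"Uninstall subkey {sub!r}: fake Add or Remove Programs entry")
    return findings


# Constructed sample registry content (not captured from a real infection).
SAMPLE_RUN = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "48305921": r"C:\Documents and Settings\alice\Application Data\48305921\48305921.exe",
    "SoundMAX": r"C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe",
}
SAMPLE_UNINSTALL = ["Mozilla Firefox (3.5.3)", "SystemSecurity2009"]

if __name__ == "__main__":
    for line in find_indicators(SAMPLE_RUN, SAMPLE_UNINSTALL):
        print(line)
```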

Threat 2

Virus targets files within the Delphi compiler

Threat Name:

Virus: W32/Induc-A

Users at Risk:

Windows users with a Delphi compiler

Also Known As:

  • Kaspersky: Virus.Win32.Induc.a
  • AVIRA: W32/Induc.A
  • McAfee: W32/Induc
  • Trend: PE_INDUC.A
  • Microsoft: Win32/Induc.A

Removal Instructions:

If you have received an application infected with W32/Induc-A, please contact the supplier of the software. Inform them of the infection, and please ask them to contact either Sophos or the technical support of their anti-virus supplier as appropriate. When they have cleaned up their Delphi installation, they should then be able to supply you with clean versions of their software.

If you are a Delphi developer, or if you have Delphi installed and have possibly executed an infected application, then as well as cleaning up infected executables, you will also need to clean your Delphi installations. By default, Sophos products do not scan .dcu and .pas extensions, so you will need to turn on the option to scan all file extensions and do a full system scan. Sophos Anti-Virus will then detect infected SysConst.dcu files. Replace these with clean backups. If the virus has copied the original SysConst.dcu to SysConst.bak, then copy SysConst.bak to SysConst.dcu. Leaving a copy of SysConst.bak should prevent reinfection.

When you have cleaned Delphi, recompile clean versions of your software to redistribute to your customers and to replace the infected executables.

About:

W32/Induc-A is an unusual virus in that it does not infect Windows programs directly. Instead, it specifically targets Delphi files via the Delphi programming environment. Delphi compilers vulnerable to the W32/Induc-A virus infection include v4.0, v5.0, v6.0 and v7.0.

The operation of W32/Induc-A is as follows:

  1. Back up the original copy of sysconst.dcu of the Delphi programming environment to sysconst.bak
  2. Copy the file sysconst.pas to \Source\Lib and add the viral script code to the file
  3. Perform a runtime compilation of the version of sysconst.pas that contains the virus code, thereby producing an infected version of sysconst.dcu
  4. Delete the malicious sysconst.pas file

Whenever Delphi compiles a new application, the now-infected library file sysconst.dcu will be inserted into the new application, ready to infect other computers which have an installed Delphi programming environment.

The distribution of this virus has been quite large. This virus has not only affected legitimate software vendors but also malware authors, as described on the SophosLabs blog by Stuart Taylor.

Sophos Anti-Virus detects these files as W32/Induc-A and W32/Induc-B. Infected samples of the compiled sysconst.dcu files are being detected as Mal/Induc-A while infected sysconst.pas file samples are being picked up as Mal/Induc-B.
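The four-step infection sequence above leaves file-system traces that the clean-up instructions rely on: a sysconst.bak holding the original unit, a recompiled sysconst.dcu that no longer matches it, and possibly a leftover sysconst.pas under \Source\Lib. The following is an added example (not code from the write-up or from Sophos) that audits one Delphi installation for those traces and performs the restore-from-backup step while keeping the .bak in place. It assumes a hypothetical layout of <root>\Lib\sysconst.dcu and <root>\Source\Lib\sysconst.pas; the sample tree it builds uses placeholder bytes, not real Delphi units. Scan the .bak before trusting it as the clean copy.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict

# Assumed layout (hypothetical): <root>\Lib\sysconst.dcu|.bak and <root>\Source\Lib\sysconst.pas.


def _sha256(p: Path) -> str:
    return hashlib.sha256(p.read_bytes()).hexdigest()


def audit_delphi_root(root: Path) -> Dict[str, object]:
    """Report W32/Induc-A traces under one Delphi installation root."""
    lib = root / "Lib"
    dcu, bak = lib / "sysconst.dcu", lib / "sysconst.bak"
    pas = root / "Source" / "Lib" / "sysconst.pas"   # copied in step 2, deleted in step 4
    report: Dict[str, object] = {
        "dcu_present": dcu.exists(),
        "bak_present": bak.exists(),                 # step 1 backup of the original unit
        "leftover_pas": pas.exists(),
        "dcu_differs_from_bak": (dcu.exists() and bak.exists()
                                 and _sha256(dcu) != _sha256(bak)),
    }
    if report["leftover_pas"] or report["dcu_differs_from_bak"]:
        report["verdict"] = "suspect"      # step 3 recompiled dcu no longer matches the backup
    elif report["bak_present"]:
        report["verdict"] = "backup-only"  # .bak kept deliberately and dcu matches it
    else:
        report["verdict"] = "clean"
    return report


def restore_from_backup(root: Path) -> bool:
    """Copy sysconst.bak over sysconst.dcu and keep the .bak, as the removal notes advise."""
    lib = root / "Lib"
    bak, dcu = lib / "sysconst.bak", lib / "sysconst.dcu"
    if not bak.exists():
        return False
    shutil.copyfile(bak, dcu)
    return _sha256(bak) == _sha256(dcu)


def make_sample_root(infected: bool) -> Path:
    """Constructed sample tree in a temp dir; contents are placeholders, not Delphi units."""
    root = Path(tempfile.mkdtemp(prefix="delphi_"))
    (root / "Lib").mkdir()
    (root / "Source" / "Lib").mkdir(parents=True)
    (root / "Lib" / "sysconst.dcu").write_bytes(b"ORIGINAL-SYSCONST-DCU")
    if infected:   # mimic steps 1 and 3: original backed up, dcu replaced by a recompiled one
        (root / "Lib" / "sysconst.bak").write_bytes(b"ORIGINAL-SYSCONST-DCU")
        (root / "Lib" / "sysconst.dcu").write_bytes(b"RECOMPILED-WITH-VIRAL-CODE")
    return root
```

Run audit_delphi_root over every Delphi v4.0 to v7.0 root on a build machine; any "suspect" verdict means the installation needs cleaning before anything compiled there is redistributed.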

Threat 3

Facebook Fan Check virus scare leads to malware

Threat Name:

Malware: Troj/FakeAV-ZT

Users at Risk:

Windows users searching for information on a Facebook virus hoax

Also Known As:

  • Kaspersky: Trojan-Downloader.Win32.FraudLoad.wqwz
  • AVIRA: TR/Dldr.FraudLoad.wqwz
  • McAfee: Generic FakeAlert!ci trojan
  • Microsoft: Trojan:Win32/FakeXPA

Further Reading:

Graham Cluley's blog: Facebook Fan Check virus scare leads to malware

Removal Instructions:

Please follow these instructions on how to remove Trojans.

About:

Troj/FakeAV-ZT is a fake anti-virus installer written in Delphi and packed with a polymorphic packer containing anti-emulator and anti-VM techniques. Troj/FakeAV-ZT is distributed using malicious websites promoted in search engine results for phrases like “Facebook Fan Check virus,” in other words, searches motivated by false rumors that the popular Facebook application “Fan Check” contained a virus. The malicious websites appearing in these searches contain Mal/FakeAvJs-A, which then distributes the Trojan.

Once it is active, Troj/FakeAV-ZT contacts Microsoft.com to check that it has an available internet connection and will then try to contact sites in China and the Netherlands. The Trojan also creates a registry entry:

HKLM\SOFTWARE\<32 char hexadecimal random key>

The Trojan then prevents the user from running the following security and analysis tools:

  • procexp
  • procmon
  • regmon
  • filemon
  • tcpview
  • unlocker
  • wireshark
  • vbox
  • httpanalyzer
  • hijackthis
  • ollydbg

Troj/FakeAV-ZT is also able to collect information about the infected computer, including system BIOS information, the user's version of Windows and registered license as well as CPU information.

The code of this Trojan is similar to that of another fake anti-virus product, known as "Personal Anti Virus," detected by Sophos as Troj/PAV-Gen.