Threat Spotlight

For the week of 26 May 2011

Threat 1

Yet another malware variant for your Mac

Threat Name:

OSX/FakeAV-DOE

Users at Risk:

Mac OSX users

Also Known As:

  • Microsoft Rogue:MacOS_X/FakeMacdef
  • Symantec MACDefender

Removal Instructions:

Please follow the instructions for removing Trojans.

About:

OSX/FakeAV-DOE is a variant of the OSX/FakeAV-A malware family. This Trojan is known to be distributed in a file called

BestMacAntivirus2011.mpkg.zip

Like other members of the OSX/FakeAV-A family, this Trojan is distributed by SEO poisoning, which redirects the user to a FakeAV "scan" JavaScript page that then displays the message "your computer may be infected."

The user is then prompted to install an application that will supposedly fix the problems found, and is asked for administrator credentials in order to install it. If the user types in those credentials, the fake antivirus application installs in the /Applications folder and then launches.

OSX/FakeAV-DOE will then repeat the "detection" alert while also opening the web pages it is known to contact in the system's default web browser. The Trojan then prompts the user to register the software to clean up the (fake) infections, bringing up an online payment page where the user can pay by credit card for a one-year, two-year, or lifetime license. This, of course, hands the user's full contact information to the Trojan's authors.

As with other members of the OSX/FakeAV-A family of malware, OSX/FakeAV-DOE may attempt to contact one of the following sites:



Threat 2

Downloader disables digital signature checking

Threat Name:

Troj/DwnLdr-JBV

Users at Risk:

Windows users

Also Known As:

  • Avira TR/Dldr.Chepvil.K.47
  • AVP Trojan-Downloader.Win32.FraudLoad.zfoj
  • McAfee Artemis trojan
  • Microsoft TrojanDownloader:Win32/Chepvil.K
  • Trend Micro TROJ_CHEPVIL.AC

Removal Instructions:

Please follow the instructions for removing Trojans.

About:

Troj/DwnLdr-JBV is a downloader that attempts to retrieve an executable from the internet and run it. This threat uses an Adobe PDF document icon to trick users into running it.

When run, the downloader makes a copy of itself in the Application Data folder. It then disables digital signature checking for executables in Internet Explorer and sets the safety level of many file extensions, including EXE, to low risk, so that downloaded programs run without the usual warnings. It then attempts to contact the following sites and IPs, some of which point directly to a target executable:


Sample behavior of this threat in Sophos Labs triggered Sophos product detection rules HIPS/RegMod-004, HIPS/RegMod-008 and HIPS/RegMod-009. The downloaded executable is in turn detected by Sophos products as Troj/FakeAV-DRB and Mal/FakeAV-LN.
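The two weakening changes described above (signature checking switched off in Internet Explorer, executable extensions marked low risk) are the kind of registry modification those HIPS/RegMod rules flag. As an added example that is not part of the Spotlight or any Sophos tool, the PowerShell audit below checks a Windows host for both; the registry locations and value names it reads are my assumption of where Internet Explorer and the Attachment Manager keep these settings, not values taken from the page.

```powershell
# Added example, not code from the Threat Spotlight or from Sophos.
# Audits a Windows host for the two download-safety changes the page
# attributes to Troj/DwnLdr-JBV. Assumed registry locations (not on the page):
#   <hive>\Software\Microsoft\Internet Explorer\Download
#       CheckExeSignatures = "no"   -> Authenticode check for downloaded EXEs is off
#   <hive>\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
#       LowRiskFileTypes = ".exe;..." -> extensions the Attachment Manager will not warn about
function Test-DownloadSafetyTampering {
    param(
        # Extensions that should never be treated as low risk.
        [string[]] $DangerousExtensions = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js', '.msi', '.hta'),
        # Check both the current-user and the machine-wide hive.
        [string[]] $Hives = @('HKCU:', 'HKLM:')
    )
    $findings = @()
    foreach ($hive in $Hives) {
        $dlKey = "$hive\Software\Microsoft\Internet Explorer\Download"
        $sig = (Get-ItemProperty -Path $dlKey -Name CheckExeSignatures -ErrorAction SilentlyContinue).CheckExeSignatures
        if ($sig -and "$sig".Trim().ToLower() -eq 'no') {
            $findings += [pscustomobject]@{
                Hive = $hive; Key = $dlKey; Value = 'CheckExeSignatures'
                Issue = 'Digital signature checking for downloaded executables is disabled'
            }
        }
        $assocKey = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\Associations"
        $low = (Get-ItemProperty -Path $assocKey -Name LowRiskFileTypes -ErrorAction SilentlyContinue).LowRiskFileTypes
        if ($low) {
            # The value is a semicolon-separated list of extensions.
            $marked = "$low" -split ';' | ForEach-Object { $_.Trim().ToLower() } |
                      Where-Object { $DangerousExtensions -contains $_ }
            if ($marked) {
                $findings += [pscustomobject]@{
                    Hive = $hive; Key = $assocKey; Value = 'LowRiskFileTypes'
                    Issue = "Executable extensions marked low risk: $($marked -join ', ')"
                }
            }
        }
    }
    return $findings
}

# Report; a non-zero exit code lets a login script or scheduled task flag the host.
$result = Test-DownloadSafetyTampering
if ($result) { $result | Format-Table -AutoSize; exit 1 }
Write-Host 'No download-safety tampering found.'
```

Deleting a flagged value with Remove-ItemProperty restores the Windows default, which is signature checking on and no low-risk extension list.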

Threat 3

Another aggressive Bredo spam campaign

Threat Name:

Troj/Bredo-HL

Users at Risk:

Windows users

Also Known As:

  • AntiVir TR/Crypt.ZPACK.Gen
  • AVAST! Win32:Kryptik-CMA
  • Avira TR/Crypt.ZPACK.Gen
  • BitDefender Trojan.Generic.KD.223600
  • Dr.Web Trojan.DownLoader2.43734
  • F-Prot W32/Trojan3.COX

Removal Instructions:

Please follow the instructions for removing Trojans.

About:

Troj/Bredo-HL, a Trojan in the Bredo family of malware, has been aggressively spammed out in multiple campaigns with various dating-related lures. The spammers behind this scheme use fake picture emails such as:

Subject: my naked pic is attached
Content: I love wild sex and looking for a discreet partner. I have my picture attached to this email. Take a look at it and get back if you like what you see.

In this case, a file called mypic.zip is attached to the emails, which itself contains a Trojan that Sophos products detect as Troj/Bredo-HL. (Sophos also detects the ZIP file itself as Mal/BredoZp-B.)

This Trojan can access the internet and communicate with a remote server via HTTP. When it does, it will try to access the following location:

ku3 DOT in