Threat Spotlight

For the week of 06 Oct 2011
Threat 1

Fake antivirus scares users into scam

Threat Name:

Mal/FakeAvJS-A

Users at Risk:

Windows users

Also Known As:

Avira HTML/FakeAlert
McAfee HTML/FakeAV
Microsoft Trojan:JS/FakeIA
Symantec Trojan.Fakeavalert

Removal Instructions:

Please follow the instructions on how to remove generically detected files.

About:

Mal/FakeAvJS-A is a fake antivirus Trojan affecting Windows users.

Fake antivirus, also known as rogueware or scareware, is one of the more common web threats today.

The Trojan appears on webpages that display fake security scans and warnings alerting users to supposed threats on their computer. This scam works by encouraging users to purchase the fake security software from related websites.

Fake antivirus Trojans typically use repeated pop-ups and offers to download the software even if the user initially refuses. In some cases, the fake scanner may install automatically by exploiting browser vulnerabilities. The HTML and JavaScript are responsible for the dynamic content: scanning progress bars, lists of bogus threats and the pop-ups themselves.

Scammers lure users to the fake scanning pages through social engineering and search engine optimization: black hat SEO techniques poison seemingly relevant search results with links to the infected pages.

The fake scanning software, installed as a result of visiting sites hosting Mal/FakeAvJS-A, is usually a member of the Troj/FakeAV family.

Threat 2

USPS not the one zipping a Trojan

Threat Name:

Mal/Zbot-CX

Users at Risk:

Windows users

Also Known As:

AVP Trojan-Spy.Win32.Zbot.bovm
K7 Trojan ( f1000f011 )
Microsoft PWS:Win32/Zbot.gen!Y
Symantec W32.Qakbot!gen5

Removal Instructions:

Use the instructions for removing generically detected files to delete the file from your computer.

About:

Mal/Zbot-CX is a Trojan for the Windows platform, in the Zbot family of malware (also known as Zeus).

Mal/Zbot-CX is aggressively spammed out in multiple campaigns with various postal service lures.

The spammers behind this scheme use fake USPS notifications such as:

Subject:
Your parcel will be sent to the sender on May 12

Content:
Dear client.
Your package has been returned to the Post Express office.
The reason of the return is "Error in the delivery address."
More information and the tracking number are attached in document below.
Thank you.
USPS Priority Mail.

In this case, a file named Postal_Document#10994.zip (or a similar filename) is attached to the email; the ZIP contains a Trojan horse that Sophos detects as Mal/Zbot-CX.

Sophos also detects the ZIP file as Mal/BredoZp-B.

When you receive an email with an attachment like this, you should always use caution before opening it.
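The lure above delivers its payload as an executable inside a ZIP attachment. The following is an added example, not code from Sophos or from this spotlight, of the kind of check a mail gateway can apply before such an attachment reaches a user: open the archive, flag any member with an executable extension (including double extensions such as Document.pdf.exe), and note whether the attachment name follows the postal lure pattern. The "Postal_Document#<digits>.zip" pattern is assumed from the single sample name given on the page, and the archive used here is constructed in memory from a harmless text file rather than real malware.

```python
"""Added example (not from the Sophos page): inspect a ZIP e-mail attachment
the way a mail gateway might, flagging archives that carry an executable
payload behind a postal-notification lure."""
import io
import re
import zipfile
from typing import Dict, List

# File types that have no business arriving inside a "postal document" archive.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".dll"}

# Assumed lure naming pattern, generalised from "Postal_Document#10994.zip".
LURE_NAME_RE = re.compile(r"^postal_document#\d+\.zip$", re.IGNORECASE)


def suspicious_members(zip_bytes: bytes) -> List[str]:
    """Return archive members whose final extension is executable.
    A double extension such as 'Document.pdf.exe' still ends in '.exe',
    so it is caught by looking at the last extension only."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            if ext in EXECUTABLE_EXTENSIONS:
                flagged.append(info.filename)
    return flagged


def assess_attachment(filename: str, zip_bytes: bytes) -> Dict[str, object]:
    """Combine the lure-name check and the archive inspection into a verdict.
    An unreadable archive is quarantined too: a gateway must not deliver
    what it cannot inspect."""
    lure_name = LURE_NAME_RE.match(filename) is not None
    try:
        executables = suspicious_members(zip_bytes)
        readable = True
    except zipfile.BadZipFile:
        executables, readable = [], False

    if executables or not readable:
        verdict = "quarantine"
    elif lure_name:
        verdict = "review"      # lure-shaped name but no executable found
    else:
        verdict = "deliver"

    return {"lure_name": lure_name, "readable": readable,
            "executables": executables, "verdict": verdict}


def build_zip(members: Dict[str, str]) -> bytes:
    """Build a constructed in-memory ZIP from {member name: text content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed stand-in for the campaign's attachment: a text file given an .exe name.
    sample = build_zip({"Postal_Document#10994.exe": "not a real program"})
    print(assess_attachment("Postal_Document#10994.zip", sample))
```

The check is deliberately extension based; a production gateway would also look at the member's magic bytes, since an attacker can rename a file freely, but the extension rule alone already stops the lure as described on the page, where the archive member is an executable.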

Threat 3

Trojan downloads more malware from web

Threat Name:

Troj/Mdrop-DKE

Users at Risk:

Windows users

Also Known As:

Avira TR/Clicker.DH
K7 Trojan ( 748e48fd0 )
McAfee Generic Downloader.x!fxy
Microsoft Trojan:Win32/Dynamer!dtc
Symantec Trojan.Gen.2
Trend Micro TROJ_SPNR.0BFE11

Removal Instructions:

Please follow the instructions for removing Trojans.

About:

Troj/Mdrop-DKE is a Trojan dropper and downloader for the Windows platform.

It is written in VB6.

When executed, the Trojan attempts to contact:

freeme2host[dot]co[dot]cc

It then attempts to retrieve a file from:

freeme2host[dot]co[dot]cc/images/index4[dot]php

At the time of writing, this link was unavailable.

The Trojan drops a .dat file to:

%userprofile%\application data\[random integers].dat

This file is not itself considered worth detecting.
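The write-up gives two indicators for Troj/Mdrop-DKE: the defanged contact domain and the dropped-file path. The following is an added example, not code from Sophos, showing how a responder can turn those into checks: the domain is refanged and matched against constructed proxy and DNS log lines with boundaries so that look-alike hostnames do not match, and candidate file paths are tested against the "%userprofile%\application data\[random integers].dat" pattern. All log lines and paths below are constructed for the example.

```python
"""Added example (not part of the Sophos write-up): match the indicators
given for Troj/Mdrop-DKE against constructed log lines and file paths."""
import re
from typing import List

# Indicator exactly as the page gives it, in defanged form.
DEFANGED_DOMAIN = "freeme2host[dot]co[dot]cc"


def refang(indicator: str) -> str:
    """Turn the page's defanged form back into a matchable hostname."""
    return indicator.replace("[dot]", ".").replace("[.]", ".")


DOMAIN = refang(DEFANGED_DOMAIN)  # "freeme2host.co.cc"

# Match the domain (and any subdomain of it) but not hostnames that merely
# contain it, e.g. "notfreeme2host.co.cc" or "freeme2host.co.cc.example".
DOMAIN_RE = re.compile(
    r"(?<![\w-])(?:[\w-]+\.)*" + re.escape(DOMAIN) + r"(?![\w.-])",
    re.IGNORECASE,
)

# %userprofile%\application data\[random integers].dat
DROP_PATH_RE = re.compile(r"\\application data\\\d+\.dat$", re.IGNORECASE)


def matches_domain(line: str) -> bool:
    return DOMAIN_RE.search(line) is not None


def is_drop_path(path: str) -> bool:
    return DROP_PATH_RE.search(path) is not None


def domain_hits(lines: List[str]) -> List[str]:
    """Return the log lines that reference the contact domain."""
    return [line for line in lines if matches_domain(line)]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2011-10-06 09:12:01 dns query A freeme2host.co.cc from 10.0.0.14",
    "2011-10-06 09:12:02 proxy GET http://freeme2host.co.cc/images/index4.php 404",
    "2011-10-06 09:13:10 proxy GET http://www.example.com/ 200",
    "2011-10-06 09:14:33 dns query A notfreeme2host.co.cc from 10.0.0.22",
]

if __name__ == "__main__":
    for hit in domain_hits(SAMPLE_LOG):
        print("IOC hit:", hit)
    print(is_drop_path(r"C:\Documents and Settings\alice\Application Data\48201937.dat"))
```

The 404 in the constructed proxy line mirrors the page's note that the download link was unavailable at the time of writing; a failed fetch is still a strong sign that the dropper ran on the host that made the request.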