Mal/FakeVirPk-A is a program packed with a protection system typically used by malware authors.
Files detected as Mal/FakeVirPk-A are frequently fraudulent security programs.
Some variants of this family are distributed through search engine poisoning of
topical search terms, and some have been served from typo-squatted versions of popular
industry domain names (http://www.sophos.com/blogs/sophoslabs/v/post/8885).
The following behavior has been observed in some variants of
Mal/FakeVirPk-A:
The sample will copy itself to:
<User>\Application Data\<8 digit random number>\<same random number>.exe
And create the following two files:
<DESKTOP>\Security Tool.lnk
<STARTMENU>\Programs\Security Tool.lnk
A run key will be created that executes the exe on system startup. The value name is the same
random number used for the folder and the exe (APPLIC~1 is the 8.3 short name for Application Data), such as:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    98617132 = <User>\APPLIC~1\98617132\98617132.exe
The sample will be blocked by HIPS/RegMod-001.
The malware will also attempt to contact an IP address over HTTP, including certain
information about the infected computer in the request (an affiliate ID, the Windows
version and a pipe-separated field). Note that the '&' separators in the query string
are percent-encoded as %26, so a standard query parser sees a single affid parameter, e.g.:
http:// 178 . 32 . 68 . 66/in.php?affid=93101%26url=5%26win=Windows%20XP+3.0%26sts=93101|9|931|01|1|US|1|6|7|1|184|0
Registry entries may also be created under:
HKLM\SOFTWARE\<random number>
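The following Python script is an added triage example and is not Sophos code. It turns the persistence artefacts above (the 8-digit Run value pointing at <Application Data>\<same number>\<same number>.exe, the Security Tool.lnk shortcuts) and the quoted check-in URL into checks that can be run over exported registry values, file listings and proxy logs. The registry values, file paths and proxy log lines used as samples are constructed; the beacon URL is the one quoted above, re-fanged. The log format assumed by scan_proxy_log is a hypothetical whitespace-separated one.

```python
"""Triage helpers for the Mal/FakeVirPk-A artefacts described on this page.

Added example (not Sophos code). The persistence and shortcut checks follow
the paths given above; the beacon parser follows the quoted check-in URL.
Registry values, file paths and proxy log lines used as samples are
constructed for illustration.
"""
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# Both the folder and the executable are named with the same 8-digit number,
# and that number is also used as the Run value name.
RUN_NAME_RE = re.compile(r"^\d{8}$")
# Data may use the long form (Application Data) or the 8.3 short form (APPLIC~1).
RUN_DATA_RE = re.compile(
    r"\\(?:Application Data|APPLIC~1)\\(?P<dir>\d{8})\\(?P<exe>\d{8})\.exe$",
    re.IGNORECASE,
)
BEACON_PATH = "/in.php"


def is_fakevirpk_run_value(name: str, data: str) -> bool:
    """True when a Run value has the shape described above: an 8-digit value
    name whose data is <Application Data>\\<same number>\\<same number>.exe."""
    if not RUN_NAME_RE.match(name):
        return False
    m = RUN_DATA_RE.search(data.strip().strip('"'))
    return bool(m) and m.group("dir") == m.group("exe") == name


def is_fakevirpk_shortcut(path: str) -> bool:
    """True for the 'Security Tool.lnk' shortcut dropped on the Desktop and in
    the Start Menu Programs folder."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower() == "security tool.lnk"


def parse_fakevirpk_beacon(url: str) -> Optional[dict]:
    """Decode the check-in request. The sample percent-encodes the '&'
    separators (%26), so a standard query parser sees a single 'affid'
    parameter carrying the whole string; decode once, then split. The
    'sts' field is returned as the list of its pipe-separated values.
    Returns None when the URL is not this beacon."""
    parts = urlsplit(url)
    if parts.path.lower() != BEACON_PATH:
        return None
    fields = {}
    for item in unquote(parts.query).split("&"):
        key, _, value = item.partition("=")
        fields[key] = value
    if "affid" not in fields or "sts" not in fields:
        return None
    fields["sts"] = fields["sts"].split("|")
    return fields


def scan_proxy_log(lines) -> list:
    """Return (client, affid, win) for each log line whose URL is the beacon.
    Assumes a constructed whitespace-separated format (hypothetical):
    <timestamp> <client_ip> <method> <url> <status>."""
    hits = []
    for line in lines:
        cols = line.split()
        if len(cols) < 4:
            continue
        fields = parse_fakevirpk_beacon(cols[3])
        if fields is not None:
            hits.append((cols[1], fields["affid"], fields.get("win", "")))
    return hits


# Constructed samples. The beacon URL is the one quoted above, re-fanged.
BEACON_URL = ("http://178.32.68.66/in.php?affid=93101%26url=5%26win=Windows%20XP+3.0"
              "%26sts=93101|9|931|01|1|US|1|6|7|1|184|0")
SAMPLE_LOG = [
    "2010-03-01T10:00:01 10.0.0.5 GET http://www.example.com/index.html 200",
    "2010-03-01T10:00:07 10.0.0.23 GET " + BEACON_URL + " 200",
    "2010-03-01T10:00:09 10.0.0.23 GET http://www.example.com/in.php?x=1 404",
]

if __name__ == "__main__":
    print(is_fakevirpk_run_value(
        "98617132", r"C:\Documents and Settings\user\APPLIC~1\98617132\98617132.exe"))
    print(parse_fakevirpk_beacon(BEACON_URL))
    print(scan_proxy_log(SAMPLE_LOG))
```

The Run value check deliberately requires the folder name, the exe name and the value name to be the same 8-digit number, which is the distinctive part of this family's persistence; a looser match on Application Data alone would fire on legitimate software. The beacon parser calls unquote only once, since a second decode would also alter any legitimately encoded characters inside the field values.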