Mal/FakeAV-JO is a proactive detection for a family of fake anti-virus programs, also known as "scareware", and for the Trojans that install them.
Members of the Mal/FakeAV-JO family typically display some or all of the following behaviors:
- run automatically
- drop other malware into the <User>\Application Data\<random name>\ folder
- access the internet and communicate with a remote server via HTTP
- add registry entries to run malware automatically
Members of the Mal/FakeAV-JO family were spread via email messages purporting to contain naked pictures. The Subject line of the email contained one of the following:
naked picture of me
for a good day :)
sending you my nude pic
my naked picture
my hot picture
my hot pic :)
and the Message Body of the email was as follows:
hi sweetie...
sending you my naked pictures i made today, hope you like em :)
kisses..
Attached to the email was a zip file called pictures.zip.
When run, members of the Mal/FakeAV-JO family may attempt to contact the following sites:
www DOT google DOT com
panamericatimes DOT com
toolbar DOT google DOT com
updatessite DOT com
help DOT yahoo DOT com
Members of the Mal/FakeAV-JO family may set the following registry entry:
HKCU\Software\A88601
In addition to the detection provided for Mal/FakeAV-JO, the proactive HIPS technology in Sophos Endpoint Security can prevent the installation of Mal/FakeAV-JO using various rules, including:
HIPS/IPConnect-001
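The indicators above (the lure subjects and attachment name, the persistence key, the contacted hosts, and the sample SHA-1 hashes listed under Examples below) are enough for a simple IoC sweep. The Python below is an added example written for this page, not Sophos code: every indicator value is copied from the page, while the registry export, the DNS log lines and their BIND-style query-log format are constructed assumptions. One caveat for defenders: www.google.com, toolbar.google.com and help.yahoo.com are legitimate services that the malware merely contacts, so the sweep alerts only on the two remaining hosts.

```python
"""Added example (not Sophos code): mail, host and DNS checks for the
Mal/FakeAV-JO indicators listed on this page.  Indicator values come from
the page; the registry export and DNS log lines are constructed sample
input, and the log format is an assumed BIND-style query log."""
import hashlib
import re
from typing import Iterable, List, Tuple

# Lure subject lines and attachment name from the page.
SUBJECT_LURES = {
    "naked picture of me", "for a good day :)", "sending you my nude pic",
    "my naked picture", "my hot picture", "my hot pic :)",
}
LURE_ATTACHMENT = "pictures.zip"

# Persistence key from the page (compared case-insensitively, as Windows does).
REGISTRY_IOC = r"HKCU\Software\A88601"

# SHA-1 hashes of the three samples listed under "Examples" on the page.
SAMPLE_SHA1 = {
    "004c114a2edaf0e778899b06a79071cfab88d8c8",
    "00d7991681928801361eef3434913c5ac711a963",
    "00f3abbae1b040fe7938aa64c8267cebd7f9d9a9",
}

# Of the hosts the page says the malware contacts, only these two are not
# well-known legitimate services; alerting on google.com or yahoo.com
# lookups would be pure noise.
SUSPECT_HOSTS = {"panamericatimes.com", "updatessite.com"}


def is_lure_email(subject: str, attachments: Iterable[str]) -> bool:
    """True when the subject is one of the listed lures and pictures.zip is attached."""
    if subject.strip().lower() not in SUBJECT_LURES:
        return False
    return any(name.lower() == LURE_ATTACHMENT for name in attachments)


def sha1_of(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def is_known_sample(data: bytes) -> bool:
    """True when the file's SHA-1 matches one of the page's sample hashes."""
    return sha1_of(data) in SAMPLE_SHA1


def registry_hits(exported_keys: Iterable[str]) -> List[str]:
    """Keys from a registry export that equal the page's persistence IoC."""
    want = REGISTRY_IOC.lower()
    return [k for k in exported_keys if k.strip().rstrip("\\").lower() == want]


def _host_matches(qname: str, host: str) -> bool:
    q = qname.rstrip(".").lower()
    return q == host or q.endswith("." + host)


def dns_hits(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """(client, qname) pairs for lookups of a suspect host or any of its subdomains."""
    hits = []
    for line in log_lines:
        m = re.search(r"client ([\d.]+)#\d+ .*query: (\S+) IN ", line)
        if m and any(_host_matches(m.group(2), h) for h in SUSPECT_HOSTS):
            hits.append((m.group(1), m.group(2)))
    return hits


# Constructed sample input (not real telemetry); the google/yahoo lookups
# are deliberately present to show they are not reported.
SAMPLE_DNS_LOG = [
    "27-Feb-2017 10:15:02.101 client 10.0.0.5#53122 (www.google.com): query: www.google.com IN A + (10.0.0.1)",
    "27-Feb-2017 10:15:02.340 client 10.0.0.5#53123 (updatessite.com): query: updatessite.com IN A + (10.0.0.1)",
    "27-Feb-2017 10:15:03.002 client 10.0.0.9#41001 (help.yahoo.com): query: help.yahoo.com IN A + (10.0.0.1)",
    "27-Feb-2017 10:15:04.517 client 10.0.0.5#53124 (www.panamericatimes.com): query: www.panamericatimes.com IN A + (10.0.0.1)",
]
SAMPLE_REGISTRY_EXPORT = [
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "HKCU\\SOFTWARE\\A88601\\",
]


def sweep() -> dict:
    """Run every check over the constructed sample data and summarise the findings."""
    return {
        "lure_email": is_lure_email("My hot pic :)", ["pictures.zip"]),
        "registry": registry_hits(SAMPLE_REGISTRY_EXPORT),
        "dns": dns_hits(SAMPLE_DNS_LOG),
        "known_sample": is_known_sample(b"not one of the listed samples"),
    }


if __name__ == "__main__":
    for name, result in sweep().items():
        print(f"{name}: {result}")
```

In practice the registry check runs against a `reg export HKCU` dump and the DNS check against resolver logs; the lure check belongs at the mail gateway, where the subject-plus-attachment combination is a much stronger signal than either on its own.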
Examples of Mal/FakeAV-JO include:
Example 1
File Information
- Size: 213K
- SHA-1: 004c114a2edaf0e778899b06a79071cfab88d8c8
- MD5: dc57199eb152dd28b8518ae8a98733a4
- CRC-32: 7955f340
- File type: Windows executable
- First seen: 2017-02-27
Example 2
File Information
- Size: 1.1M
- SHA-1: 00d7991681928801361eef3434913c5ac711a963
- MD5: da9ac86767b7de10d0a3c54171ea08b2
- CRC-32: 6054968b
- File type: Windows executable
- First seen: 2016-01-27
Runtime Analysis
Registry Keys Created
- HKLM\SOFTWARE\Microsoft\ESENT\Process\sample\DEBUG
  - Trace Level
DNS Requests
Example 3
File Information
- Size: 213K
- SHA-1: 00f3abbae1b040fe7938aa64c8267cebd7f9d9a9
- MD5: b7a5330b0a99b8274c41750639b2e6e4
- CRC-32: 6f3294cc
- File type: Windows executable
- First seen: 2017-03-14