Mal/FakeAV-JO

    Category: Viruses and SpywareProtection available since:08 Oct 2019 18:46:58 (GMT)
    Type: Malicious behaviorLast Updated:08 Oct 2019 18:46:58 (GMT)
    Prevalence: Small Number of Reports

    Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

    Mal/FakeAv-JO is a proactive detection for a family of fake anti-virus programs, also known as "scareware" and the Trojans that install them.

     

    Members of the Mal/FakeAV-JO family typically display some or all of the following behaviors:

    - run automatically

    - drop other malwares to the <User>\Application Data\<random name>\ folder

    - access the internet and communicate with a remote server via HTTP

    - add registry entries to run malware automatically

     

    Members of the Mal/FakeAV-JO family were spread via email messages purporting to contain naked pictures. The Subject line of the email contained one of the following:

     

    naked picture of me

    for a good day :)

    sending you my nude pic

    my naked picture

    my hot picture

    my hot pic :)

     

    and the Message Body of the email was as follows:

     

    hi sweetie...

     

    sending you my naked pictures i made today, hope you like em :)

     

    kisses..

     

    Attached to the email was a zip file called pictures.zip.

     

    When run, members of the Mal/FakeAv-JO family of malware may attempt to contact the following sites:

     

      www DOT google DOT com

      panamericatimes DOT com

      toolbar DOT google DOT com

      updatessite DOT com

      help DOT yahoo DOT com

     

    Members of the Mal/FakeAv-JO family may set the following registry entry:

     

    HKCU\Software\A88601

     

    In addition to the detection provided for Mal/FakeAv-JO, the proactive HIPS technology in Sophos Endpoint Security can prevent the installation of Mal/FakeAv-JO using various rules, including:

     

    HIPS/IPConnect-001

    Examples of Mal/FakeAV-JO include:

    Example 1

    File Information

    Size
    213K
    SHA-1
    004c114a2edaf0e778899b06a79071cfab88d8c8
    MD5
    dc57199eb152dd28b8518ae8a98733a4
    CRC-32
    7955f340
    File type
    Windows executable
    First seen
    2017-02-27

    Example 2

    File Information

    Size
    1.1M
    SHA-1
    00d7991681928801361eef3434913c5ac711a963
    MD5
    da9ac86767b7de10d0a3c54171ea08b2
    CRC-32
    6054968b
    File type
    Windows executable
    First seen
    2016-01-27

    Runtime Analysis

    Registry Keys Created
    • HKLM\SOFTWARE\Microsoft\ESENT\Process\sample\DEBUG
      Trace Level
    DNS Requests
    • www.download-leader.com

    Example 3

    File Information

    Size
    213K
    SHA-1
    00f3abbae1b040fe7938aa64c8267cebd7f9d9a9
    MD5
    b7a5330b0a99b8274c41750639b2e6e4
    CRC-32
    6f3294cc
    File type
    Windows executable
    First seen
    2017-03-14

    Download Sophos HomeDownload
    Sophos Home

    Free business-grade security for the home.

    Endpoint Protection