Mal/FakeAV-JO

Category: Viruses and Spyware
Type: Malicious behavior
Prevalence: Small Number of Reports
Protection available since: 27 Sep 2018 11:30:52 (GMT)
Last Updated: 27 Sep 2018 11:30:52 (GMT)


Mal/FakeAV-JO is a proactive detection for a family of fake anti-virus programs (also known as "scareware") and for the Trojans that install them.

Members of the Mal/FakeAV-JO family typically display some or all of the following behaviors:

- run automatically

- drop other malware into the <User>\Application Data\<random name>\ folder (the user's %APPDATA% directory)

- access the internet and communicate with a remote server via HTTP

- add registry entries to run malware automatically

 

Members of the Mal/FakeAV-JO family were spread via email messages purporting to contain naked pictures. The Subject line of the email contained one of the following:

 

naked picture of me

for a good day :)

sending you my nude pic

my naked picture

my hot picture

my hot pic :)

 

and the Message Body of the email was as follows:

 

hi sweetie...

 

sending you my naked pictures i made today, hope you like em :)

 

kisses..

 

Attached to the email was a zip file called pictures.zip.
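As an added example (not part of the Sophos description), the lure above can be turned into a mail-gateway triage check. The Python below compares a message's Subject against the listed lure lines, looks for a pictures.zip attachment, and lists any executable members inside that archive without extracting it. The sample message is constructed here for the demonstration; the sender and recipient addresses, the executable suffix list and the .exe member name are assumptions.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Subject lines reported for this campaign (taken from the description above).
LURE_SUBJECTS = {
    "naked picture of me",
    "for a good day :)",
    "sending you my nude pic",
    "my naked picture",
    "my hot picture",
    "my hot pic :)",
}
LURE_ATTACHMENT = "pictures.zip"
# Assumption: suffixes Windows will execute directly from a double-click.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def executable_names_in_zip(data: bytes) -> List[str]:
    """List archive members with an executable suffix, reading only the directory."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_SUFFIXES)]
    except zipfile.BadZipFile:
        return []


def triage_message(raw: bytes) -> Dict[str, object]:
    """Score one RFC 822 message against the campaign's lure indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip().lower()
    findings: Dict[str, object] = {
        "subject_match": subject in LURE_SUBJECTS,
        "zip_attachment": False,
        "executables": [],
    }
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == LURE_ATTACHMENT:
            findings["zip_attachment"] = True
            findings["executables"] = executable_names_in_zip(part.get_payload(decode=True) or b"")
    # A lure subject plus the named archive, or an archive carrying an executable, is blocked;
    # a single indicator is queued for human review.
    if findings["zip_attachment"] and (findings["subject_match"] or findings["executables"]):
        findings["verdict"] = "block"
    elif findings["subject_match"] or findings["zip_attachment"]:
        findings["verdict"] = "review"
    else:
        findings["verdict"] = "pass"
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: a lure message whose pictures.zip holds a fake .exe (not a real binary)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("picture.jpg.exe", b"MZ" + b"\x00" * 64)  # placeholder bytes, not malware
    msg = EmailMessage()
    msg["Subject"] = "my hot pic :)"
    msg["From"] = "someone@example.invalid"   # assumed address
    msg["To"] = "victim@example.invalid"      # assumed address
    msg.set_content(
        "hi sweetie...\n\nsending you my naked pictures i made today, hope you like em :)\n\nkisses..\n"
    )
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=LURE_ATTACHMENT)
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_message(build_sample_message()))
```

The archive is inspected through its central directory only, so a crafted zip cannot trigger extraction on the gateway; anything that reaches "review" should still be detonated or hashed against the examples listed further down.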

 

When run, members of the Mal/FakeAV-JO family of malware may attempt to contact the following sites:

 

  www DOT google DOT com

  panamericatimes DOT com

  toolbar DOT google DOT com

  updatessite DOT com

  help DOT yahoo DOT com

 

Members of the Mal/FakeAV-JO family may set the following registry entry:

 

HKCU\Software\A88601

 

In addition to the detection provided for Mal/FakeAV-JO, the proactive HIPS technology in Sophos Endpoint Security can prevent the installation of Mal/FakeAV-JO using various rules, including:

 

HIPS/IPConnect-001

Examples of Mal/FakeAV-JO include:

Example 1

File Information
  Size: 213K
  SHA-1: 004c114a2edaf0e778899b06a79071cfab88d8c8
  MD5: dc57199eb152dd28b8518ae8a98733a4
  CRC-32: 7955f340
  File type: Windows executable
  First seen: 2017-02-27

Example 2

File Information
  Size: 1.1M
  SHA-1: 00d7991681928801361eef3434913c5ac711a963
  MD5: da9ac86767b7de10d0a3c54171ea08b2
  CRC-32: 6054968b
  File type: Windows executable
  First seen: 2016-01-27

Runtime Analysis
  Registry Keys Created
    • HKLM\SOFTWARE\Microsoft\ESENT\Process\sample\DEBUG (value name: Trace Level; "sample" is the file name the sandbox gave the executable)
  DNS Requests
    • www.download-leader.com

Example 3

File Information
  Size: 213K
  SHA-1: 00f3abbae1b040fe7938aa64c8267cebd7f9d9a9
  MD5: b7a5330b0a99b8274c41750639b2e6e4
  CRC-32: 6f3294cc
  File type: Windows executable
  First seen: 2017-03-14
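Added example, not from the original page: a Python sweep that hashes files under a directory against the SHA-1/MD5 values from Examples 1 to 3 and scans DNS log lines for the contacted hostnames listed earlier (refanged from the "DOT" notation) plus the www.download-leader.com request from Example 2. The log lines and the sample directory are constructed here; the log format, and the decision to rate hosts under google.com and yahoo.com as weak indicators because benign software contacts them too, are assumptions.

```python
import hashlib
import os
import re
import tempfile
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Hashes from Examples 1-3 above.
KNOWN_SHA1: Set[str] = {
    "004c114a2edaf0e778899b06a79071cfab88d8c8",
    "00d7991681928801361eef3434913c5ac711a963",
    "00f3abbae1b040fe7938aa64c8267cebd7f9d9a9",
}
KNOWN_MD5: Set[str] = {
    "dc57199eb152dd28b8518ae8a98733a4",
    "da9ac86767b7de10d0a3c54171ea08b2",
    "b7a5330b0a99b8274c41750639b2e6e4",
}

# Contacted hosts exactly as the page writes them (defanged with " DOT ").
DEFANGED_HOSTS = [
    "www DOT google DOT com",
    "panamericatimes DOT com",
    "toolbar DOT google DOT com",
    "updatessite DOT com",
    "help DOT yahoo DOT com",
]


def refang(defanged: str) -> str:
    """Convert 'a DOT b DOT c' back into a hostname that can be matched against logs."""
    return ".".join(part.strip() for part in defanged.split(" DOT ")).lower()


IOC_HOSTS: Set[str] = {refang(h) for h in DEFANGED_HOSTS} | {"www.download-leader.com"}
# Assumption: hosts under these parents are also contacted by benign software,
# so a match is reported but rated weak rather than strong.
WEAK_PARENTS = {"google.com", "yahoo.com"}


def hash_file(path: str) -> Tuple[str, str]:
    """Return (sha1, md5) hex digests of a file, streamed in 64 KiB chunks."""
    sha1, md5 = hashlib.sha1(), hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            sha1.update(chunk)
            md5.update(chunk)
    return sha1.hexdigest(), md5.hexdigest()


def sweep_directory(root: str, known_sha1: Set[str] = KNOWN_SHA1,
                    known_md5: Set[str] = KNOWN_MD5) -> List[Dict[str, str]]:
    """Walk `root` and report every file whose SHA-1 or MD5 is in the known sets."""
    hits: List[Dict[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                sha1, md5 = hash_file(path)
            except OSError:  # locked or unreadable file: skip it, keep sweeping
                continue
            if sha1 in known_sha1 or md5 in known_md5:
                hits.append({"path": path, "sha1": sha1, "md5": md5})
    return hits


# Dotted names in a log line; IPs also match but never classify as an IOC host.
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)


def classify_host(host: str) -> Optional[str]:
    """'strong' or 'weak' when `host` is, or sits under, an IOC host; None otherwise."""
    host = host.lower().rstrip(".")
    for ioc in IOC_HOSTS:
        if host == ioc or host.endswith("." + ioc):
            parent = ".".join(ioc.split(".")[-2:])
            return "weak" if parent in WEAK_PARENTS else "strong"
    return None


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (host, strength) for every IOC host queried in the given log lines."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        for host in HOST_RE.findall(line):
            strength = classify_host(host)
            if strength is not None:
                hits.append((host.lower(), strength))
    return hits


# Constructed sample log lines; the resolver log format is assumed.
SAMPLE_DNS_LOG = [
    "2018-09-27 11:30:52 client 10.0.0.5 query updatessite.com A",
    "2018-09-27 11:30:53 client 10.0.0.5 query toolbar.google.com A",
    "2018-09-27 11:30:54 client 10.0.0.5 query www.download-leader.com A",
    "2018-09-27 11:31:10 client 10.0.0.7 query mail.example.net A",
]


def make_sample_dir() -> str:
    """Create a throwaway directory holding one benign file so the sweep can be demonstrated."""
    root = tempfile.mkdtemp(prefix="fakeav-sweep-")
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"hello")
    return root


if __name__ == "__main__":
    for host, strength in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"DNS IOC hit: {host} ({strength})")
    print("file hits:", sweep_directory(make_sample_dir()))
```

On the affected Windows host itself, the persistence indicators from the description are checked with `reg query HKCU\Software\A88601` and by listing %APPDATA% for a recently created folder with a random name. The ESENT\Process\<image name>\DEBUG key from Example 2 is a generic artifact of the ESE library and carries whatever file name the sandbox used, so it is a weak indicator on its own.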