BitDefender weekly review – Rogues are still out there ...

07 August 2009
Another rogue anti-virus (what do you know?) called “System Security”, which provides anything but security for an infected system, is lurking for unwary users (are there still any out there?). Also in this week's review is one of those nasty IM worms that send messenger spam whose origin nobody could place.

Trojan.FakeAV.OT

This new piece of rogue software promotes "System Security". When executed, the application creates a copy of itself in %appdata%\[random].exe, where [random] is an 8-digit random number. It registers this executable to run at system startup by modifying the registry, then deletes itself using the batch self-delete technique (a dropped batch file that deletes the original executable once it has exited and then removes itself).

When the e-threat runs at startup, it mimics a full system scan and alerts the user to numerous infections. All of them are fake and serve a single purpose: to make the victim buy the product to "clean" the computer.

[Screenshot] A glimpse at System Security

Win32.Worm.IMStealer.A

When executed, the worm makes a copy of itself in %temp%\svchost32.exe and registers the executable to run at system startup.

The worm uses two distinct spreading methods. The first is the autorun.inf method: it creates copies of itself in the root folder of every local, network and removable drive, along with an autorun.inf file that points to the executable.

The second spreading routine uses instant messengers such as Skype, Yahoo! Messenger, Windows Live Messenger, AIM and ICQ. It searches for open windows of these applications and extracts data (user accounts) from several zones of interest: input boxes, lists and sub-windows. Then it tries to send a copy of itself to those users under the name MichaelJackson_WTF.pif, which it accomplishes by mimicking mouse and keyboard actions.
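Both samples above leave the same two kinds of host-level traces: a startup entry pointing at a dropped executable (Trojan.FakeAV.OT in %appdata%\[8 digits].exe, Win32.Worm.IMStealer.A in %temp%\svchost32.exe) and, for the worm, an autorun.inf on every drive root that launches the copy. The script below is an added triage example, not BitDefender's code and not something the post ships; it assumes the startup entries come from a Run key such as HKCU\Software\Microsoft\Windows\CurrentVersion\Run and works on constructed sample values so it runs offline. It generalises the two indicators in the post into a small autorun.inf parser and a path check that handles quoted paths, trailing arguments, unexpanded %APPDATA%, and both the XP ("Application Data") and Vista/7 ("AppData\Roaming") layouts.

```python
import ntpath
import re

# Constructed sample input standing in for what a triage script would read from a
# live system. The values are invented for this example, not taken from the post.
SAMPLE_RUN_VALUES = {
    "SecurityHealth": r"C:\Program Files\Windows Defender\MSASCui.exe",
    "12345678": r"C:\Users\victim\AppData\Roaming\12345678.exe",
    "svchost32": r"C:\Users\victim\AppData\Local\Temp\svchost32.exe",
}

SAMPLE_AUTORUN = """[autorun]
open=MichaelJackson_WTF.pif
shellexecute=setup.exe /s
icon=icon.ico
label=My Drive
"""

# Last path component of %appdata% on XP, on Vista/7, and when left unexpanded.
APPDATA_DIRS = ("application data", "roaming", "%appdata%")
EXECUTABLE_EXTS = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd")


def _executable_path(command):
    """Return the executable part of a command line, dropping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def is_suspicious_run_value(command):
    """Flag a Run-key value that matches either persistence path from the post:
    %appdata%\\<8 digits>.exe (Trojan.FakeAV.OT) or svchost32.exe (Win32.Worm.IMStealer.A).
    svchost32.exe is flagged wherever it sits: the legitimate binary is svchost.exe
    in System32, and nothing legitimate uses the lookalike name (assumption)."""
    path = _executable_path(command)
    name = ntpath.basename(path).lower()
    parent = ntpath.basename(ntpath.dirname(path)).lower()
    if re.fullmatch(r"\d{8}\.exe", name) and parent in APPDATA_DIRS:
        return True
    return name == "svchost32.exe"


def autorun_targets(text):
    """Parse an autorun.inf and return the files its open= and shellexecute=
    directives would launch, in file order. Only the [autorun] section counts."""
    targets = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in ("open", "shellexecute"):
            targets.append(_executable_path(value))
    return targets


def is_suspicious_autorun(text):
    """An autorun.inf that launches an executable from the drive is the pattern
    the post describes for the worm; icon/label-only files are left alone."""
    return any(ntpath.basename(t).lower().endswith(EXECUTABLE_EXTS)
               for t in autorun_targets(text))


def scan(run_values, autorun_files):
    """Return one finding string per suspicious Run value or autorun.inf."""
    findings = []
    for name, command in run_values.items():
        if is_suspicious_run_value(command):
            findings.append(f"Run value {name!r} -> {command}")
    for drive, text in autorun_files.items():
        if is_suspicious_autorun(text):
            findings.append(f"{drive} autorun.inf launches {autorun_targets(text)}")
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_RUN_VALUES, {"E:": SAMPLE_AUTORUN}):
        print(finding)
```

On a real host the two dictionaries would be filled from the Run keys (winreg or a registry hive dump) and from autorun.inf read off each drive root; the matching logic stays the same. The 8-digit rule is deliberately narrow to keep false positives down, so a sample that changes its naming scheme will slip past it; the autorun check is the more durable of the two, since any autorun.inf that launches an executable from a removable drive deserves a look regardless of which family dropped it.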

Information in this article is available courtesy of BitDefender virus researchers: Marius Vanta and Ovidiu Visoiu




Comments:

Guest said on Aug-10-2009 12:39

Thank you once again, it's a great service you are giving the law-abiding computer users

mike said on Aug-12-2009 10:20

Does BitDefender sell its product in any US stores? I would rather buy it at retail. Thank you!

Mint said on Aug-13-2009 06:40

This kind of malware can infect USB drives and network drives too.
The malware writer uses a trick to make users download a "fake" security app.
