Continued from our last post — Virus Encyclopedia vol.3I
In the last volume, we introduced some highly threatening malware and their probable symptoms so that you can sense their presence. In this volume, we will learn about malware that runs fake antivirus scans and tricks users into spending money on fake and useless products. We will also read about exploits, and about how malicious websites attack computers while disguised as clean websites.
Discovered by Boeriu Laura, virus researcher, on 5th September 2008, Trojan.Fakeav.BC is a medium-intensity Trojan that spreads at a medium rate and has a medium damaging impact on your PC. If you fall prey to it, however, you may be fooled into spending money on faulty products that you do not actually need. This malware is injected into a system with the motive of tricking the user into paying online for the antivirus program that the malware proposes.
The prime symptom that hints at the presence of this virus is the frequent running of an antivirus program that you did not install yourself. Another significant and noticeable symptom is the presence of the file C:\Program Files\AAV\aav.exe on your computer.
As mentioned above, once installed on your PC this malware starts running spurious scans, at the end of which it warns you that your computer is in the clutches of threatening viruses and malware. All these infections are unreal, and even the antivirus scan is completely fake, but the scans look very genuine; if you respond to them, you are directed to a window asking for registration. Here registration means paying in full for the antivirus program. The program claims that without registration it cannot remove the viruses and other malware it has found on your system.
The only way to identify these fake scans is to understand that they bear the name of an AV program you did not install yourself. Beyond that, use a strong, genuine, and updated AV program to remove this Trojan from your system.
Discovered on 4th September 2008 by Daniel RADU, virus researcher, Trojan.FakeAntivirus.Gen is rogue antivirus software. It has a medium damaging impact but spreads at a highly alarming rate. It operates by running fake scans that show the user serious virus and malware issues which supposedly must be fixed immediately to keep the computer performing and to prevent it from crashing. Such antivirus programs are fake, and the issues they show as scan results are completely fake as well. They exist purely to persuade the user to buy that antivirus program.
Usually an average user installs one AV program on his computer and most likely remembers its name. So if you see your system running an antivirus scan that you did not install yourself, it is most likely an attack by Trojan.FakeAntivirus.Gen. If these scans send you warning notifications saying that your computer is infected and urge you to buy certain virus removal software, your computer has most likely come under the threat of Trojan.FakeAntivirus.Gen.
The presence of Trojan.FakeAntivirus.Gen triggers frequent system scans that warn you about possible virus infections. These scans are not conducted by the regular AV program you officially installed on your system; they carry some other name. Furthermore, these fake scans make claims like “instant scan of the computer,” “100% detection and removal of known and unknown threats,” “no need for updates,” etc. Trojan.FakeAntivirus.Gen operates as rogue AV software that runs fake scans announcing fake virus attacks. By presenting false threats, this virus tries to persuade the user to buy a removal program, update a license, etc.
Discovered on 3rd September 2008 by well-known virus researcher Daniel Chipiristeanu, Exploit.SinaDLoader.B is an exploit that infects a computer by running many other exploits. It is introduced into a computer through malware websites. It has a medium damaging capacity and spreads at a medium rate. It attacks a computer as a group of exploits: if one exploit fails to have an effect, it tries the next exploit in the set.
Without running a detection scan with a genuine AV program, it is difficult to detect this exploit, because it does not show obvious, noticeable symptoms. It operates silently.
Exploit.SinaDLoader.B is hosted by various malware websites. If you visit those websites, there is a chance that it will be installed on your computer. It is installed as a set of exploits, and it uses them one by one until the computer is completely infected. The exploits form a hierarchy, and their end motive is to download the “final” malware onto the computer.
Discovered on 3rd September 2008 by Daniel Chipiristeanu, virus researcher, Trojan.HTML.IFrame.F is an invisible malicious iframe inserted into the code of clean web pages. The insertion is done mostly through SQL injection, similar to Trojan.Asprox infections. Trojan.HTML.IFrame.F infections occur only at the end of the HTML code, which was initially clean.
There are no specific noticeable symptoms of Trojan.HTML.IFrame.F. Whatever small symptoms it shows unfortunately appear only after the computer has been completely compromised.
Trojan.HTML.IFrame.F is basically an iframe within clean web page code. It works on the principle that the main page appears clean, whereas the real infections come through a hidden common gateway interface at the URL [infected_site]/in.cgi?[number_for_infection_campaign]. The clean website redirects to another infected website with the following specification:
- Domain Name: orentraff.cn
- ROID: 20071002s10001s83561693-cn
- Domain Status: ok
- Registrant Organization: NizovGrisha
- Registrant Name: NizovGrisha
This is an infected adult site carrying rogue antivirus software (usually XP Antivirus variants) such as Trojan Spammer Tedroo, Trojan Exchange, Trojan.Spy.Zeus and many others.
With knowledge of the aforementioned malware, we hope you will remain alert and keep your AV programs updated.