
1/07/2011

Fake antivirus SW disguised as Adobe Flash Player's installation file

1. Introduction

Recently, fake anti-virus SW disguised as "Adobe Flash Player" has been reported.
Once installed, this malicious program shows false infection reports for normal files and induces the user to pay to fix them.
To avoid this malicious software, users need to be careful when using and downloading programs from the internet.

2. Spreading path and symptoms of infection

The downloaded fake anti-virus program masquerades as an Adobe Flash Player installation file, so that the user takes it for a normal installation file.


When Adobe_FlashPlayer_10.1.305.31.exe is executed, it shows a fake diagnosis screen and a warning screen made to look as if they come from Microsoft.

It induces the user to click the "Apply action" button to remove the security threats; clicking "Apply action" installs the fake anti-virus software.


After installation is complete, a reboot is needed.


After the reboot, the Windows desktop is changed to "Protected Mode" and the program performs a system scan.
Currently, this program uses the name "Windows Optimization Center" to induce general users to take it for a normal program.


After the system scan is completed, it shows a fake result screen to the user.


It induces the user to buy a license and pay to fix the falsely diagnosed files.


<Screen for purchasing license>

<Screen for payment>

Executing Adobe_FlashPlayer_10.1.305.31.exe creates certain files on the following path.

[Generated files]
(User account folder)C:\Documents and Settings\Administrator\Application Data\protect.exe

- (User account folder) is generally C:\Documents and Settings\(User account)\Application Data.

Furthermore, it can modify registry values so that it runs on boot.

[Registry values registered for running on boot]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- Value name : "Windows Optimization Center"
- Value data : "C:\Documents and Settings\Administrator\Application Data\protect.exe"

[HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon]
- Value name : "Shell"
- Value data : "C:\Documents and Settings\Administrator\Application Data\protect.exe"
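
A check for the two autostart entries listed above, as an added example (not INCA Internet's code or part of the original post). It assumes the input is the text output of `reg query` for the two HKCU keys; the function names and the sample output are constructed for illustration.

```python
import ntpath
import re

# Indicators from the write-up above; key paths are compared case-insensitively.
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
WINLOGON_KEY = r"hkey_current_user\software\microsoft\windows nt\currentversion\winlogon"
IOC_VALUE_NAME = "windows optimization center"
IOC_FILE_NAME = "protect.exe"

# Constructed sample of `reg query` output (not captured from a real host).
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Windows Optimization Center    REG_SZ    "C:\Documents and Settings\Administrator\Application Data\protect.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    "C:\Documents and Settings\Administrator\Application Data\protect.exe"
"""

# A value line is: indent, name (may contain spaces), type, data (tabs or spaces between).
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")


def parse_reg_query(text):
    """Yield (key, value_name, data) tuples from `reg query` text output."""
    key = None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_RE.match(line)):
            yield key, m["name"], m["data"].strip().strip('"')


def find_fakeav_persistence(text):
    """Return (reason, key, value_name, data) for each suspicious autostart entry."""
    findings = []
    for key, name, data in parse_reg_query(text):
        image = ntpath.basename(data).lower()
        if key.lower() == RUN_KEY and (name.lower() == IOC_VALUE_NAME or image == IOC_FILE_NAME):
            findings.append(("run-value", key, name, data))
        # Assumption: a per-user Shell override is worth review unless it is explorer.exe.
        elif key.lower() == WINLOGON_KEY and name.lower() == "shell" and image != "explorer.exe":
            findings.append(("winlogon-shell", key, name, data))
    return findings


if __name__ == "__main__":
    for finding in find_fakeav_persistence(SAMPLE):
        print(finding)
```

The Winlogon check is deliberately broader than the single file name in this report, since any per-user "Shell" value other than explorer.exe replaces the desktop shell at logon.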

3. How to prevent

This kind of fake anti-virus program shows fake infection screens and induces the user to pay to fix them.
To keep a PC safe from the security threats of these malicious files, we recommend that general users follow the "Security management tips" below.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus SW from a trustworthy security company, keep its engine updated to the latest version and use its real-time detection function.
3. Do not open or download attached files from suspicious e-mail.
4. Be cautious with links from instant messengers and SNS.
5. Execute downloaded files only after scanning them with anti-virus SW.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment functions in "nProtect Anti-Virus/Spyware" for detecting malicious files such as the one stated above, and runs a response system against various security threats.

Diagnosis name

 - Trojan/W32.FakeAV.2512384

4 comments:

  1. I do believe that we should not install free and fake antivirus software in our system. I would better suggest to go for some good anti spyware.

  2. This is the place the main discharge is regularly an antivirus trial adapted to give selective clients an essence of the capacities before building the whole bundle. Think about these kind of antivirus trial programs as irregular examples or assessment forms that help clients separate and request advancement in those particular fields that really affect their business. https://purr-dev.lib.purdue.edu/members/1708/blog/2016/09/mcafee-antivirus-programs-for-business-or-personal-uses

  3. I do believe that computer users should not use free antivirus software which doesn't come with full functionalities. Using a paid antivirus guarantees to protect your PC from unknown viruses, spyware and other internet threats.

  4. If you don't like antiviruses, or prefer any other apps to antivirus, you should take a closer look at http://spying.ninja/how-to-detect-spyware-on-android/
