Since the beginning of October we have seen a variant of fake antivirus malware that belongs to the FakeRean family of rogue security products. FakeRean is distributed by drive-by downloads or is dropped and executed by another malware. It blocks victims from accessing any other legitimate application on an infected machine. Like other fake AV products, it claims to detect infections and displays alerts to scare users into purchasing “protection.” In reality this program does not scan your computer. These rogue malware extort money from PC owners to “fix” their systems. This malware also blocks users from accessing or executing any .exe file on the victim’s machine.
The main difference with this rogue is that it brings up a different GUI depending on the version of Windows it infects.
We can see some GUIs below:
Once executed, the Trojan disables the security system on the victim’s machine.
Like other infections of rogue security products, this variant scares its victims and steals money if they pay for protection. The malware tricks the victims into purchasing the “full” version.
Victims can regain control of their machines by clicking the Manual Activation tab, as shown below, and entering the activation code 3425-814615-3990. This will not remove the malware but it will allow users to work again.
A series of fraudulent progressive bars and scans will show up when the victim clicks Continue.
After the fake updates have been “downloaded,” a victim’s Internet browser will work normally.
The malware is designed to select the color radiant of the GUI that it uses.
The Trojan enumerates the running processes, looking out for AV and security-related services. If found, it terminates them.
A new UPX-packed file is written in memory and executed.
After we unpacked the file, we found many strings that appear on the fake AV GUI.
Advice to Customers
Keep your systems updated with the latest patches. Insure your antimalware software is updated with the latest DATs. Always run a reputable firewall on your machines. And beware of drive-by downloads when visiting any new websites.
Leave a reply