Panda Security Mediacenter

The Thousand-Faced Rogue

We want to inform you of a new flood of email messages that appear to contain a postcard but are actually distributing malware. Specifically, we’ve seen several thousand in a few hours.

This is not the first time we have seen emails like this in circulation; subjects like “You’ve received a postcard” recur frequently.

The message looks like the following:

The message appears to have been sent by a member of your family through a legitimate website for downloading and sending postcards, so that users are not suspicious. To view the postcard, you have to open the attached file. It is a zip-compressed file, and if you run it, a rogueware program will be installed on your computer. Which program is installed depends on the message and on your operating system.

The following are some of the names of the fake antivirus programs that can be installed on your computer if you run this file:

% Antispyware 2010

Antivirus % 2010

% Guardian 2010

% Guardian

% Defender 2010

% Antivirus

% Antivirus 2010

% Antivirus Pro

% Antivirus Pro 2010

% Internet Security

% Internet Security 2010

where % stands for the operating system of the computer on which it is going to be installed. Some examples: XPAntispyware2010, Vista Guardian, Win 7 Antivirus Pro.
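The naming scheme above can be turned into a simple check for program or window names. The following is an added example, not code from Panda Security: it expands the listed templates with the three operating system tokens seen in the article's examples (XP, Vista, Win 7) and tolerates the inconsistent spacing those examples show. The function names and the sample names at the bottom are constructed for illustration.

```python
import re

# Name templates listed in the article; "%" is the operating system placeholder.
TEMPLATES = [
    "% Antispyware 2010", "Antivirus % 2010", "% Guardian 2010", "% Guardian",
    "% Defender 2010", "% Antivirus", "% Antivirus 2010", "% Antivirus Pro",
    "% Antivirus Pro 2010", "% Internet Security", "% Internet Security 2010",
]
# Assumption: only the OS tokens that appear in the article's examples.
OS_TOKENS = ["XP", "Vista", "Win 7"]

# Whitespace between words is optional, so "XPAntispyware2010" and
# "XP Antispyware 2010" are treated as the same name.
OS_RX = "(?P<os>" + "|".join(
    r"\s*".join(map(re.escape, tok.split())) for tok in OS_TOKENS) + ")"

def _compile(template):
    parts = [OS_RX if word == "%" else re.escape(word) for word in template.split()]
    return re.compile(r"\s*".join(parts), re.IGNORECASE)

PATTERNS = [(tpl, _compile(tpl)) for tpl in TEMPLATES]

def _canon_os(raw):
    """Map the matched OS text back to the token spelling used in OS_TOKENS."""
    key = re.sub(r"\s+", "", raw).lower()
    return next(t for t in OS_TOKENS if t.replace(" ", "").lower() == key)

def match_rogue_name(name):
    """Return (template, os_token) if the whole name fits a template, else None."""
    for tpl, rx in PATTERNS:
        m = rx.fullmatch(name.strip())
        if m:
            return tpl, _canon_os(m.group("os"))
    return None

def scan(names):
    """Check an iterable of program or window names; return only the hits."""
    return {n: hit for n in names if (hit := match_rogue_name(n))}

if __name__ == "__main__":
    # Constructed sample of display names, for illustration only.
    sample = ["XPAntispyware2010", "Vista Guardian", "Win 7 Antivirus Pro",
              "Antivirus XP 2010", "Windows Defender",
              "Example Internet Security 2010"]
    for name, (tpl, os_token) in scan(sample).items():
        print(f"{name!r}: template {tpl!r}, OS token {os_token!r}")
```

Matching the whole name rather than a substring keeps legitimate products whose names merely contain "Defender" or "Internet Security" from being flagged.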

Let’s take Antivirus XP 2010 as an example and look at the actions it carries out once it has been installed on the computer.

Like all rogueware, it starts by scanning the system to check whether the computer is infected.

Once finished, it displays a list of the malware it has detected on your computer, to make you believe that you have a problem and that this program offers the solution:

However, all the malware it has detected refers to nonexistent files, so the only threat you have is the rogue itself.

Additionally, it prevents the execution of programs whose window title refers to the following programs:

Firefox

Several security suites.

When you try to run any of these, a message is displayed informing you that these programs are infected and recommending that you install the fake antivirus to solve the problem.

The following image shows the message that is displayed when Firefox is run:

It also contains code to uninstall different security solutions. This leaves the computer unprotected, and the real antivirus programs cannot detect it.

Update:

When you browse with Internet Explorer, from time to time it displays the following page, warning you that the website you are about to access is dangerous:

You can get more information about this rogue at the following link:

https://www.pandasecurity.com/homeusers/security-info/217799/AntivirusXP2010
