Panda Security’s weekly report on viruses and intruders
November 2008 by Panda Security
A new fake antivirus (the AntivirusPro 2009 adware), and the Gimmiv.C and Boface.C worms designed to spread on social networks such as Facebook and MySpace are the subjects of this week’s PandaLabs report.
AntivirusPro 2009 is a malicious code that passes itself off as a trial anti-malware solution. Once installed on the computer, it makes users believe their computer is infected to make them purchase the full, pay version of the fake antivirus. This way, cyber-crooks gain financial benefits from their infections. According to data collected by PandaLabs, over 30 million computers worldwide could be infected by fake antiviruses.
Gimmiv.C is a worm designed to exploit one of the latest Microsoft Windows vulnerabilities (MS08-067). When run on the computer, it drops two malicious files onto the system.
One of the malicious files is vista.exe, an IP scanner that scans the subnet range of the local network searching for computers with port 445 open. Then, the worm runs another file downloaded (Mrosconfig.exe), which is used to exploit the MS08-067 vulnerability. Gimmiv.C uses this malicious code on the vulnerable computers found in the scan. It also makes one of the computers download other malware by connecting to a certain URL.
Finally, Boface.G is a worm designed to spread on social networks such as MySpace or Facebook.
This worm posts a link to a fake YouTube video on the infected user’s profile or contacts panel, or sends the contacts a private message with the link. When they try to watch the video (which seems to come from one of their friends) they are taken to a Web page where they are encouraged to download a Flash Player update to watch it. However, if they do so, they will let a copy of the worm into their computers and will infect all of their contacts.