Panda Security’s weekly report on viruses and intruders
August 2009 by Panda Security
This week’s PandaLabs report looks at the Lineage.LAS worm and the SecretService fake antivirus.
The Lineage.LAS worm spreads through mapped drives. It copies itself to several folders and downloads a malicious file. It also creates a file called Autorun.inf, which allows it to run every time the user opens a folder.
Additionally, it modifies the Windows registry to run on every system restart. One of the malicious actions the worm carries out on infected computers is to prevent users from viewing hidden files and folders.
SecretService is yet another example of the now widespread fake antiviruses. This malicious code tries to trick users into believing their computer is infected. To do this, it generates numerous junk files and offers users the possibility of buying an antivirus solution through an online transaction to remove them. This way, it steals users’ credit card details.
As you can see in the image (see photo on Flickr: http://www.flickr.com/photos/panda_...), SecretService carries out a fake computer scan, displaying an undetermined number of problems, and offers users the possibility of installing security software. Once installed, SecretService’s interface looks very similar to that of traditional antiviruses, even displaying the Windows Security Center page.
SecretService can also display fake warnings reporting malicious files, registry errors, etc. (see photo on Flickr: http://www.flickr.com/photos/panda_...). These warnings are accompanied by a very characteristic sound. Other actions it carries out to make users believe they are infected include modifying the computer wallpaper. To make the program look more authentic, it inserts an icon in the browser taskbar. Finally, it displays a screen stating that the software must be upgraded to its paid version in order to eliminate all threats. If users then enter their banking details, those details are stolen.
This fake antivirus reaches computers when users access a malicious web page and agree to install the program.