Panda Security’s weekly report on viruses and intruders
August 2009 by Panda Security
This week’s PandaLabs report discusses the SaveSoldier fake antivirus and the Ramson.G worm.
The first malware we’re looking at this week is another example of malicious programs that pass themselves off as legitimate software applications in order to steal users’ money by tricking them into believing that they will eliminate (non-existent) threats. For more information about this type of malicious program, read "The Business of Rogueware" a report on fake antiviruses written by Luis Corrons and Sean-Paul Corell, PandaLabs researchers.
This fake antivirus is designed to collect personal and bank details provided by users when they buy it. This malware scans the system searching for infected software and displays an interface which resembles the interface of a typical antivirus program. It then asks users to buy and install certain software to resolve problems caused by the malicious software supposedly detected on the computer.
When the fake antivirus ‘detects’ infected files, it prompts the user to enter a code they will receive when they buy the antivirus pack. To do so, users are redirected to a page where they can purchase the software using a credit card. It also displays several warnings informing about malware problems, registry errors, etc.
The second example of malware in this report is the Ramson.G worm, which appears on screen with the icon of an executable file and constantly launches the Windows taskkill utility to eliminate processes, passing a series of commands. When the computer is restarted, a message in Russian is displayed and a code to access the system is requested. Once the code is entered, it displays another message and restarts the system.
It spreads through mapped, shared and removable drives. It uses its autorun.inf configuration file for malware to self execute through these drives.