Panda Security’s weekly report on viruses and intruders
December 2009 by Panda Security
This week’s PandaLabs report looks at a new fake antivirus and two Trojans.
AntiTroy is the name of the new fake antivirus. This type of malware passes itself off as a legitimate security application in order to steal users’ money, tricking them into believing it will eliminate threats that in reality do not exist.
As soon as AntiTroy is installed, a warning is displayed indicating that the computer is in danger. It then simulates a system scan (see photo on Flickr: http://www.flickr.com/photos/panda_...), reporting a series of infections to scare users into buying the fake antivirus solution. When the scan ends, AntiTroy displays a window offering a solution that requires activating the fake antivirus.
However, to activate the product, users must pay a fee to the supposed anti-malware vendor (see photo on Flickr: http://www.flickr.com/photos/panda_...). After this, users receive a code they must enter in the program. Once they do, the malicious code stops displaying warnings about threats. This is meant to make users believe they have actually bought an antivirus product, whereas in reality no infection has been removed and users are no better protected than they were before. So, apart from paying for a non-existent solution, the bank details they entered could be stolen by cyber-crooks.
Banbra.GMH is a banker Trojan. It is usually distributed in an email that claims to contain photos of a party (see image on Flickr: http://www.flickr.com/photos/panda_...). When the supposed photo is downloaded, the user actually receives a file called "convite.zip", which contains an executable with the same name. When run, it simulates an error claiming that the program used to view the photo must be closed, and then stops running. Before doing so, however, it drops another executable and a DLL. This second executable is started in each user session and registers the DLL as an Internet Explorer plug-in, creating two files in which it collects the bank details entered by the user in the browser, to be sent to cyber-crooks later on.
Finally, Kates.D is a Trojan that modifies Windows settings. It blocks access to websites, redirecting users to another site, and monitors network traffic. Additionally, it searches for and terminates processes related to antivirus and computer security programs.