Fake DHL Mail leads to Fake Antivirus

We are seeing this kind of email very frequently, and they all look much the same, even if the senders change the style every now and then. These mails are sent in huge volumes in order to reach as many people as possible who may fall for the trick and infect their computers with the malware.

Attached to the current mail is a ZIP archive which contains a Trojan of the Ofida family. Once executed, this Trojan downloads further malicious code and additionally installs a so-called FakeAV. This is fake antivirus software which reports alleged infections on every computer it runs on and tries to scare the user.

As soon as the system is infected, the Trojan blocks the execution of new programs and shows a message box telling the user that the software has been infected.

To get rid of these alleged infections, the user is supposed to buy the full version of the software.

So the user is asked to pay 50 US-$ to disable the malware, which might not even work properly, since further malware has already been downloaded. Don't ever pay for such scareware!
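The delivery pattern described above (a brand-themed sender and a ZIP attachment wrapping an executable) can be triaged on the mail gateway before anyone double-clicks the archive. The script below is an added example, not code from Avira or from the original post; the sender address, recipient and attachment are constructed samples, and the "trusted DHL domain" check is a simplifying assumption for illustration.

```python
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr

# File types that have no business inside a "shipping document" archive.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
# Assumed legitimate sender domain for the brand being impersonated.
TRUSTED_BRAND_DOMAIN = "dhl.com"


def build_sample_message() -> bytes:
    """Constructed sample: a DHL-themed lure carrying a ZIP with an .exe inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DHL_Document.exe", b"MZ" + b"\x00" * 62)  # dummy PE stub
    msg = EmailMessage()
    msg["From"] = "DHL Express <notification@example.invalid>"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "DHL delivery notification"
    msg.set_content("Your parcel could not be delivered. See attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="DHL_Document.zip")
    return msg.as_bytes()


def suspicious_zip_members(data: bytes) -> list[str]:
    """Names of archive members with executable extensions; [] if not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_SUFFIXES)]
    except zipfile.BadZipFile:
        return []


def triage(raw: bytes) -> dict:
    """Flag mails that name the brand but come from elsewhere and carry an exe-in-zip."""
    msg = email.message_from_bytes(raw, policy=default)
    sender = msg.get("From", "")
    domain = parseaddr(sender)[1].rpartition("@")[2].lower()
    brand_named = "dhl" in sender.lower()
    from_brand = domain == TRUSTED_BRAND_DOMAIN or domain.endswith("." + TRUSTED_BRAND_DOMAIN)
    findings = {"brand_lure": brand_named and not from_brand, "executable_in_zip": []}
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(".zip"):
            findings["executable_in_zip"] += suspicious_zip_members(part.get_payload(decode=True))
    hit = findings["brand_lure"] and findings["executable_in_zip"]
    findings["verdict"] = "quarantine" if hit else "allow"
    return findings
```

Running `triage(build_sample_message())` on the constructed lure returns a "quarantine" verdict with `DHL_Document.exe` listed as the offending archive member.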

Avira protects against this piece of malware, which is detected as TR/VB.Inject.33280.DG with VDF version 7.10.07.48.

Thomas Wegele
Virus Researcher