The authors and distributors of fake antivirus software keep finding new ways to spread their malware. Last week, for example, we found fake antivirus software being spread through a fake Firefox/Flash Player update site.
This week they have moved on to the next social engineering scheme: old-style spam emails with the subject “Review your annual Social Security statement”.
The email carries an attachment named “statement.zip”, which contains the malware “statement.exe”. Avira detects the file proactively, through heuristics, as TR/Crypt.XPACK.Gen.
Once the attachment is executed, it downloads two further binaries: the “SecurityTool” fake antivirus scanner and a backdoor. Avira detects the fake antivirus as TR/FakeAV.HA and the backdoor component as BDS/Reberi.A.
After it has been downloaded and executed, TR/FakeAV.HA displays the typical fake antivirus warnings.
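The lure described above (a zip attachment carrying an executable, paired with a recognisable subject line) is easy to catch at the mail gateway before any user double-clicks it. The script below is an added example written for this post; it is not Avira's code or part of the campaign analysis. It builds a constructed sample message that mimics the spam (the sender address and body text are assumed, the archive member is a harmless placeholder, not a real binary), then triages it: the subject is matched against a lure pattern, every attachment that starts with the zip magic bytes is opened regardless of its declared name or MIME type, and any member with an executable extension turns the verdict into “quarantine”. It generalises slightly beyond the post by also handling a benign archive and a lure subject without an executable.

```python
import email
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that should never arrive inside a mailed archive from an unknown sender.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}

# Lure subject from this campaign (taken from the post); extend as new lures appear.
SUBJECT_PATTERNS = [re.compile(r"social security statement", re.I)]

ZIP_MAGIC = b"PK\x03\x04"  # local file header of a non-empty zip archive


def build_sample_eml(member_name="statement.exe",
                     subject="Review your annual Social Security statement") -> bytes:
    """Construct a sample message for testing. This is NOT a real capture:
    sender, body and archive content are assumed; the member is a text blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"constructed placeholder, not a real binary")
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "noreply@example.invalid"   # assumed, not from the post
    msg["To"] = "recipient@example.invalid"
    msg.set_content("Please review the attached statement.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="statement.zip")
    return msg.as_bytes()


def triage_message(raw: bytes) -> dict:
    """Inspect one raw message: flag lure subjects and executables inside zip attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    result = {
        "subject_match": any(p.search(subject) for p in SUBJECT_PATTERNS),
        "archives": [],
    }
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        # Identify archives by magic bytes, not by filename or Content-Type,
        # so a zip renamed to .dat is still opened.
        if not data.startswith(ZIP_MAGIC):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            members = []  # truncated or malformed archive: nothing to list
        executables = [m for m in members
                       if os.path.splitext(m)[1].lower() in EXECUTABLE_EXTS]
        result["archives"].append({
            "filename": part.get_filename() or "",
            "members": members,
            "executables": executables,
        })
    if any(a["executables"] for a in result["archives"]):
        result["verdict"] = "quarantine"
    elif result["subject_match"]:
        result["verdict"] = "review"
    else:
        result["verdict"] = "pass"
    return result


if __name__ == "__main__":
    for name in ("statement.exe", "statement.pdf"):
        r = triage_message(build_sample_eml(member_name=name))
        print(name, "->", r["verdict"], r["archives"][0]["executables"])
```

The magic-byte check matters more than it looks: the post's sample uses a plain .zip, but the same gateway rule should still fire when the next wave ships the archive under a different name or MIME type. Nested archives and password-protected zips (whose member names are still readable) are left for the reader to add.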
Thomas Wegele
Virus Researcher

