FakeAV -- Now with Porn!

Filed Under: Malware, SophosLabs

Once upon a time, surfing to a compromised porn site exposed the user to fake antivirus software through drive-by downloads.

I recently came across a sample that turns this concept around. Running the executable file does nothing at first, but after a random time interval it pops up a window while pretending to run a scan.

Standard fake AV window. Nothing new here.

When this fake scan completes, the user is prompted.

No, thanks.

Twice. Notice how the wording has changed, forcing the user to read carefully?

No! Uh... I mean yes.

In addition to constantly warning the user of non-existent attacks and infections, this fake AV software does something new. Every few minutes it launches an instance of Internet Explorer and navigates to an adult web site. The user could easily leave the computer unattended and come back to find the screen full of porn.

Screenshot removed by editor

Sophos detects this rogue AV as Troj/FakeVir-NV.
