Yet more FakeAV trickery

Today I was doing some analysis when I ran across this gem in our queues. It’s Troj/FakeAV-DB, but what made this one entertaining was the EULA. Now I appreciate many people do not read EULAs, but I found this one interesting, so I’m going to point out a few of the interesting bits in this one.

This is the beginning of the EULA:


Now what I like here is that it says you can’t click no or refuse. There is obviously no “I do not agree” nor “no” button, just the “Agree and Install” button, and no way to close the window. I did try “negative” hand gestures to the screen, but those were also unsuccessful.

A bit further down was this bit:


“Incompatible software” – this could well be your firewall or AV product. Remember, you are agreeing to this when you click the button.
They have a massive list in there of the conditions under which they will _not_ offer a refund, but are purposefully vague on when they would offer a refund (try never).

I let it complete the install, then just for laughs tried to uninstall. It gives the infamous error message of “Uninstall.exe has encountered a problem and needs to close. We are sorry for any inconvenience.”

Now my absolute favorite bit of this – I decided to look up the “malware” descriptions it provided during its scan of the system. The descriptions were stolen verbatim from here:

If imitation is the sincerest form of flattery, the folks at Eset should be flattered indeed.