FakeAV, with sound

Whilst investigating a couple of issues earlier this morning, I came across a new fake alert malware distribution site, pushing out samples of XL Guarder. Though this particular strain of fake alert malware is not new, it is the first sample of this family I have taken a look at. I was amused to see this particular family using MP3s in addition to the usual pop-ups.

The malware is installed via a Nullsoft installer. When run, the malware is installed (within the Program Files directory), and a small green and silver icon appears in the systray. Subsequently (or on clicking this icon), the user is alerted to a serious system error.


Accompanying the alert is some audio, a transcript of which is below.

Serious system error.
Unauthorised access to system.
Critical threat to privacy and to safety of the information.

Subsequently the full UI is shown:


Once the scan has completed, the user has the pleasure of more audio (cannot pick out last few words of this one – blame the combination of a heavy accent and an awful echo sound effect):

The scan has discovered unsafe files, which can be a result of visiting porn sites or virus activity on your computer.
Perform system cleaning immediately.
If you do not have time for its completion ? ? ?

Choosing the ‘clean later’ option rewards you with the final audio:

The given actions strongly not recommended.
Traces of virus activity are found on your computer.
This can lead to system crash and to loss of all information.

In terms of protection:

  • scripts on the distribution site from where the malware is downloaded from are proactively detected as Mal/ObfJS-BN
  • the malware was proactively blocked as Sus/Behav-269

Additionally, generic detection for this family has been published as Mal/FakeAV-Q. Prevention is always better than cure (and will hopefully spare anyone else the terrible MP3s!).