FakeAV Generates Own Fake Malware

We’ve all seen FakeAV applications deliberately misreporting malware detection and encouraging the user to buy their “products”. The slew of these fake anti-virus applications has been relentless. My colleague, Pete, has highlighted the importance of taking adequate measures to ensure that you do not fall for such scams.

This FakeAV ups the ante further.

Take a look at the following folder:

This is a typical My Documents folder on Windows. It shows that the folder is, by and large, empty, with the exception of a few folders.

We now turn our attention to the FakeAV in question. When this particular Trojan (Troj/FakeAV-AAB) is executed, the following dialog box is displayed:

No surprises there. Most FakeAV applications display a rather decent GUI (Graphical User Interface) that tries to make you think that they’re from legitimate anti-virus vendors. Needless to say (hmmm…. that is a bit of an oxymoron), getting the full, useless license requires you to part ways with the money that is sitting nice and warm in your wallet.

I proceeded to do a scan using the Spyware Scanner option.

To my surprise, the fake anti-virus application purported to report positive detections for files in a folder that I had known to be, by all accounts, empty. Have these malware authors messed up? Or have they gotten so lazy that they cannot be bothered to do a proper file scan anymore?

Puzzled, I decided to recheck the folder and, lo and behold:

Wait a minute…. the files now magically appear just after I run the scan on the fake anti-virus application? Had I missed something?

Of course not.

What has gone on here is rather sneaky. Instead of blatantly and randomly misreporting files as malware, this Trojan deliberately creates new junk files on the infected computer, with random names and random file extensions, and then proceeds to detect them! To make matters worse, these files appear in various folders, such as the My Documents folder and the Windows folder.

Thankfully, these files are not malicious by themselves. They consist of random junk data (the files can be safely removed from the infected computer via the good ol’ “Hit the Del key and empty the Recycle/Trash Bin” method).
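One way to triage a folder for the kind of junk files described above, as an added example that is not part of the original post or any vendor tool: it flags recently written files that have an unfamiliar extension and near-random content. The extension allow-list, the entropy threshold, the use of modification time as a stand-in for creation time, and all function names are assumptions made for illustration.

```python
import math, os, tempfile, time
from collections import Counter
from pathlib import Path

# Assumption: extensions considered normal for a documents folder; tune per environment.
KNOWN_EXTENSIONS = {".txt", ".doc", ".docx", ".pdf", ".jpg", ".png", ".xls", ".xlsx", ".ini"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: random junk approaches 8.0, plain text is usually below 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def find_junk_candidates(folder, since, min_entropy=7.0, sample=65536):
    """Files modified at/after `since` with an unfamiliar extension and high-entropy content."""
    hits = []
    for path in Path(folder).iterdir():
        if not path.is_file():
            continue
        st = path.stat()
        # Skip files that predate the scan or that carry an expected extension.
        if st.st_mtime < since or path.suffix.lower() in KNOWN_EXTENSIONS:
            continue
        with path.open("rb") as fh:
            entropy = shannon_entropy(fh.read(sample))
        if entropy >= min_entropy:
            hits.append((path.name, st.st_size, round(entropy, 2)))
    return sorted(hits)

def demo():
    """Constructed sample: one old document, one new low-entropy note, two new junk files."""
    with tempfile.TemporaryDirectory() as d:
        scan_start = time.time()
        old = Path(d, "report.txt")
        old.write_text("quarterly notes\n" * 200)
        os.utime(old, (scan_start - 86400, scan_start - 86400))  # dated a day earlier
        Path(d, "todo.qzx").write_text("buy milk\n" * 500)       # odd extension, low entropy
        Path(d, "kd83hf.wqz").write_bytes(os.urandom(4096))      # constructed junk file
        Path(d, "p0xz1a.rkt").write_bytes(os.urandom(4096))      # constructed junk file
        # One second of slack tolerates coarse filesystem timestamps.
        return [name for name, _, _ in find_junk_candidates(d, scan_start - 1)]

if __name__ == "__main__":
    print(demo())
```

Compressed or encrypted files that the user owns also have high entropy, so treat the output as a review list rather than a deletion list.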

To top it all off, like all other FakeAVs, this Trojan also periodically pesters you with annoying popup messages asking you to buy their product. And I thought such applications couldn’t get more annoying. Was I wrong indeed!

Talk about rubbish producing and detecting more rubbish.