MISCELLANEOUS

Beware: Rogue AV Disguised as Bank Statement

Watch out if you get email messages with attachments named like

 

During these past few days we’ve seen here at BitDefender millions of spam messages either bundled with malware or containing a dangerous link. In this particular case I chose to present here, cyber-crooks tried to con the users by exploiting the natural and justified concern for their financial situation, serving them unsafe though extremely appealing attachments.

 

So, all in the name of money deposited in bank accounts and goods delivered via the postal service, there have been circulating e-mails with attached financial statements or postal documents. These are basically two facets of the same piece of malware – a downloader (identified by BitDefender as Trojan.Generic.KDV.280912) masquerading a Microsoft Word icon but bearing an .exe extension.

 

Once the downloader is executed on the system, it copies itself at startup under the name of dxdiag.exe (dxdiag.exe is, by the way, the name of an executable component of the Microsoft DirectX® collection of APIs); it then inject itself in svchost.exe while trying to download a fake AV (detected by BitDefender Gen:Variant.FakeAlert.88) from one of the following two addresses http://bedo[removed]11.ru and http://wa[removed]92953.

 

Furthermore, in order to keep an evidence of the compromised systems, the rogue AV sends a GET request to a Russian website with the computer ID, Windows version and uptime passed as parameters.

 

Also, usual Fake AV behavior is also present: the application floods the screen with lots of warning pop-ups to scare the user into buying a useless disinfection tool. Plus, it proceeds to shutting down all the processes the user tries to initialize, displaying further pop-up windows stating that the opened programs are infected with a virus:

 

Fig.1 Alarmist pop-up windows “announcing” the user that the system is full of malware

  

 

Fig.2 Another variant of bogus detection pop-up  window

 

Fig.3  Pop-up window claiming that the recently accessed program is infected

 

 

Fig.4  Fake update window

 

And now a few tips to help you stay out of trouble while “handling” your inbox:

 • avoid downloading or open e-mail attachments before scanning them first; remember that cyber-crooks use appealing names for their malware pieces;   

• don't open just any attachment that promises to offer you financial status. Such information is always provided to you in person by the bank you are working with.

• as mobile users, you should also keep a close eye on their inboxes, as MMS and other type of messages would try to lure you into clicking on links or calling numbers to overcharge your bills.

• last but not least, install a security solution on your systems.

This article is based on the technical information provided courtesy of Răzvan Benchea, BitDefender Virus Analyst.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

About the author

Loredana BOTEZATU

A blend of teacher and technical journalist with a pinch of e-threat analysis, Loredana Botezatu writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair. Loredana has been writing about the IT world and e-security for well over five years and has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.