Thursday, August 30, 2012

Fake Symantec security check

Antivirus vendors sending out warnings to perform a scan of your computer? Sure, that must be legit... Right?



Email claiming to be from Symantec


If you click on download, a file called RemovalTool.exe will be downloaded.

The malware authors have used the Java logo as the icon. Not sure what's up with that, haven't they been following the news? ;-)


Java icon, trying to trick the user


RemovalTool.exe
VirusTotal detection: 3/42
MD5: ebb4ac5bb30b93e38a02683e3e7c98c6
VirusTotal Report
Anubis Report


When executing the file, you get a nice installer screen:


Alleged Java Setup screen


In the background, the following DLL is downloaded and loaded:

Plugin[1].dll & JavaUpdate.dll
(these are the same file: Plugin[1].dll is the name the Internet Explorer cache gives the downloaded copy, the [1] suffix being the cache's own naming convention, and it is then saved as JavaUpdate.dll so as not to raise suspicion)
VirusTotal detection: 19/42
MD5: 67096009f35c6894441a221b6429d27c
VirusTotal Report


JavaUpdate.dll gets injected into explorer.exe, so that it carries out the rest of its malicious activity under a trusted process name, and it is set up to start automatically with the system.


Screenshot: the URLs the file tries to connect to (the list is only in the image)
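As an added example (not part of the original post, and not the author's own tooling), here is a small PowerShell triage script that turns the indicators above into checks: it hashes executables in the usual download locations against the two MD5s quoted in the post, lists DLLs loaded in explorer.exe that look out of place (the injection described above), and dumps the Run keys. The search paths and the Run keys as persistence mechanism are assumptions, since the post does not say where the files land or how autostart is achieved; the hashes and file names are the ones given on this page.

```powershell
# Added example, not from the original post.
# Real values: the two MD5s and the names RemovalTool.exe / JavaUpdate.dll / Plugin[1].dll.
# Assumptions (NOT stated on the page): the search paths in Find-KnownSamples and
# the Run keys as the persistence mechanism checked in Get-RunKeyEntries.

$KnownMd5 = @{
    'EBB4AC5BB30B93E38A02683E3E7C98C6' = 'RemovalTool.exe (dropper)'
    '67096009F35C6894441A221B6429D27C' = 'Plugin[1].dll / JavaUpdate.dll (payload)'
}
$KnownNames = @('RemovalTool.exe', 'JavaUpdate.dll', 'Plugin[1].dll')

function Find-KnownSamples {
    # Hash every .exe/.dll under the given paths; report matches on the post's MD5s
    # or on the file names it mentions (a name hit with a different hash may be a new build).
    param([string[]]$Paths = @("$env:USERPROFILE\Downloads", $env:TEMP))  # assumed locations
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        Get-ChildItem -Path $p -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $md5    = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash   # uppercase hex
            $byHash = $KnownMd5.ContainsKey($md5)
            $byName = $KnownNames -contains $_.Name
            if ($byHash -or $byName) {
                [pscustomobject]@{
                    Path   = $_.FullName
                    MD5    = $md5
                    Reason = if ($byHash) { $KnownMd5[$md5] } else { 'name matches, hash does not (possible new variant)' }
                }
            }
        }
    }
}

function Find-SuspiciousExplorerModules {
    # DLLs loaded in explorer.exe that sit in a user-writable location, carry the payload's
    # name, or live outside %WINDIR% without a valid Authenticode signature. Legitimate shell
    # extensions show up here too, so treat the output as a hunt list, not a verdict.
    # System DLLs are catalog-signed and can report NotSigned on older PowerShell, which is why
    # the signature test is limited to files outside %WINDIR%.
    # Run from a PowerShell of the same bitness as explorer.exe, or .Modules cannot be read.
    $userWritable = @($env:USERPROFILE, $env:TEMP, $env:ProgramData)  # assumed drop locations
    foreach ($proc in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
        try { $modules = $proc.Modules } catch { Write-Warning "Cannot read modules of PID $($proc.Id): $_"; continue }
        foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $path) { continue }
            $inUserPath = $false
            foreach ($root in $userWritable) {
                if ($root -and $path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $inUserPath = $true }
            }
            $outsideWindir = -not $path.StartsWith($env:WINDIR, [System.StringComparison]::OrdinalIgnoreCase)
            $sigStatus = 'NotChecked'
            if ($outsideWindir) {
                $sig = Get-AuthenticodeSignature -LiteralPath $path -ErrorAction SilentlyContinue
                $sigStatus = if ($sig) { [string]$sig.Status } else { 'Unknown' }
            }
            $nameHit = $m.ModuleName -ieq 'JavaUpdate.dll'
            if ($nameHit -or $inUserPath -or ($outsideWindir -and $sigStatus -ne 'Valid')) {
                [pscustomobject]@{
                    PID       = $proc.Id
                    Module    = $m.ModuleName
                    Path      = $path
                    Signature = $sigStatus
                    Flag      = if ($nameHit) { 'payload name' } elseif ($inUserPath) { 'user-writable path' } else { 'unsigned outside WINDIR' }
                }
            }
        }
    }
}

function Get-RunKeyEntries {
    # Persistence mechanism is not stated in the post; the Run keys are listed as an assumption.
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $props = Get-ItemProperty -LiteralPath $k
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSChildName, ...
            [pscustomobject]@{ Key = $k; Name = $p.Name; Command = $p.Value }
        }
    }
}

# Usage
Find-KnownSamples | Format-Table -AutoSize
Find-SuspiciousExplorerModules | Format-Table -AutoSize
Get-RunKeyEntries | Where-Object { $_.Command -match 'JavaUpdate|Plugin\[1\]' } | Format-Table -AutoSize
```

The hash check is only as good as the two MD5s on this page; a recompiled dropper passes it, which is why the module and Run-key checks look at behaviour (a DLL with the payload's name or an unsigned DLL from a user-writable path inside explorer.exe) rather than at a fixed hash.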




Conclusion

Always be wary of unsolicited mail, even if it appears to come from an antivirus vendor. In this case the malware authors try to scare the user into downloading a "removal tool" by claiming the machine is infected. A vendor's real tools come from its own website, not from a link in an unexpected email.

In case of doubt, run a scan with your installed antivirus and an online scan from another vendor, and delete the mail. Note the 3/42 detection rate of the dropper above: a clean result from a single scanner does not mean a file is safe.


