    Archive for May 11th, 2009

    Fake/rogue antivirus strikes again, this time targeting users in Brazil. As is typical of today’s malware, it did not come alone.

    It initially starts with a spam message:

    SUBJECT:
    Hello, I am sending you my invitation to the graduation location, date and time

    BODY:
    Hello, I am sending you my invitation to the graduation location, date and time.
    I count on your presence.
    We are there,
    Abraços …

    ATTACHMENT:
    ConviteFormatura.pps (52KB)

    The malware is installed once the user opens the attachment, after which several executables on the system stop working properly. The malware also disrupts the normal functioning of the Windows shell, which makes it difficult to open folders.

    Attempting to open files created with the programs affected by this malware results in a polished error message reassuring the user that there is a solution to the error being experienced. Clicking the message’s [Click here] button takes the user to the Brazilian site Byte Clark, which offers yet another fake antivirus by the same name. Users are then advised to purchase the program to restore the system (a routine that qualifies this as ransomware).

    Trend Micro detects the fake antivirus as TROJ_FAKEAV.BBH. Running the program only removes the files added by the original malicious attachment. It is also able to collect specific data from the user’s computer and send it to a predefined email address.

    Spam is a common delivery vehicle for malware, and not only for rogue antivirus. As usual, the people behind this scam rely on the user’s panic and the resulting search for a quick fix. As spammers and scammers use more pleasant, friendlier wording to get their message across, users are advised to exercise caution.

    Users under the Smart Protection Network are already protected against this threat.

    Spammers know a thing or two about persistence, it seems. CNET reports a new Trojan, TROJ_QHOST.TB, that is the latest to take advantage of fears of swine flu. TROJ_QHOST.TB modifies the HOSTS file of any affected system, which results in the user being redirected to a spoofed banking website whenever they attempt to access the real one. This puts users at risk of having their banking information stolen and used by an unauthorized party.

    The attack is very similar to earlier ones that have also taken advantage of the swine flu. Spam messages carrying swine flu warnings contain either a link to a malicious website or TROJ_QHOST.TB as an attachment. The Trojan then modifies the system’s HOSTS file to redirect users of certain Mexican banks to a specific IP address.

    Fortunately, the IP address in question no longer works. Nothing, however, stops future variants, or other Trojans, from using the same lure. Users should consider themselves warned.
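The HOSTS-file redirection described above is easy to check for on an affected machine. The following is an added example, not code from the Trend Micro post: it parses HOSTS-file content and flags any hostname that is pointed somewhere other than the local host, which is the pattern a bank-spoofing Trojan leaves behind. The domain names and the address in the constructed sample are placeholders.

```python
"""Added example (not from the Trend Micro post): a defender-side check for
HOSTS-file tampering, where a Trojan maps banking hostnames to a remote IP so
the browser silently lands on a spoofed site. Names and addresses in the
sample below are constructed placeholders."""
import ipaddress

# Constructed sample: the first two entries are the normal Windows defaults,
# the last two are the kind of lines a HOSTS-modifying Trojan appends
# (placeholder bank domain, placeholder remote address).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.example-bank.test
203.0.113.10    online.example-bank.test   # appended by malware
"""


def parse_hosts(text):
    """Return (address, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        address, *names = line.split()
        entries.extend((address, name.lower()) for name in names)
    return entries


def suspicious_entries(text):
    """Return entries that point a hostname anywhere other than the local host.

    Benign HOSTS entries map names to loopback (127.x, ::1) or to 0.0.0.0
    (ad-blocking lists). Anything else means name resolution for that host
    has been redirected, which is exactly the bank-spoofing pattern above.
    Unparseable addresses are flagged too rather than silently skipped.
    """
    flagged = []
    for address, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            flagged.append((address, name))
            continue
        if not (ip.is_loopback or ip.is_unspecified):
            flagged.append((address, name))
    return flagged


if __name__ == "__main__":
    for address, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"{name} -> {address}: redirected in HOSTS file")
```

On a real Windows system, pass the contents of %SystemRoot%\System32\drivers\etc\hosts instead of the sample; LAN addresses deliberately added by an administrator would also be flagged and should be allowlisted.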

    The official launch of the Windows 7 Release Candidate last May 5 was soon followed by another version of the software, except that this other version came with a malware surprise.

    A file hosted on popular torrent sites and posing as a copy of the Windows 7 RC was found by security researchers to be a Trojan. The file, which arrives under the name setup.exe, is detected as TROJ_DROPPER.SPX; it drops TROJ_AGENT.NICE. Both files are detected by the Smart Protection Network.

    The Windows 7 Release Candidate was leaked a couple of weeks before its official release, and was likewise hosted on and downloaded from popular torrent sites. This was followed by reported downtime of the download page for the Windows 7 Beta, attributed to an excessive number of download requests.

    With Windows 7 already showing much promise, it is not surprising that cybercriminals are using the operating system to distribute malware, not as a platform but as a social engineering lure.

    Those interested in obtaining a copy of the release candidate are advised to get it from the Microsoft Windows 7 website.
    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice