In the recent FAKEAV spam campaign, I realized something was off. Once the user clicks the URL and gets the bogus Antivirus 2010 up and running on his/her system, files are added. The additional files I found were related to ClamAV, the open source AV toolkit for UNIX. The files include the ClamAV virus definition file and some newly downloaded DLLs such as htmlayout.dll and pThreadVC2.dll. These files (DLLs and ClamAV definition file) are needed to run the open source antivirus software. So why are legitimate AV-related files included in the routines of a FAKEAV malware?

The files arrived from the first download routine of the FAKEAV installer. It also drops randomly named garbage files into the system that will later be detected as “infected.” Curious about all this, I downloaded the real ClamAV to further test if the fake scan was actually using the definition file to scan. After replacing the FAKEAV definition file for the latest one, it still detected the garbage files as “infected.” The second test I made was to take the FAKEAV definition file and run it in a real ClamAV scan against the files. However, it still showed the same results. Apparently, the ClamAV-related files were not being used at all.

The only conclusion I was left with is that the legitimate files are just a decoy to give a legitimate facade to the whole scam. Cybercriminals are also probably employing this tactic to avoid analysis behavior detection and removal. Some behavior-analyzing software might be deceived that the FAKEAV is real because of the legitimate antivirus files running in the system. I doubt it, but who knows? It might just work.

Microsoft’s new OS, Windows 7, was made available to the general public earlier today. To say that this was eagerly anticipated is an understatement, however, as in the United Kingdom, pre-orders on Amazon for copies exceeded both the last book of the Harry Potter series as well as the Nintendo Wii. This made it the biggest grossing pre-ordered item in the history of the online retailer’s British site.

Trend Micro Senior Threat Researcher David Sancho had this to say about the new OS:

Microsoft has been improving the security of its OS that is why there are fewer network vulnerabilities every time. Having said that though, security cannot be taken for granted and there’s always room for improvement. The Web is today the biggest infection vector therefore hardening the OS needs to be complemented with strengthening the browser and applications used to visualize Web pages (such as Adobe Acrobat, Flash, etc.).

Now, users may wonder if their Trend Micro products will work with Windows 7. The answer is yes. Programs such as Trend Micro Internet Security will work just as well in Windows 7 as in previous versions like XP and Vista. Whether users upgrade or stick with their current OS, they can continue to rely on their existing Trend Micro software. Even HouseCall, our free online scanner, will run under Windows 7.