Oct 23 | 2:38 pm (UTC-7) | by David Sancho (Senior Threat Researcher)
In the recent FAKEAV spam campaign, I noticed something was off. Once the user clicks the URL and gets the bogus Antivirus 2010 up and running on his or her system, files are added. The additional files I found were related to ClamAV, the open source AV toolkit for UNIX: the ClamAV virus definition file and some newly downloaded DLLs such as htmlayout.dll and pThreadVC2.dll. These files (the DLLs and the ClamAV definition file) are what is needed to run the open source antivirus software. So why are legitimate AV-related files included in the routines of FAKEAV malware?
The files arrive via the first download routine of the FAKEAV installer. The installer also drops randomly named garbage files onto the system, which are later reported as “infected.” Curious about all this, I downloaded the real ClamAV to test whether the fake scan was actually using the definition file to scan. After replacing the FAKEAV definition file with the latest one, the fake scan still detected the garbage files as “infected.” For a second test, I took the FAKEAV definition file and ran it in a real ClamAV scan against the files. However, it still showed the same results. Apparently, the ClamAV-related files were not being used at all.
The only conclusion I am left with is that the legitimate files are just a decoy that gives the whole scam a legitimate facade. Cybercriminals are probably also employing this tactic to evade behavior-based detection and removal: some behavior-analyzing software might be fooled into treating the FAKEAV as a real product because legitimate antivirus files are running on the system. I doubt it, but who knows? It might just work.
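To make the check described above repeatable, here is an added Python helper (not code from the original post): it invokes real clamscan with only the database shipped by the fake AV (`-d`/`--database` and `--no-summary` are standard clamscan options), parses the per-file verdicts, and reports which files the fake scanner called “infected” that ClamAV itself considers clean. The paths, signature name and clamscan output below are constructed sample data.

```python
"""Does the ClamAV database dropped by the fake AV actually flag the files the
fake scanner reports as infected?  Constructed sample data throughout."""
import re
import subprocess
from pathlib import Path

# Per-file lines clamscan prints: "<path>: OK" or "<path>: <signature> FOUND".
# Summary lines such as "Infected files: 1" do not match and are ignored.
_VERDICT = re.compile(r"^(?P<path>.+?): (?:(?P<sig>.+) FOUND|OK)$")


def parse_clamscan(output: str) -> dict:
    """Map each scanned path to the signature that hit, or None when clean."""
    verdicts = {}
    for line in output.splitlines():
        m = _VERDICT.match(line.strip())
        if m:
            verdicts[m.group("path")] = m.group("sig")
    return verdicts


def compare_verdicts(fake_claims: set, real_verdicts: dict) -> dict:
    """Split the fake scanner's 'infected' list into files real ClamAV also
    flags, files it scanned and found clean (decoy candidates), and files it
    never scanned (the fake AV may have deleted or hidden them)."""
    scanned = {p for p in fake_claims if p in real_verdicts}
    confirmed = {p for p in scanned if real_verdicts[p]}
    return {"confirmed": sorted(confirmed),
            "not_confirmed": sorted(scanned - confirmed),
            "not_scanned": sorted(fake_claims - scanned)}


def clamscan_cmd(db_file: str, target_dir: str) -> list:
    """clamscan invocation restricted to the database the fake AV dropped."""
    return ["clamscan", "-r", "--no-summary", f"--database={db_file}",
            str(Path(target_dir))]


def run_check(db_file: str, target_dir: str, fake_claims: set) -> dict:
    """Run the real scanner and compare it with the fake scanner's claims."""
    proc = subprocess.run(clamscan_cmd(db_file, target_dir),
                          capture_output=True, text=True)
    return compare_verdicts(fake_claims, parse_clamscan(proc.stdout))


# Constructed clamscan output: two 'garbage' files clean, one EICAR hit.
SAMPLE_OUTPUT = """\
/tmp/fakeav_drop/kx93ad.tmp: OK
/tmp/fakeav_drop/eicar.com: Eicar-Test-Signature FOUND
/tmp/fakeav_drop/q7zz1.dat: OK
Infected files: 1
"""
```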
December 16th, 2009 at 12:41 pm
I think I purchased a bogus antisoftware that looks like the screen shot you provided. After realizing what I did, I immediately purchased Trend Micro Internet Security over the internet and ran a deep search. A few Trojan horse and other files were found, but also a fake AV file. Trend Micro quarantined the files and I deleted them from the system. I also uninstalled the bogus antisoftware from my computer. Do I need to take any other steps?