Tweet

Fake/rogue antivirus strikes again, this time targeting the users in Brazil. Like in today’s malware trends, it did not come alone.

It initially starts with a spam message:

SUBJECT:
Hello, I am sending you my invitation to the graduation location, date and time

BODY:
Hello, I am sending you my invitation to the graduation location, date and time.
I count on your presence.
We are there,
Abraços …

ATTACHMENT:
ConviteFormatura.pps (52KB)

The malware gets installed once the user opens the attachment—which leads to the malfunction of several executables in the system. The malware is also able to disrupt the normal functions of the Windows shell, consequently resulting in difficulty opening folders.

Attempts to open files created in the programs affected by this malware would result to the display of a fancy error message reassuring the user that there is a solution to the error being experienced. Clicking the said message’s [Click here] button brings the user to the Brazilian site Byte Clark, which offers yet another fake antivirus by the same name. Users are then advised to purchase the program to restore the system (a routine which therefore qualifies this as ransomware).

Trend Micro detects the fake antivurs as TROJ_FAKEAV.BBH. Running the program only removes the files added by the original malicious attachment. It is also able to collect specific data from the user’s computer and send it to a predefined email address.

Spam is a common delivery vehicle for malware, not just being limited to rogue antivirus. And as usual, people behind this scam rely on the user’s panic to look for a quick solution. As spammers/scammers use more pleasant/kinder wordings to get their message across, users are advised to exercise caution.

Users under the Smart Protection Network are already protected against this threat.