Trend Micro came across a new FAKEAV variant that not only performs the usual fake alert routine but also downloads an additional component—a .DLL file that is inserted into the Layered Service Provider (LSP) chain.
By inserting itself into the LSP chain, the said .DLL file will be loaded whenever an application uses Windows Sockets (Winsock). LSP technology is often exploited by malware. In this case, this FAKEAV’s purpose is to prevent Web browsers from accessing certain sites.
The .DLL file’s code lists popularly accessed websites such as facebook.com, youtube.com, and myspace.com, among others. When executed, it checks whether the application that loaded it was any of the following, after which it will start blocking sites:
It replaces the HTML content of the accessed site with the one shown below.
It will only allow users access if the registry key HKEY_CURRENT_USER\Software\IS2010 exists on their systems. However, the said key will only exist if the FAKEAV application Internet Security 2010 (aka TROJ_FAKEAL.SMDO, TROJ_FAKEAL.SMDP, or TROJ_FAKEINIT.BC) is present on the affected system. Thus, this alert will continue to appear as long as the above FAKEAV variants have not been “installed” on the affected system.
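For defenders, the two indicators described above (a rogue provider in the Winsock catalog and the HKCU\Software\IS2010 gate key) are both cheap to check. The script below is an added example written for this post, not Trend Micro’s own tooling: it parses the output of `netsh winsock show catalog`, flags any provider that is layered, that lives outside the system directory, or whose DLL is not on a small allowlist, and checks for the IS2010 key when run on Windows. The sample catalog text is constructed (the second entry with `lsp_hook.dll` is hypothetical), and the allowlist of legitimate provider DLLs is an assumption that should be tuned to the Windows build in question.

```python
import re
import subprocess
import sys
from typing import Dict, List, Tuple

# Constructed sample of `netsh winsock show catalog` output: one legitimate
# base provider plus one HYPOTHETICAL layered provider whose DLL sits in a
# user-writable directory. Not captured from a real infected host.
SAMPLE_CATALOG = """\
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1001
Version:                            2
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Example LSP (hypothetical)
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      C:\\Users\\victim\\AppData\\Local\\Temp\\lsp_hook.dll
Catalog Entry ID:                   1034
Version:                            2
Protocol Chain Length:              0
"""

# Assumption: DLLs normally found as Winsock transport providers. Extend for
# namespace providers (NLAapi.dll, winrnr.dll, ...) if you also inspect those.
KNOWN_PROVIDER_DLLS = {"mswsock.dll", "rsvpsp.dll"}
SYSTEM_DIRS = (
    "%systemroot%\\system32", "c:\\windows\\system32",
    "%systemroot%\\syswow64", "c:\\windows\\syswow64",
)


def parse_catalog(text: str) -> List[Dict[str, str]]:
    """Split netsh output into one dict of 'Field: value' pairs per entry."""
    entries = []
    for block in re.split(r"^Winsock Catalog Provider Entry\s*$", text, flags=re.M):
        fields = {}
        for line in block.splitlines():
            m = re.match(r"^([A-Za-z][A-Za-z ]*?):\s+(.*?)\s*$", line)
            if m:
                fields[m.group(1)] = m.group(2)
        if "Provider Path" in fields:
            entries.append(fields)
    return entries


def suspicious_entries(entries: List[Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Return (catalog id, provider path, reasons) for entries worth a closer look."""
    flagged = []
    for e in entries:
        path = e.get("Provider Path", "")
        low = path.lower()
        dll = low.rsplit("\\", 1)[-1]
        reasons = []
        if e.get("Entry Type", "").lower().startswith("layered"):
            reasons.append("layered provider")          # LSPs are rare on clean hosts
        if not any(low.startswith(d) for d in SYSTEM_DIRS):
            reasons.append("provider DLL outside system directory")
        if dll not in KNOWN_PROVIDER_DLLS:
            reasons.append(f"unrecognised DLL {dll}")
        if reasons:
            flagged.append((e.get("Catalog Entry ID", "?"), path, reasons))
    return flagged


def is2010_marker_present() -> bool:
    """True if HKCU\\Software\\IS2010 (the gate key the LSP DLL checks) exists.
    Always False off Windows, where winreg is unavailable."""
    try:
        import winreg
    except ImportError:
        return False
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\IS2010"):
            return True
    except OSError:
        return False


def main() -> None:
    if sys.platform == "win32":
        text = subprocess.run(["netsh", "winsock", "show", "catalog"],
                              capture_output=True, text=True, check=False).stdout
    else:
        text = SAMPLE_CATALOG  # offline demo on non-Windows hosts
    for cid, path, reasons in suspicious_entries(parse_catalog(text)):
        print(f"[!] catalog entry {cid}: {path} -> {', '.join(reasons)}")
    print("IS2010 gate key present:", is2010_marker_present())


if __name__ == "__main__":
    main()
```

On a clean host the script should print nothing but the gate-key line; a hit on a layered entry pointing into a temp or profile directory is the pattern to investigate. If the key is found, the FAKEAV itself is already on the machine, so removal should cover both the application and the catalog entry rather than the DLL alone.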
With this new technique, this malware tends to cause more panic for users, as accessing any of the mentioned sites will display a fake alert, making them believe that the site they are trying to access is indeed restricted. They will then be more likely to install any antivirus product and thus more inclined to “install” and pay for the rogue antivirus.
Trend Micro product users need not worry, however, as Smart Protection Network™ protects their systems from this threat by detecting and blocking the download of the malicious files onto their systems via the file reputation service. Non-Trend Micro product users can also stay protected via free tools like HouseCall, Trend Micro’s highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plug-ins, and other malware.