Dec 24, 4:58 am (UTC-7) | by Joseph Pacamarra (Threats Analyst)
While scouting the Web for the latest threats, Trend Micro threat analysts stumbled upon FAKEAV variants riding on the impending eruption of the Mayon Volcano. Renowned for its “perfect cone” shape, the Mayon Volcano became one of the candidates for inclusion in the New 7 Wonders of Nature list. It is not surprising, therefore, that news of its impending eruption, during the Christmas holidays no less, will attract the attention of both curious onlookers and concerned individuals alike.
Close on the heels of users seeking news on the event, of course, are cybercriminals with their usual blackhat SEO tactics. Searching Google for the string “Mayon Volcano eruption” may lead users to the malicious URL http://{BLOCKED}acsi.com/fgq.php?in=mayon%20volcano%20eruption. Clicking the link redirects users to the CNN homepage unless their browser sends google.com as the referrer, in which case they are redirected to another malicious URL, http://{RANDOM}.xorg.pl. From there, they are again redirected to one of the following URLs, where FAKEAV variants are downloaded onto their systems:
- http://{BLOCKED}can.com, which redirects to http://{BLOCKED}m.cn, where they will be prompted to download install14300.exe (detected by Trend Micro as TROJ_FAKEAV.MVE)
- http://{BLOCKED}puter22.com, which redirects to http://{BLOCKED}omputer.com, where they will be prompted to download setup_build6_195.exe (detected as TROJ_FAKEAV.PTO)
- http://{BLOCKED}antispywaresolutions.com, where they will be prompted to download install.exe (detected as TROJ_FAKEAV.XMS)
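The chain described above has two properties a defender can hunt for in web-proxy logs: the landing page serves a different redirect depending on whether the Referer header names a search engine (referrer cloaking), and a client that arrived from a search result is bounced through several 3xx hops until it lands on an executable download. The script below is an added example, not code from the Trend Micro post. The log format is constructed for illustration, and the hostnames use the reserved .invalid TLD in place of the {BLOCKED} and {RANDOM} domains named in the post.

```python
"""Flag referrer-cloaked redirects and search-to-executable redirect chains
in web-proxy logs.

Added example (not from the original post). SAMPLE_LOG is constructed; the
.invalid hostnames stand in for the {BLOCKED}/{RANDOM} domains in the post.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log, one request per line, space separated:
#   client  status  method  url  referer  location
# with "-" where a field is empty. Client 10.0.0.5 arrives from a Google
# search and is bounced to an .exe; client 10.0.0.9 hits the same landing
# page with no Referer and is sent to CNN instead.
SAMPLE_LOG = """\
10.0.0.5 302 GET http://blocked-acsi.invalid/fgq.php?in=mayon%20volcano%20eruption http://www.google.com/search?q=mayon+volcano+eruption http://rnd7.xorg.invalid/
10.0.0.5 302 GET http://rnd7.xorg.invalid/ http://blocked-acsi.invalid/fgq.php?in=mayon%20volcano%20eruption http://blocked-can.invalid/
10.0.0.5 302 GET http://blocked-can.invalid/ http://rnd7.xorg.invalid/ http://blocked-m.invalid/install14300.exe
10.0.0.5 200 GET http://blocked-m.invalid/install14300.exe http://blocked-can.invalid/ -
10.0.0.9 302 GET http://blocked-acsi.invalid/fgq.php?in=mayon%20volcano%20eruption - http://www.cnn.com/
10.0.0.9 200 GET http://www.cnn.com/ http://blocked-acsi.invalid/fgq.php?in=mayon%20volcano%20eruption -
10.0.0.12 200 GET http://www.cnn.com/ http://www.google.com/search?q=cnn -
"""

# Referrer hosts that indicate the client came from a search result.
SEARCH_ENGINES = {"google.com", "www.google.com", "bing.com", "www.bing.com"}
# File extensions treated as executable payload downloads.
EXEC_SUFFIXES = (".exe", ".scr", ".msi")


def parse_log(text):
    """Split each log line into a dict; URLs here carry no literal spaces."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, status, method, url, referer, location = line.split(" ", 5)
        records.append({"client": client, "status": status, "method": method,
                        "url": url, "referer": referer, "location": location})
    return records


def host(url):
    """Hostname of a URL, or '' for '-' / unparseable values."""
    return urlparse(url).hostname or ""


def find_cloaked_redirects(records):
    """Return {url: {referer_host: location}} for URLs whose redirect target
    differs by Referer, which is the cloaking behaviour in the post."""
    by_url = defaultdict(dict)
    for r in records:
        if r["status"] in ("301", "302", "303", "307", "308"):
            by_url[r["url"]][host(r["referer"])] = r["location"]
    return {u: t for u, t in by_url.items() if len(set(t.values())) > 1}


def find_search_to_exe_chains(records):
    """Per client, follow 3xx hops that start from a search-engine referrer
    and report chains that end in a 200 for an executable file."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)
    hits = []
    for client, reqs in by_client.items():
        by_url = {r["url"]: r for r in reqs}
        for r in reqs:
            if host(r["referer"]) not in SEARCH_ENGINES or not r["status"].startswith("3"):
                continue
            chain, cur, seen = [r["url"]], r, set()
            # Walk Location headers until a non-redirect, a dead end or a loop.
            while (cur and cur["status"].startswith("3")
                   and cur["location"] != "-" and cur["location"] not in seen):
                seen.add(cur["location"])
                chain.append(cur["location"])
                cur = by_url.get(cur["location"])
            if cur and cur["status"] == "200" and \
                    urlparse(cur["url"]).path.lower().endswith(EXEC_SUFFIXES):
                hits.append((client, chain))
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for url, targets in find_cloaked_redirects(recs).items():
        print("referrer-cloaked redirect:", url, targets)
    for client, chain in find_search_to_exe_chains(recs):
        print("search -> exe chain for", client, ":", " -> ".join(chain))
```

Run against the constructed log, the landing page is reported once as referrer-cloaked (Google referrer goes to the xorg host, empty referrer goes to CNN), and client 10.0.0.5 is reported with a four-hop chain ending in install14300.exe. In a real deployment the same two checks can run over Squid or similar access logs, provided the proxy records the Referer and Location headers.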
Smart Protection Network protects Trend Micro product users by blocking access to the said malicious sites and by detecting and blocking the download of all related malicious files. As an added precaution, however, users are advised to rely only on trusted news sites for updates on the event.